This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vikaspathak022
Participant
‎2022-11-23 04:00 AM

FQDN Rules are not getting matched and traffic is getting dropped on the Firewall, under Cleanup Rul

Hi Team,

 

We are using Gateway on the AWS, Version is R80.40 and we are facing a Strange issue that, the rules which are created on the Basis of FQDN's are not getting Matched on the firewall, traffic is getting drop  by Clean up rule. We did following.

1. Failover.

2. Reboot both the firewalls.

3. DNS Cache increment of the Firewall.

 

Need expert Guidance on this to proceed further.

 

To mitigate this Situation we are creating IP Based rule and it works fine.

0 Kudos
13 Replies
_Val_
Admin
Admin
‎2022-11-23 05:43 AM

Before anything else, check if your FW can resolve those FQDN objects into IPs by names

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2022-11-23 05:47 AM

@_Val_ brings up very logical point indeed, If what he says fails, then it would make sense why you have this issue.

Can you run below and see what you get? Below is an example from my lab. This is brand new R81.20 lab, but output would look pretty much the same on any version.

[Expert@quantum_gateway:0]# curl_cli -k google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
[Expert@quantum_gateway:0]#

Best,
Andy
0 Kudos
Vikaspathak022
Participant
‎2022-11-23 06:14 AM
In response to the_rock

Well Yes its happening from the firewall, Firewall can resolve the domain names, infect, its working in the rules also, but some times we can see drops on the firewall on the cleanup rule and sometimes we can its getting allowed on the rule created for the traffic.

curl_cli -k google.com: What is impact of this, our environment is bit critical and unstable to do such tests, normal nslookup i did and it worked.

 

0 Kudos
_Val_
Admin
Admin
‎2022-11-23 07:04 AM
In response to Vikaspathak022

It sounds like you have some performance issues, is this correct? What is the average CPU utilization on the GW?

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-11-23 07:19 AM
In response to Vikaspathak022

Are clients using the same DNS resolution path as the firewalls? My bet is they're not, and the clients are getting different IPs back from DNS.

0 Kudos
Vikaspathak022
Participant
‎2022-11-23 07:50 AM
In response to Bob_Zimmerman

Avg Utilization of the Firewalls are ~ 30 to 35% and clients are also have the same DNS and they are working fine. This issue with the Firewalls also is intermittent.

0 Kudos
Vikaspathak022
Participant
‎2022-11-23 08:28 AM
In response to Bob_Zimmerman

CPU is between 30 to 35%, Hosts are also having the Same DNS configured but they are not facing any issue.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-11-23 10:57 AM

I'd try applying the current recommended JHF for R80.40.
If you're still having issues, a TAC case is probably warranted.

Mike_Jensen
Advisor
‎2022-11-23 05:20 PM

Are the hosts behind the gateways using the same DNS server(s) as the gateways?

I had a scenario once where the DNS servers were not the same and with load balanced public servers different DNS servers would return different results for the same FQDN.

once I configured my gateways to use the same DNS servers as the hosts behind them the FQDN’s resolved to the same IP  and the intended rule was matched every time.

Vikaspathak022
Participant
‎2022-11-24 12:27 AM
In response to Mike_Jensen

@Mike_Jensen Well, How this can be possible in the Global Infra, as these gateways are in the AWS DC, and users globally are coming to the Central DC, we can not have a central DNS for all the global Users, and the user who are having the Similar DNS as gateway also face this issue.

 

@PhoneBoy can you please share any link or SK for the JHF.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-11-24 07:31 AM
In response to Vikaspathak022

https://sc1.checkpoint.com/documents/Jumbo_HFA/R80.40/R80.40/R80.40_Downloads.htm

0 Kudos
Vikaspathak022
Participant
‎2022-11-29 12:56 AM
In response to PhoneBoy

Thanks @PhoneBoy for the suggestion, we have performed the same thing on our firewalls, moved firewall from Take 119 JHF to 180 JHF, but problem still persists, looking for more guidance.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-11-29 06:22 AM
In response to Vikaspathak022

Recommend engaging with the TAC to troubleshoot.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events