Hi Team,
We are using a Gateway on AWS, version R80.40, and we are facing a strange issue: the rules which are created on the basis of FQDNs are not getting matched on the firewall; traffic is getting dropped by the Cleanup rule. We did the following.
1. Failover.
2. Reboot both the firewalls.
3. DNS cache increment on the firewall.
Need expert guidance on this to proceed further.
To mitigate this situation we are creating IP-based rules and it works fine.
Before anything else, check whether your FW can resolve those FQDN objects into IPs by name.
@_Val_ brings up a very logical point indeed. If what he says fails, then it would make sense why you have this issue.
Can you run the below and see what you get? Below is an example from my lab. This is a brand new R81.20 lab, but the output would look pretty much the same on any version.
[Expert@quantum_gateway:0]# curl_cli -k google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
[Expert@quantum_gateway:0]#
Well yes, it's happening from the firewall. The firewall can resolve the domain names; in fact, it's working in the rules also, but sometimes we can see drops on the firewall on the Cleanup rule and sometimes we can see it getting allowed on the rule created for the traffic.
curl_cli -k google.com: What is the impact of this? Our environment is a bit critical and unstable to do such tests; I did a normal nslookup and it worked.
It sounds like you have some performance issues, is this correct? What is the average CPU utilization on the GW?
Are clients using the same DNS resolution path as the firewalls? My bet is they're not, and the clients are getting different IPs back from DNS.
Average utilization of the firewalls is ~30 to 35%, and clients also have the same DNS and they are working fine. This issue with the firewalls is also intermittent.
CPU is between 30 and 35%. Hosts also have the same DNS configured, but they are not facing any issue.
I'd try applying the current recommended JHF for R80.40.
If you're still having issues, a TAC case is probably warranted.
Are the hosts behind the gateways using the same DNS server(s) as the gateways?
I had a scenario once where the DNS servers were not the same, and with load-balanced public servers different DNS servers would return different results for the same FQDN.
Once I configured my gateways to use the same DNS servers as the hosts behind them, the FQDNs resolved to the same IP and the intended rule was matched every time.
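To make the scenario in the post above concrete, here is a small added Python simulation (not from the thread or from Check Point; the FQDN, IPs and rule name are constructed): the gateway can only match a FQDN object against the addresses its own resolver returned, so a client that resolved a load-balanced name to a different address falls through to Cleanup, which is exactly the intermittent drop described.

```python
# Added example: constructed data, not output from any real gateway or resolver.
from ipaddress import ip_address

# Constructed sample answers, as each side's nslookup would report them.
GATEWAY_ANSWERS = {"app.example.com": ["203.0.113.10", "203.0.113.11"]}
CLIENT_ANSWERS = {"app.example.com": ["203.0.113.10", "203.0.113.12"]}

# Constructed rulebase: one FQDN rule; anything unmatched hits Cleanup.
RULEBASE = [{"name": "Allow-App", "fqdn": "app.example.com", "action": "accept"}]


def build_fqdn_cache(answers):
    """Map each FQDN to the set of IPs the gateway's resolver returned.
    A FQDN object can only match destinations in this cached set."""
    return {fqdn: {ip_address(a) for a in ips} for fqdn, ips in answers.items()}


def match_rule(rulebase, cache, dst_ip):
    """Return the rule a flow to dst_ip hits; 'Cleanup' if no FQDN rule covers it."""
    dst = ip_address(dst_ip)
    for rule in rulebase:
        if dst in cache.get(rule["fqdn"], set()):
            return rule["name"]
    return "Cleanup"


def dns_divergence(gateway_answers, client_answers):
    """For each FQDN, list client-side IPs the gateway never resolved.
    Flows to these IPs hit Cleanup even though a FQDN rule exists."""
    gw = build_fqdn_cache(gateway_answers)
    result = {}
    for fqdn, ips in client_answers.items():
        missing = sorted({ip_address(a) for a in ips} - gw.get(fqdn, set()))
        if missing:
            result[fqdn] = [str(ip) for ip in missing]
    return result


def simulate(gateway_answers, client_answers, rulebase):
    """Show the intermittent behaviour: same FQDN, different outcome per client IP."""
    cache = build_fqdn_cache(gateway_answers)
    outcomes = {}
    for ips in client_answers.values():
        for ip in ips:
            outcomes[ip] = match_rule(rulebase, cache, ip)
    return outcomes


if __name__ == "__main__":
    print("client IPs the gateway never saw:", dns_divergence(GATEWAY_ANSWERS, CLIENT_ANSWERS))
    for ip, hit in simulate(GATEWAY_ANSWERS, CLIENT_ANSWERS, RULEBASE).items():
        print(f"client -> {ip}: matched '{hit}'")
```

In practice the two answer sets come from running nslookup on a gateway and on an affected host; an empty divergence result for a still-dropped flow points away from DNS and toward a TAC case.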
@Mike_Jensen Well, how can this be possible in the global infra? These gateways are in the AWS DC, and users globally are coming to the central DC; we cannot have a central DNS for all the global users, and the users who have the same DNS as the gateway also face this issue.
@PhoneBoy can you please share any link or SK for the JHF?
Thanks @PhoneBoy for the suggestion. We have performed the same thing on our firewalls and moved them from JHF Take 119 to Take 180, but the problem still persists; looking for more guidance.
Recommend engaging with the TAC to troubleshoot.