ICMP - "Blocking request as configured in engine settings of Firewall"
Hello All,
We have an issue where traffic between the members of a HA cluster is being blocked with the message: "Blocking request as configured in engine settings of Firewall"
This is only happening on the external interface facing one of the ISPs.
When searching for the reason I find only references regarding HTTP traffic.
Can anyone help identify what engine settings we should be checking? Under "Manage & Settings" and "Blades" I cannot find anything related to this. Under "Security Policy" and "Inspection Settings" I also find nothing that seems related.
Most of the references I find are related to the message "Firewall - Domain resolving error. Check DNS configuration on the gateway (0)". How is DNS related when we are pinging an IP address? I did check on the concerned gateways and "nslookup" is able to resolve names, and provides a name back when we do the lookup of the IP addresses (source and destination) involved in the ping.
Regards,
Michael
Just to be clear, you are pinging between external interfaces of a cluster member and getting this message?
A full log card would probably be helpful for additional context (redact sensitive information if needed).
Hello,
The log entry is:
This is controlled by the fail-open/fail-close settings in situations where the inspection engine has an issue. It is located in two places, not sure which one is relevant since there isn't enough of your log card shown. You must have "fail-close" set in at least one of these locations:
1) Manage & Settings...Blades...APCL/URLF...Advanced Settings...Fail Mode
2) Manage & Settings...Blades...Threat Prevention...Advanced Settings...Fail Mode
Any kind of DNS error like this dictates checking and diligently testing the DNS servers defined in the Gaia OS of the firewall. If one or more of them are slow or not responding consistently it can cause various performance-related mayhem with the rad daemon and APCL/URLF, among others. Make sure *all* DNS servers defined in the Gaia OS respond quickly, not just the first one in the list which is automatically selected by nslookup.
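The advice above is to test every DNS server defined in Gaia, not only the first one that nslookup picks. The following script is an added example, not code from the thread or from Check Point: it takes a resolv.conf-style server list, queries each server directly with `dig` using a short timeout and a single try (so a dead server fails fast instead of silently falling back to the next one), and flags servers that are unreachable, return an error rcode, or answer slower than a chosen limit. It assumes `dig` (bind-utils) is installed; the resolver list embedded below is constructed sample data, and on a real gateway you would pass in `"$(cat /etc/resolv.conf)"` from expert mode.

```shell
#!/bin/sh
# Added example, not from the thread: test every DNS server the gateway is
# configured with, not only the first one that nslookup picks by default.
# Assumptions: `dig` (bind-utils) is installed, and the resolver list is in
# resolv.conf format. The list below is constructed sample data; on a real
# gateway you would feed it "$(cat /etc/resolv.conf)" from expert mode.

SAMPLE_RESOLV_CONF='search example.test
nameserver 192.0.2.10
#nameserver 192.0.2.99
nameserver 192.0.2.11
nameserver 198.51.100.5'

# Print the nameserver addresses, one per line, skipping comments and blanks.
parse_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Map a dig rcode and query time to a verdict. Anything other than a fast
# NOERROR/NXDOMAIN answer is a problem for rad/APCL/URLF, even if a plain
# nslookup eventually "works" by falling back to another server.
classify_result() {
    rcode="$1"; ms="$2"; limit_ms="$3"
    case "$rcode" in
        NOERROR|NXDOMAIN) ;;
        '') echo "FAIL"; return 1 ;;
        *) echo "FAIL($rcode)"; return 1 ;;
    esac
    if [ "$ms" -gt "$limit_ms" ]; then
        echo "SLOW(${ms}ms)"; return 1
    fi
    echo "ok(${ms}ms)"
}

# Query one server directly with a 2 s timeout and a single try, then pull
# the rcode and the "Query time" out of dig's own statistics block.
check_server() {
    server="$1"; name="${2:-example.com}"; limit_ms="${3:-500}"
    out=$(dig +time=2 +tries=1 +noall +comments +stats "@$server" "$name" A 2>/dev/null) || out=""
    rcode=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    ms=$(printf '%s\n' "$out" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p')
    verdict=$(classify_result "$rcode" "${ms:-0}" "$limit_ms"); rc=$?
    printf '%-16s %s\n' "$server" "$verdict"
    return $rc
}

# Check every configured server; exit non-zero if any is dead, erroring or slow.
check_all_nameservers() {
    rc=0
    for s in $(parse_nameservers "$1"); do
        check_server "$s" "$2" "$3" || rc=1
    done
    return $rc
}

# Usage on a gateway (expert mode):
#   check_all_nameservers "$(cat /etc/resolv.conf)" example.com 500
```

A non-zero exit from `check_all_nameservers` means at least one configured server did not give a fast, clean answer; that is the server rad will eventually get stuck waiting on, regardless of how well the first one in the list behaves.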
Hello,
I put the redacted log card in another reply. Apologies for missing that. We did check the DNS resolution on the DNS servers and it is working fine. The issue is only occurring on pings between the firewalls on the one interface.
Regards,
Dear Team,
We are getting the same error for DNS traffic, in which the traffic is coming from the DNS configured in Check Point to the firewall.
Could you please give the solution to this?
Awaiting your response.
Regards,
Mangesh Jadhav
I agree with @Timothy_Hall. Those settings are probably your best bet.
