Michael_Horne
Advisor

ICMP - "Blocking request as configured in engine settings of Firewall"

Hello All,

We have an issue where traffic between the members of a HA cluster is being blocked with the message: "Blocking request as configured in engine settings of Firewall"

This is only happening on the external interface facing one of the ISPs.

[Attached screenshot: error.png]

When searching for the reason I find only references regarding HTTP traffic.

Can anyone help identify what engine settings we should be checking? Under "Manage & Settings" and "Blades" I cannot find anything related to this. Under "Security Policy" and "Inspection Settings" I also find nothing that seems related.

Most of the references I find are related to the message "Firewall - Domain resolving error. Check DNS configuration on the gateway (0)". How is DNS related when we are pinging an IP address? I did check on the concerned gateways, and "nslookup" is able to resolve names and provides a name back when we look up the IP addresses (source and destination) involved in the ping.

Regards,

Michael

6 Replies
PhoneBoy
Admin

Just to be clear, you are pinging between external interfaces of a cluster member and getting this message?
A full log card would probably be helpful for additional context (redact sensitive information if needed).

Michael_Horne
Advisor

Hello,

The log entry is: 

[Attached screenshot of the log entry: icmp.png]

Timothy_Hall
Legend

This is controlled by the fail-open/fail-close settings in situations where the inspection engine has an issue.  It is located in two places, not sure which one is relevant since there isn't enough of your log card shown.  You must have "fail-close" set in at least one of these locations:

1) Manage & Settings...Blades...APCL/URLF...Advanced Settings...Fail Mode

2) Manage & Settings...Blades...Threat Prevention...Advanced Settings...Fail Mode

Any kind of DNS error like this dictates checking and diligently testing the DNS servers defined in the Gaia OS of the firewall.  If one or more of them are slow or not responding consistently it can cause various performance-related mayhem with the rad daemon and APCL/URLF, among others.  Make sure *all* DNS servers defined in the Gaia OS respond quickly, not just the first one in the list which is automatically selected by nslookup.

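The DNS check Timothy_Hall describes, testing every resolver configured in Gaia rather than only the first one that nslookup picks by default, as an added example that is not part of the original thread. It assumes an expert-mode shell on the gateway, a BIND-style nslookup that accepts -timeout= and -retry=, GNU date (for %N), and that the Gaia DNS settings are reflected in /etc/resolv.conf; the resolver file contents embedded below are constructed for offline demonstration and the probe name www.checkpoint.com is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the thread): probe every resolver a Gaia gateway
# has configured, not only the first one that nslookup uses by default.
# Assumptions: expert-mode shell, BIND-style nslookup (-timeout=, -retry=),
# GNU date supporting %N, and /etc/resolv.conf carrying the Gaia DNS servers.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
PROBE_NAME="${PROBE_NAME:-www.checkpoint.com}"   # any name every resolver should answer
SLOW_MS="${SLOW_MS:-500}"                        # flag answers slower than this

# Constructed sample resolver file, used only to demonstrate the parsing offline.
SAMPLE_RESOLV_CONF='# constructed sample, not a real gateway configuration
search example.internal
nameserver 192.0.2.10
nameserver 192.0.2.11
nameserver 2001:db8::53
'

# Read a resolv.conf body on stdin and print one nameserver address per line,
# in configured order; comments and other directives are skipped.
list_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }'
}

# Count the nameserver entries in a resolv.conf body on stdin.
count_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { n++ } END { print n + 0 }'
}

# Label a measured latency (ms) as OK or SLOW against a threshold (ms).
classify_latency() {
    if [ "$1" -gt "$2" ]; then echo SLOW; else echo OK; fi
}

# Send one query to a specific server and print "server result latency_ms".
# Naming the server as the second argument is what makes nslookup query that
# server instead of the first entry in resolv.conf.
probe_server() {
    server="$1"; name="$2"; timeout="${3:-2}"
    start=$(date +%s%N)
    if nslookup -timeout="$timeout" -retry=1 "$name" "$server" >/dev/null 2>&1; then
        result=ANSWERED
    else
        result=NO_ANSWER
    fi
    end=$(date +%s%N)
    echo "$server $result $(( (end - start) / 1000000 ))"
}

# Probe every server listed in a resolv.conf file and print one line per
# server, e.g. "192.0.2.10 ANSWERED 23ms OK". Returns non-zero if any server
# failed to answer or answered slower than SLOW_MS.
check_all_servers() {
    file="$1"; name="$2"; rc=0
    for server in $(list_nameservers < "$file"); do
        set -- $(probe_server "$server" "$name")
        label=$(classify_latency "$3" "$SLOW_MS")
        [ "$2" = ANSWERED ] && [ "$label" = OK ] || rc=1
        echo "$1 $2 ${3}ms $label"
    done
    return $rc
}

# Stand-alone run: show the parsing on the constructed sample, then probe the
# gateway's real resolvers if the resolver file is readable.
printf '%s' "$SAMPLE_RESOLV_CONF" | list_nameservers
if [ -r "$RESOLV_CONF" ]; then
    check_all_servers "$RESOLV_CONF" "$PROBE_NAME" \
        || echo "at least one configured resolver failed or was slow"
fi
```

Run it from expert mode on each cluster member; a NO_ANSWER or SLOW line for any server, not just the first, is the condition the reply above warns about, since the gateway's resolver library and rad will eventually fall through to the later entries.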
Michael_Horne
Advisor

Hello,

I put the redacted log card in another reply. Apologies for missing that. We did check the DNS resolution on the DNS servers and it is working fine. The issue is only occurring on pings between the firewalls on the one interface.

Regards,

Mangesh
Contributor

Dear Team,

We are getting the same error for DNS traffic, in which the traffic is coming from the DNS configured in Check Point to the firewall.

Could you please provide a solution for this.

Awaiting your response.

Regards,

Mangesh Jadhav

the_rock
Legend

I agree with @Timothy_Hall . Those settings are probably your best bet.
