nzmatto
Participant

Some DNS Traffic being denied by implied rule

I am running an R80.40 cluster and have noted some DNS traffic being dropped by an implied rule in the logs. I have reviewed the article at: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
however this seems only to extend to R80.20. It is an old (2013) SK though, so may just not include the newer versions. The article recommends increasing the DNS Maximum Request Length and DNS Maximum Reply Length but does not say what they should be increased to.

The issue seems to hit when the query comes from a host on the VPN making a DNS query relating to an external (cloud hosted) service, so if this type of query adds to the overall size of the UDP packet I could see it potentially being related. 

I have 3 questions:

1) If I were to increase those sizes, what should I increase them to?

2) The particular IPS policies relating to these are both disabled. Am I going to need to enable, and permit them in order to get past this default?

3) How can I tell if this is the issue? (How can I see the size of these UDP packets?)

Thanks for any assistance. 
Matt

8 Replies
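Question 3 above asks how to see how large the DNS messages actually are. The following is an added example, not code from the thread or from Check Point: it constructs two DNS replies (a short one and a long multi-record reply of the kind a cloud-hosted service name often returns), then parses them to report the length, the TC (truncated) flag and any EDNS0 advertised buffer size. The thread does not state the appliance's default for DNS Maximum Request/Reply Length, so the script compares against the classic 512-byte UDP limit from RFC 1035 (`RFC1035_UDP_LIMIT`); substitute the value configured under Inspection Settings. Names, addresses and the 4096-byte EDNS0 size are constructed sample values.

```python
"""Measure DNS message sizes and spot EDNS0 / truncation markers.

Added example (not from the thread or from Check Point): builds a
constructed DNS reply, then parses it to report the values a size-based
firewall limit would be compared against. Standard library only.
"""
import struct

RFC1035_UDP_LIMIT = 512          # classic UDP DNS payload ceiling (RFC 1035); assumption, not the appliance default
IPV4_UDP_OVERHEAD = 28           # 20-byte IPv4 header + 8-byte UDP header on the wire
TYPE_A, TYPE_OPT = 1, 41
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name into DNS label format (no compression)."""
    labels = name.strip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def build_reply(qname, addresses, edns_udp_size=None):
    """Construct a DNS response: one A question, one A RR per address, and
    optionally an EDNS0 OPT pseudo-record advertising a UDP buffer size."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, len(addresses), 0, arcount)
    question = encode_name(qname) + struct.pack(">HH", TYPE_A, CLASS_IN)
    answers = b""
    for ip in addresses:
        rdata = bytes(int(o) for o in ip.split("."))
        # name is a compression pointer (0xC00C) back to the question name
        answers += b"\xC0\x0C" + struct.pack(">HHIH", TYPE_A, CLASS_IN, 300, 4) + rdata
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, type 41, the "class" field carries the UDP payload size
        opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + answers + opt


def analyze(msg):
    """Parse section counts, walk every record, and report what matters for a
    size-based drop: total length, TC bit, answer count, EDNS0 buffer size."""
    _txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            edns_size = rclass
        off += 10 + rdlen
    return {
        "length": len(msg),
        "wire_length_ipv4": len(msg) + IPV4_UDP_OVERHEAD,
        "truncated": bool(flags & 0x0200),
        "answers": an,
        "edns_udp_size": edns_size,
        "over_512": len(msg) > RFC1035_UDP_LIMIT,
    }


if __name__ == "__main__":
    small = build_reply("app.example.com", ["192.0.2.10"])
    # Cloud-hosted services often hand back many A records; this one passes 512 bytes
    big = build_reply("cdn.example.com",
                      ["203.0.113.%d" % i for i in range(1, 40)], edns_udp_size=4096)
    for label, m in (("small", small), ("big", big)):
        print(label, analyze(m))
```

To use it on real traffic, feed `analyze()` the UDP payload of a captured DNS packet (for example the bytes after the UDP header from a tcpdump or Wireshark export) and compare `length` with the request and reply limits configured on the gateway; a reply whose `edns_udp_size` is well above the configured limit is the case to look at first.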
PhoneBoy
Admin

This is an Inspection Setting, which is not related to IPS, but the firewall.
It would help to see the log card in question (mask sensitive data).

nzmatto
Participant

Attached are a couple of screenshots, one from the log file, the other showing the settings as per the SK referenced earlier. The second part (DNS Maximum reply) seems to not even be available to me on R80.40.
Thanks Matt

PhoneBoy
Admin

It might be better to do something like an fw ctl zdebug drop | grep x.y.z.w to see what the kernel reports as the reason for dropping.

Tracy_Hazlett
Explorer

Did you find a solution? We're seeing something very similar. Thanks.

nzmatto
Participant

Nope, not yet. As I have been digging into the client's network I have found several issues with DNS, yet none of these seem to be impacting the end users. I'm slowly working it all out, fixing the issues one at a time.

the_rock
Champion

Just wondering... did you actually do what PhoneBoy suggested? Run the zdebug command when the issue is happening, because if it's being dropped on the clean-up rule, that would logically suggest that there is no rule above it allowing the traffic. Now, with R80+ and layers introduced, it's possible it's an explicit layer clean-up rule rather than the implicit one at the bottom, but I'm not sure what the case in your environment would be.

nzmatto
Participant

Nope, I never got that far, as the VPN issue was proven to be something else. I know there are packets being dropped, but it doesn't seem to be end-user impacting, so it's pretty low on the list of priorities. I actually suspect once the client fixes up their DNS issues the dropped traffic will go away.

the_rock
Champion

I know this may sound like a more generic comment, but I have seen a few times before that, depending on whether you use split VPN or full tunnel, it really does matter what DNS server you use. For example, if you use full tunnel, it would make sense to use an internal DNS server, but if it's split tunnel, then if the user uses the Google DNS server, that works better. Now, this is not always related to dropped traffic, but just throwing it out there : )
