This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nzmatto
Participant
‎2021-06-17 05:29 PM

Some DNS Traffic being denied by implied rule

I am running an R80.40 cluster and have noted some DNS traffic being dropped by an implied rule in the logs. I have reviewed the article at: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
however this seems only to extend to R80.20. It is an old (2013) SK though, so may just not include the newer versions. The article recommends increasing the DNS Maximum Request Length and DNS Maximum Reply Length but does not say what they should be increased to.

The issue seems to hit when the query comes from a host on the VPN making a DNS query relating to an external (cloud hosted) service, so if this type of query adds to the overall size of the UDP packet I could see it potentially being related. 

I have 3 questions:

1) If I were to increase those sizes, what should I increase them to?

2) The particular IPS policies relating to these are both disabled. Am I going to need to enable, and permit them in order to get past this default?

3) How can I tell if this is the issue? (How can I see the size of these UDP packets?)

Thanks for any assistance. 
Matt

 

 

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2021-06-17 07:43 PM

This is an Inspection Setting, which is not related to IPS, but the firewall.
It would help to see the log card in question (mask sensitive data).

nzmatto
Participant
‎2021-06-17 08:22 PM

Attached are a couple of screenshots, one from the log file, the other showing the settings as per the SK referenced earlier. The second part (DNS Maximum reply) seems to not even be available to me on R80.40.
Thanks Matt

Preview file
114 KB
Preview file
114 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2021-06-17 08:36 PM
In response to nzmatto

It might be better to do something like an fw ctl zdebug drop | grep x.y.z.w to see what the kernel reports as the reason for dropping.

0 Kudos
Tracy_Hazlett
Explorer
‎2021-07-12 12:37 PM
In response to nzmatto

Did you find a solution?  We're seeing something very similar.  Thanks. 

0 Kudos
nzmatto
Participant
‎2021-07-12 12:50 PM
In response to Tracy_Hazlett

Nope, not yet. As I have been digging into the clients network I have found several issues with DNS, yet none of these seem to be impacting the end users. I'm slowly working it all out fixing the issues one at the time. 

0 Kudos
the_rock
Legend
Legend
‎2021-07-12 01:05 PM
In response to nzmatto

Just wondering...did you actually do what phoneboy suggested? run zdebug command when issue is happening, because if its being dropped on clean up rule, that would logically suggest that there is no rule above it allowing the traffic. Now, with R80+ and layers introduced, its possible its explicit layer clean up rule, rather than implicit one at the bottom, but Im not sure what the case in your environment would be.

0 Kudos
nzmatto
Participant
‎2021-07-12 01:28 PM
In response to the_rock

Nope, I never got that far as the VPN issue was proven to be something else. I know there are packets being dropped, but it doesn't seem to be end user impacting, so it's pretty low on the list of priorities. I actually suspect once the client fixes up their DNS issues the dropped traffic will go away. 

0 Kudos
the_rock
Legend
Legend
‎2021-07-12 05:19 PM
In response to nzmatto

I know this may sound like more generic comment, but I had seen few times before depending if you use split vpn or full tunnel, it really does matter what dns server you use. For example, if you use full tunnel, it would make sense to use internal DNS server but if its split tunnel, then if user uses google dns server, that works better. Now, this is not always related to dropped traffic, but just throwing it out there : )

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events