Re: Traffic DNS is dropped reason PSL Drop : ASPII...

Adity12 · ‎2022-12-27

Hi All,

Have a good day.

I faced some issues with traffic DNS being dropped by the security gateway and the result command fw ctl zdebug + drop is shown there is a lot of traffic DNS being dropped.

;[cpu_27];[fw4_8];fw_log_drop_ex: Packet Protocol=17 10.10.10.1:57421 172.16.10.1:53 dropped by fwpslglue_chain Reason: PSL Drop: ASPII_MT; ( the IP address is not real, because this is production environment )

I have already checked on the community on this link https://community.checkpoint.com/t5/General-Topics/Duplicate-services-which-will-be-used/m-p/53484

And I aware that's is about duplicate service on the security gateway will make error compliant.

But I think in my case it's different with duplicate service because on the policy I just see the DNS group with the default configuration and there is no other service with the same port used.

I also tried to check SK from the checkpoint and I got sk81320

I try to read and I think this task will consume time for me to follow it.

I am interested in the last resolution which is app control is blocked traffic organized.

here is the final resolution from that SK:

DNS must be allowed through the Application Control / URL Filtering release. Otherwise, it will be matched as "recognized" and dropped according to the rulebase.

Add a rule above the block rule with "Application/Sites" set to DNS Protocol, and "Action" set to "Allow".

since my customer requested to make downtime more shortly, I decided to disable AppControl and URL Filtering Blade.

and after that, the traffic is normal again, and when I check with fw ctl zdebug + drop it only shows some traffic is dropped by rule explicit or cleanup rule.

Does those anyone know about this behavior?

there is only one point I suspect about this case:

1. We now use second management and this management is not connected to the internet, and because that management is not able to update package AppControl and URL filtering.

We currently use R80.10 Take JHF 154

Thanks, Regards

Dio Aditya P

Chris_Atkinson · ‎2022-12-27

Note R80.10 JHF T154 is from October 2018

It is End of Support and you should consider upgrading to a supported release.

CCSM R77/R80/ELITE

the_rock · ‎2022-12-27

Chris is correct, your version is totally unsupported, but personally, I think your issue has absolutely nothing to do with version you are running. Here is my suggestion...can you carefully check if that error is related to specific IPS protection? Just to be 100% sure, is it possible for you to disable IPS blade, push policy and see if issue is still there? If not, then we know IPS is the culprit, so that way we could try figure out what protection is causing the actual problem.

Andy

Chris_Atkinson · ‎2022-12-27

The way the above reads disabling AppC improved the situation.

In your Access policy what service object is used to permit DNS traffic (domain-udp) or other?

Does your AppC layer permit DNS traffic using a different object or there isn't a specific rule/entry?

CCSM R77/R80/ELITE

Adity12 · ‎2022-12-27

Hi @Chris_Atkinson and @the_rock

Thanks for your feedback.

Yes, I have already told the customer to upgrade that gateway, but it still has not to get approved.

1. The service object used to permit DNS traffic is only used service DNS TCP/UDP.

2. They use 2 rules: 1 rule for AdmDNS will permit https,ssh,dns, and echo-request to dns server, 1 rule is for source any to dns server and only permit dns service and echo-request.

If my explanation is not clear, please let me know.

Thanks Regards

Dio Aditya Pradana

the_rock · ‎2022-12-27

Its clear, but can you confirm if IPS can be disabled for testing?

Adity12 · ‎2022-12-27

Actually for blade IPS is still enabled but on the security policy, I do uncheck the profile threat prevention for IPS, Anti-Bot, and Anti-Virus.

is it same with the disabled blade? because yesterday I couldn't disable blade IPS, Anti-Bot and Anti-Virus, this will show an error message like this blade is still used so because of that, I uncheck the threat prevention policy.

the_rock · ‎2022-12-27

What happens if you try disable IPS blade? Does it throw an error when trying to save the object?

Adity12 · ‎2022-12-27

if i try to disable 3 blade threat prevention it will throw error and will discard change.

here the capture for error message.

But if I disable only IPS it will not throw error message.

the_rock · ‎2022-12-27

Does the problem go away if you disable IPS and push policy?

Adity12 · ‎2022-12-27

Actually this issue does not appear after I disable AppControl Url Filtering and disable IPS, Anti-Bot, and Anti-Virus from rule threat prevention.

But the status of blade IPS, Anti-Bot, and Anti-Virus is still on but not enabled on the policy firewall intranet.

HeikoAnkenbrand · ‎2023-04-14

See sk81320:

DNS packets are 'dropped by fwpslglue_chain Reason: PSL Drop: ASPII_MT' on Security Gateway

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Are you a member of CheckMates?

Traffic DNS is dropped reason PSL Drop : ASPII_MT;