Adity12
Collaborator

Traffic DNS is dropped reason PSL Drop : ASPII_MT;

Hi All,

 

Have a good day.

 

I faced some issues with DNS traffic being dropped by the security gateway, and the output of the command fw ctl zdebug + drop shows that a lot of DNS traffic is being dropped.


;[cpu_27];[fw4_8];fw_log_drop_ex: Packet Protocol=17 10.10.10.1:57421      172.16.10.1:53 dropped by fwpslglue_chain Reason: PSL Drop: ASPII_MT; ( the IP address is not real, because this is production environment )

I have already checked on the community on this link https://community.checkpoint.com/t5/General-Topics/Duplicate-services-which-will-be-used/m-p/53484

And I am aware that it is about duplicate services on the security gateway causing the error.

But I think my case is different from the duplicate service one, because in the policy I only see the DNS group with the default configuration, and there is no other service using the same port.

I also tried to check the SKs from Check Point and found sk81320.

I tried to read it, and I think following this task will take me a lot of time.

I am interested in the last resolution, which is about App Control blocking the traffic.

here is the final resolution from that SK:

DNS must be allowed through the Application Control / URL Filtering release. Otherwise, it will be matched as "recognized" and dropped according to the rulebase.

Add a rule above the block rule with "Application/Sites" set to DNS Protocol, and "Action" set to "Allow".

 

Since my customer requested that the downtime be kept short, I decided to disable the AppControl and URL Filtering blades.

After that, the traffic was normal again, and when I check with fw ctl zdebug + drop it only shows some traffic being dropped by an explicit rule or the cleanup rule.

 

Does anyone know about this behavior?

 

There is only one point I suspect in this case:

1. We now use a second management server, and this management server is not connected to the internet, so it is not able to update the AppControl and URL Filtering packages.

 

We currently use R80.10 JHF Take 154.

 

 

Thanks, Regards

Dio Aditya P

0 Kudos
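The thread turns on reading fw ctl zdebug + drop output and telling a "PSL Drop" (which disappeared once App Control / URL Filtering was disabled) apart from an ordinary access-rulebase drop. The following triage script is an added example, not part of the original post and not Check Point code: it parses lines shaped like the one quoted above, aggregates them by protocol, destination port, drop chain and reason, and flags the UDP/53 inspection-layer drops that match the symptom. The sample lines are constructed (the first one is the line from the post), and the classification of "PSL Drop" as inspection-layer versus "Rulebase drop" as access-policy is a heuristic assumption drawn from what the thread reports, not a documented mapping.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample output modelled on the fw ctl zdebug + drop line quoted in the
# thread. The first entry is that line; the others are made up for this example.
SAMPLE_LINES: List[str] = [
    ";[cpu_27];[fw4_8];fw_log_drop_ex: Packet Protocol=17 10.10.10.1:57421      172.16.10.1:53 dropped by fwpslglue_chain Reason: PSL Drop: ASPII_MT;",
    ";[cpu_3];[fw4_1];fw_log_drop_ex: Packet Protocol=17 10.10.10.2:51000      172.16.10.1:53 dropped by fwpslglue_chain Reason: PSL Drop: ASPII_MT;",
    ";[cpu_5];[fw4_2];fw_log_drop_ex: Packet Protocol=6 10.10.10.3:44321      172.16.10.5:445 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 99;",
    ";[cpu_0];[fw4_0];fw_log_drop_ex: Packet Protocol=17 10.10.10.4:60000      172.16.10.1:53 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 99;",
    ";[cpu_1];[fw4_0];unrelated debug message;",
]

# Field layout taken from the quoted line: Protocol=<n> <src>:<sport> <dst>:<dport>
# dropped by <chain> Reason: <text>;  (assumption: other drop chains share this suffix)
DROP_RE = re.compile(
    r"fw_log_drop_ex:\s+Packet\s+Protocol=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"dropped by\s+(?P<chain>\S+)\s+Reason:\s*(?P<reason>[^;]+)"
)


def parse_drop(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed fields of one drop line, or None if the line is not a drop record."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    return {
        "proto": int(m.group("proto")),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "chain": m.group("chain"),
        "reason": m.group("reason").strip(),
    }


def classify(reason: str) -> str:
    # Heuristic (assumption): "PSL Drop" reasons originate in the streaming inspection
    # path (the thread's drops vanished when App Control / URL Filtering was disabled),
    # while "Rulebase drop" reasons come from the access policy itself.
    if reason.startswith("PSL Drop"):
        return "inspection-layer"
    if reason.startswith("Rulebase drop"):
        return "access-rulebase"
    return "other"


def summarize(lines: List[str]) -> Counter:
    """Count drops per (protocol, destination port, chain, reason)."""
    counts: Counter = Counter()
    for line in lines:
        d = parse_drop(line)
        if d is None:
            continue
        counts[(d["proto"], d["dport"], d["chain"], d["reason"])] += 1
    return counts


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Aggregated rows, most frequent first, each tagged with its likely drop source."""
    rows = []
    for (proto, dport, chain, reason), n in summarize(lines).items():
        rows.append({"proto": proto, "dport": dport, "chain": chain,
                     "reason": reason, "count": n, "source": classify(reason)})
    rows.sort(key=lambda r: (-r["count"], r["dport"], r["reason"]))
    return rows


def dns_inspection_drops(lines: List[str]) -> List[Dict[str, object]]:
    """Rows matching the thread's symptom: UDP/53 dropped by the inspection layer."""
    return [r for r in triage(lines)
            if r["proto"] == 17 and r["dport"] == 53 and r["source"] == "inspection-layer"]


if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(f'{r["count"]:>4}  proto={r["proto"]} dport={r["dport"]} '
              f'{r["source"]:<17} {r["chain"]}  {r["reason"]}')
    if dns_inspection_drops(SAMPLE_LINES):
        print("DNS is being dropped by the inspection layer: check the App Control / URL Filtering layer before the access rulebase.")
```

Run it against a capture of fw ctl zdebug + drop saved to a file by replacing SAMPLE_LINES with the file's lines. If all the UDP/53 drops land in the inspection-layer bucket while the access-rulebase bucket is empty for that port, the access policy is not the place to look, which is the distinction the SK resolution quoted above relies on.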
11 Replies
Chris_Atkinson
Employee

Note: R80.10 JHF T154 is from October 2018.

It is End of Support and you should consider upgrading to a supported release. 

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend

Chris is correct, your version is totally unsupported, but personally, I think your issue has absolutely nothing to do with the version you are running. Here is my suggestion... can you carefully check if that error is related to a specific IPS protection? Just to be 100% sure, is it possible for you to disable the IPS blade, push policy and see if the issue is still there? If not, then we know IPS is the culprit, so that way we could try to figure out what protection is causing the actual problem.

Andy

0 Kudos
Chris_Atkinson
Employee

The way the above reads, disabling AppC improved the situation.

In your Access policy what service object is used to permit DNS traffic (domain-udp) or other?

Does your AppC layer permit DNS traffic using a different object, or is there no specific rule/entry?

CCSM R77/R80/ELITE
0 Kudos
Adity12
Collaborator

Hi @Chris_Atkinson and @the_rock 

Thanks for your feedback.

Yes, I have already told the customer to upgrade that gateway, but it still has not been approved.

 

1. The service object used to permit DNS traffic is only the DNS TCP/UDP service.

2. They use 2 rules: 1 rule for AdmDNS permits https, ssh, dns and echo-request to the DNS server, and 1 rule for source any to the DNS server permits only the dns service and echo-request.

 

If my explanation is not clear, please let me know.

 

Thanks Regards

Dio Aditya Pradana

 

0 Kudos
the_rock
Legend

It's clear, but can you confirm if IPS can be disabled for testing?

0 Kudos
Adity12
Collaborator

Actually, the IPS blade is still enabled, but in the security policy I unchecked the Threat Prevention profile for IPS, Anti-Bot, and Anti-Virus.

Is it the same as disabling the blade? Because yesterday I couldn't disable the IPS, Anti-Bot and Anti-Virus blades; it showed an error message that the blade is still in use, so because of that I unchecked the Threat Prevention policy.

 

0 Kudos
the_rock
Legend

What happens if you try to disable the IPS blade? Does it throw an error when trying to save the object?

0 Kudos
Adity12
Collaborator

If I try to disable all 3 Threat Prevention blades, it throws an error and discards the change.

Here is the capture of the error message.

 

But if I disable only IPS, it does not throw an error message.

0 Kudos
the_rock
Legend

Does the problem go away if you disable IPS and push policy?

0 Kudos
Adity12
Collaborator

Actually, this issue no longer appears after I disabled AppControl and URL Filtering and disabled IPS, Anti-Bot, and Anti-Virus in the Threat Prevention rule.

But the status of the IPS, Anti-Bot, and Anti-Virus blades is still on, just not enabled in the intranet firewall policy.

0 Kudos
HeikoAnkenbrand
Champion

0 Kudos
