Adity12
Collaborator

Traffic DNS is dropped reason PSL Drop : ASPII_MT;

Hi All,

Have a good day.

I faced some issues with DNS traffic being dropped by the security gateway, and the output of the command fw ctl zdebug + drop shows that a lot of DNS traffic is being dropped.


;[cpu_27];[fw4_8];fw_log_drop_ex: Packet Protocol=17 10.10.10.1:57421      172.16.10.1:53 dropped by fwpslglue_chain Reason: PSL Drop: ASPII_MT; ( the IP address is not real, because this is production environment )

I have already checked the community on this link https://community.checkpoint.com/t5/General-Topics/Duplicate-services-which-will-be-used/m-p/53484

And I am aware that it is about a duplicate service on the security gateway, which will cause a compliance error.

But I think my case is different from the duplicate service issue, because in the policy I only see the DNS group with the default configuration and there is no other service using the same port.

I also tried to check the SKs from Check Point and I found sk81320.

I tried to read it, and I think following it will take me a lot of time.

I am interested in the last resolution, which is that App Control blocks the traffic.

Here is the final resolution from that SK:

DNS must be allowed through the Application Control / URL Filtering release. Otherwise, it will be matched as "recognized" and dropped according to the rulebase.

Add a rule above the block rule with "Application/Sites" set to DNS Protocol, and "Action" set to "Allow".

 

Since my customer requested that the downtime be as short as possible, I decided to disable the App Control and URL Filtering blades.

After that, the traffic was normal again, and when I checked with fw ctl zdebug + drop it only showed some traffic being dropped by an explicit rule or the cleanup rule.

 

Does anyone know about this behavior?

 

There is only one point I suspect about this case:

1. We now use a second management server, and this management server is not connected to the internet, so it is not able to update the App Control and URL Filtering packages.

 

We currently use R80.10 with JHF Take 154.

 

 

Thanks and regards,

Dio Aditya P
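Triaging `fw ctl zdebug + drop` output by hand is slow when it scrolls as fast as the post describes. The script below is an added example, not from the post or from Check Point: it parses drop lines shaped like the one quoted above, counts them by reason, protocol and destination port, and pulls out the UDP/53 drops attributed to the PSL path so they can be compared with the rulebase drops that remained after the blades were disabled. The sample lines are constructed for the example (the second and third drop lines, their handler names and reasons are invented, not taken from a real gateway).

```python
import re
from collections import Counter

# Pattern for the drop lines printed by `fw ctl zdebug + drop`, modelled on the
# line quoted in the post. The column gap between source and destination is
# variable, so it is matched with \s+.
DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet Protocol=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<handler>\S+) Reason: (?P<reason>[^;]+);"
)

def parse_drop(line):
    """Return the fields of one drop line as a dict, or None for other debug output."""
    m = DROP_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("proto", "sport", "dport"):
        fields[key] = int(fields[key])
    fields["reason"] = fields["reason"].strip()
    return fields

def summarize(lines):
    """Count drops per (reason, IP protocol, destination port)."""
    counts = Counter()
    for line in lines:
        d = parse_drop(line)
        if d:
            counts[(d["reason"], d["proto"], d["dport"])] += 1
    return counts

def psl_dns_drops(lines):
    """DNS (UDP/53) drops whose reason comes from the PSL / Application Control path."""
    return [d for d in map(parse_drop, lines)
            if d and d["proto"] == 17 and d["dport"] == 53
            and d["reason"].startswith("PSL Drop")]

# Constructed sample: the first line mirrors the post, the rest are invented.
SAMPLE_LINES = [
    ";[cpu_27];[fw4_8];fw_log_drop_ex: Packet Protocol=17 10.10.10.1:57421      172.16.10.1:53 dropped by fwpslglue_chain Reason: PSL Drop: ASPII_MT;",
    ";[cpu_3];[fw4_1];fw_log_drop_ex: Packet Protocol=17 10.10.10.2:41000      172.16.10.1:53 dropped by fwpslglue_chain Reason: PSL Drop: ASPII_MT;",
    ";[cpu_5];[fw4_2];fw_log_drop_ex: Packet Protocol=6 10.10.10.3:50001      192.0.2.10:23 dropped by example_handler Reason: Rulebase drop - on layer Network;",
    ";[cpu_1];[fw4_0];unrelated debug text that is not a drop;",
]

if __name__ == "__main__":
    for (reason, proto, dport), n in summarize(SAMPLE_LINES).most_common():
        print(f"{n:5d}  proto={proto:<3} dport={dport:<5} {reason}")
    print("PSL DNS drops:", len(psl_dns_drops(SAMPLE_LINES)))
```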
