This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jbfixurpc_cew
Explorer
‎2019-10-24 06:38 AM

VSX Clustering R80.20 DNS resolving error msg

Greetings!

I am seeing constant Alert error messages in our logs with reason: Firewall - Domain resolving error. Check DNS configuration on the gateway (0) .

Here are the statistics: R80.20, running on VSX, JHF Take 103 applied, 

Initially I thought the issue was being caused by the fact that in VSX the DNS servers for each context are the same (SK152873 - a large oversight if you ask me but) so with some redesign I was able to find 3 common DNS targets that would work in this scenario. Once that was applied, I still am seeing tons of these alert errors.

From the CLI I am able to confirm that all of the VSX contexts resolve DNS using dig/nslookup etc so I am not sure why I would be seeing this behavior 

 
0 Kudos
7 Replies
Ilya_Yusupov
Employee
Employee
‎2019-10-24 09:35 AM

Hi,

 

I guess you are using domain objects, right?

 

0 Kudos
jbfixurpc_cew
Explorer
‎2019-10-24 09:41 AM
In response to Ilya_Yusupov

As a matter of fact, yes, were trying to do that. What I am failing to understand is that from an external resource I can generate DNS traffic to a DNS server behind the cluster, and I see the error appear in that manor, sometimes... It's completely hit or miss which is confusing to say the least, sometimes I see the hits with no alerts, other times with the alert "Firewall - Domain resolving error. Check DNS configuration on the gateway (0)" which makes no sense to ,e.
0 Kudos
Ilya_Yusupov
Employee
Employee
‎2019-10-24 11:34 AM
In response to jbfixurpc_cew

We had such issue in the past which should be solved.

I will check it internaly and will update.

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2019-10-27 03:13 AM
In response to Ilya_Yusupov

Hi,

 

the fix included in on going JHF take 117, if you can move to this take it will be great.

if not i suggest to open a ticket for CP support to ask a port fix.

 

Thanks,

Ilya 

0 Kudos
Khalid_Aftas
Contributor
‎2020-01-15 02:58 AM
In response to Ilya_Yusupov

Hi Ilya,

 

We have same issue on r80.30 HF take 111, can you check internaly if that fix was ported to r80.30 ?

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2020-01-15 03:44 AM
In response to Khalid_Aftas

Hi Khalid,

 

The fix already included in R80.30 GA version so i suggest to open a TAC case and share it with me so i can check with RnD owners.

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2020-01-25 04:55 AM

Probably you have resolved it by now but if not make sure that TCP DNS lookups are allowed from your gateway

https://community.checkpoint.com/t5/General-Management-Topics/Domain-Objects-FQDN-An-Unofficial-ATRG...

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events