fw ctl zdebug drop is showing this:
fwpslglue_chain Reason: PSL Drop: HTTP_DISPATCHER;
I have no idea what HTTP_DISPATCHER is, just that it's being dropped by the Passive Streaming Layer.
Any ideas on what is causing these drops?
Lots of things use PSL: App Control, IPS, Anti-Bot, and Anti-Malware among them.
The actual error messages might be helpful, but I suspect a TAC case might be in order.
I think there is a TCP service protocol type problem after updating to R80.10/R80.20. I already had problems with supported protocol types after the update.
Database contains services with an unsupported protocol type. For a list of supported protocols, please refer to sk103595" error during upgrade to R80 / R80.10 / R80.20.
The following protocol types are supported in services in R80 / R80.10 / R80.20 versions:
- Disable the HTTP_DISPATCHER protocol type. However, this has an impact on the http security of the TCP service and IPS.
- Then I would open a TAC case as described from Dameon.
Look at this SK:
"Database contains services with an unsupported protocol type. For a list of supported protocols, please refer to sk1035…
What is PSL?
PSL is an infrastructure layer which provides stream reassembly for TCP connections.
- The gateway makes sure that TCP data seen by the destination system is the same as seen by code above PSL.
- This layer handles packet reordering, congestion handling and is responsible for various security aspects of the TCP layer such as handling payload overlaps, some DoS attacks and others.
- The PSL layer is capable of receiving packets from the firewall chain and from SecureXL module.
- The PSL layer serves as a middleman between the various security applications and the network packets. It provides the applications with a coherent stream of data to work with, free of various network problems or attacks.
- The PSL infrastructure is wrapped with well defined APIs called the Unified Streaming APIs which are used by the applications to register and access streamed data.
You can find more information on PSL in my articles:
R80.x Security Gateway Architecture (Content Inspection)
R80.x Security Gateway Architecture (Logical Packet Flow)
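The two jobs the post above attributes to PSL, reordering out-of-order segments and resolving payload overlaps, as an added example. This is a toy reassembler written for this thread, not Check Point's PSL code and not taken from the articles linked above; the segment data, sequence numbers and the decision to flag a stream whose overlapping bytes disagree are all assumptions made here to show why a streaming layer has to make that decision before anything above it inspects the data.

```python
# Added example: a minimal TCP stream reassembler illustrating the two jobs the post above
# attributes to PSL, reordering out-of-order segments and resolving payload overlaps.
# It is a toy model written for this thread, not Check Point's PSL code, and it makes one
# design choice explicit: overlapping bytes that match are merged, overlapping bytes that
# differ mark the stream as inconsistent, because an inspection engine cannot know which
# copy the destination host will accept (a classic IDS evasion technique).
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Segment:
    seq: int     # TCP sequence number of the first payload byte
    data: bytes  # payload


class StreamAssembler:
    def __init__(self, isn: int) -> None:
        self.isn = isn                     # sequence number of the first byte to deliver
        self.stream = bytearray()          # contiguous bytes already delivered, in order
        self.pending: List[Segment] = []   # segments that arrived ahead of a gap
        self.inconsistent = False          # set once two segments disagree on the same bytes

    @property
    def next_seq(self) -> int:
        return self.isn + len(self.stream)

    def add(self, seg: Segment) -> bytes:
        """Accept one segment and return whatever new contiguous bytes it makes deliverable."""
        if self.inconsistent:
            return b""
        if seg.seq < self.isn:  # bytes before the ISN carry nothing the stream can use
            seg = Segment(self.isn, seg.data[self.isn - seg.seq:])
        if not seg.data:
            return b""
        self.pending.append(seg)
        self.pending.sort(key=lambda s: s.seq)
        delivered = bytearray()
        # Drain every pending segment that now touches or overlaps the delivered prefix.
        while self.pending and self.pending[0].seq <= self.next_seq:
            s = self.pending.pop(0)
            off = s.seq - self.isn
            overlap = min(len(s.data), len(self.stream) - off)
            if bytes(self.stream[off:off + overlap]) != s.data[:overlap]:
                # Same sequence space, different payload: refuse to guess, flag the stream.
                self.inconsistent = True
                self.pending.clear()
                return bytes(delivered)
            new = s.data[overlap:]
            self.stream.extend(new)
            delivered.extend(new)
        return bytes(delivered)


def reassemble(isn: int, segments: List[Segment]) -> Tuple[bytes, bool]:
    """Feed segments in arrival order; return (reassembled bytes, inconsistent flag)."""
    asm = StreamAssembler(isn)
    for seg in segments:
        asm.add(seg)
    return bytes(asm.stream), asm.inconsistent


if __name__ == "__main__":
    # Constructed input: an HTTP request line split into three segments, delivered out of order.
    segs = [Segment(1000, b"GET "), Segment(1011, b"HTTP/1.1\r\n"), Segment(1004, b"/index ")]
    print(reassemble(1000, segs))
    # Constructed evasion attempt: a retransmission that rewrites bytes already sent.
    print(reassemble(1000, [Segment(1000, b"GET /a"), Segment(1003, b" /b ")]))
```

A real streaming layer also has to bound how much it buffers while waiting for a gap to close (that is what parameters such as psl_max_stream_segments govern), which this toy omits.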
I had considered this possibility (FYI) but I think HTTP_DISPATCHER is used in a few other contexts independent of a service definition.
Again, the actual messages from zdebug might provide some additional insight.
These are the actual error logs (replaced src and dst ip address with XXXX and YYYY):
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 X.X.X.X:50421 -> Y.Y.Y.Y:8081 dropped by fwpslglue_chain Reason: PSL Drop: HTTP_DISPATCHER;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 X.X.X.X:50421 -> Y.Y.Y.Y:8081 dropped by fwpslglue_chain Reason: PSL Drop: HTTP_DISPATCHER;
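A way to get the "additional insight" asked for above out of a larger zdebug capture, as an added example written for this thread (not a Check Point tool): parse each fw_log_drop_ex record and count drops by reason and destination port, so it is obvious whether the PSL drops are confined to one service or spread across everything that goes through HTTP inspection. The sample records are constructed to match the format pasted above, with documentation-range addresses standing in for the real hosts, and the non-PSL record at the end is an assumption added to show the filter doing something.

```python
# Added example: a small parser and aggregator for "fw ctl zdebug drop" output, written
# for this thread (not a Check Point tool). It pulls the CPU, fw instance, protocol,
# endpoints, dropping function and reason out of each fw_log_drop_ex record and counts
# drops by reason and destination port. The sample records are constructed to match the
# format pasted above; the addresses are documentation ranges, not real hosts.
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_DROPS = (
    ";[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 10.1.1.5:50421 -> 192.0.2.10:8081 "
    "dropped by fwpslglue_chain Reason: PSL Drop: HTTP_DISPATCHER;"
    ";[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 10.1.1.5:50421 -> 192.0.2.10:8081 "
    "dropped by fwpslglue_chain Reason: PSL Drop: HTTP_DISPATCHER;\n"
    ";[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 10.1.1.7:49297 -> 192.0.2.10:443 "
    "dropped by fwpslglue_chain Reason: PSL Drop: HTTP_DISPATCHER;\n"
    ";[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=17 10.1.1.9:5353 -> 224.0.0.251:5353 "
    "dropped by fw_handle_first_packet Reason: Rulebase drop - rule 7;\n"
)

# One regex per record; finditer copes with records run together on one line,
# which is what happens when zdebug output is pasted without its newlines.
DROP_RE = re.compile(
    r"\[(?P<cpu>cpu_\d+)\];\[(?P<inst>fw4_\d+)\];fw_log_drop(?:_ex)?: "
    r"Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\S+) Reason: (?P<reason>[^;]+);"
)


def parse_drops(text: str) -> List[Dict[str, str]]:
    """Return one dict per drop record found in the debug output."""
    return [m.groupdict() for m in DROP_RE.finditer(text)]


def count_by_reason_and_port(records: List[Dict[str, str]]) -> Counter:
    """Count drops keyed by (reason, destination port)."""
    return Counter((r["reason"], r["dport"]) for r in records)


def psl_drops(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only drops made by the PSL glue chain, i.e. by streaming-layer inspection."""
    return [r for r in records if r["func"] == "fwpslglue_chain"]


def psl_ports(records: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Destination ports hit by PSL drops, most frequent first."""
    return Counter(r["dport"] for r in psl_drops(records)).most_common()


if __name__ == "__main__":
    recs = parse_drops(SAMPLE_DROPS)
    for (reason, port), n in count_by_reason_and_port(recs).most_common():
        print(f"{n:4d}  dport {port:<5}  {reason}")
    print("PSL-dropped ports:", psl_ports(recs))
```

Feed it the file you wrote with something like `fw ctl zdebug + drop > /var/log/drops.txt` (redirecting is the author's usual practice, not something the block assumes) and compare the per-port picture with the TCP service objects for those ports.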
Please send a screenshot of your TCP service for port 8081.
Should look something like this:
I am also getting the exact same error for HTTPS traffic as well.
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 X.X.X.X:49297 -> Y.Y.Y.Y:443 dropped by fwpslglue_chain Reason: PSL Drop: HTTP_DISPATCHER;
I have also tried increasing the PSL buffer as per SK102455
# fw ctl get int psl_max_stream_segments
psl_max_stream_segments = 32772
# fw ctl get int psl_max_strip_window
psl_max_strip_window = 16780216
Then it's probably an IPS or App Control signature that's triggering.
You can try updating to the latest IPS and App Control signatures and see if the issue goes away.
Otherwise, you should probably open a TAC case.