
How do I get all Source IPs to resolve in SmartLog?

Question asked by Chris Butler on Aug 1, 2018
Latest reply on Aug 2, 2018 by ccse89f54c70-508c-400f-9477-dd8648799b1e

Only some external IP addresses are resolving to FQDN hostnames.

Resolve is checked

Right-clicking on a source IP which does not resolve in the SmartLog GUI and selecting NSLOOKUP resolves to a FQDN at the command line.

I need to troubleshoot email connectivity problems.

This configuration predates my tenure with my company, but we have a backup MX which channels all emails destined for our on-premise Exchange server to a service which redirects them to a single gmail mailbox as a failover.

This is a great idea in theory, but it seems that there are random momentary conditions each day that make emails end up there, and the resultant manual forwarding process to get them to the right recipient in our Exchange org is a PITA, especially since I am the only IT/AV/Telecom pro here. And if I am in the middle of something that demands my full attention, there can be delays before I get to forward them.

Anyway, my research into just how (legitimate, non-spammer) sending mail servers handle MX preference tells me that it could be an inability to reach the server to open a socket (a temporary glitch in our FIOS connection or along the route that would translate as a single timeout in a continuous ping -t) that triggers an instant switch to the backup MX with the lower priority, or it could be a connection to our mail server that ends abnormally or prematurely, and it could involve a delayed retry to the backup MX, etc. The RFC is not very specific, so there are differences in how each mail server type (Postfix, Sendmail, Exchange, etc.) handles things by default, and further in how each is configured.

One of the email addresses that seems to be problematic is based out of outlook.com. I need to be able to search on a wildcard by src: *.outlook.com because I would imagine there are a multitude of server IPs that might be doing load balancing for sending from outlook.com.

With major projects going on that must be completed this fiscal year, I have not had the time to RTFM as exhaustively as I did with the previous versions of CheckPoint. I had things down with 77.30 and could find things rather easily in these cases. I have not had time to fully digest all the documentation for 80.10 like I did with 77.30 yet, so I need some help here if anyone could point me in the right direction.

Thanks.
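The MX fallback behaviour the post reasons about (a sender walks the MX set in ascending preference and moves to the lower-priority backup as soon as the primary fails to accept a connection) can be modelled without touching a network. The following is an added example, not code from the poster or from Check Point; the hostnames and the injected connect function are constructed, and the ordering follows RFC 5321 section 5.1 (ascending preference, ties shuffled).

```python
import random
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed MX set modelled on the post: on-premise primary at
# preference 10 and a lower-priority backup at preference 20.
MX_RECORDS = [(20, "backup-mx.example.test"), (10, "mail.example.test")]


def order_mx(records: Iterable[Tuple[int, str]]) -> List[str]:
    """Return MX hosts in the order a sender tries them (RFC 5321 5.1).

    Lower preference values come first; hosts sharing a preference are
    shuffled so load spreads across them.
    """
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        random.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def deliver(records: Iterable[Tuple[int, str]],
            try_connect: Callable[[str], bool]) -> Tuple[Optional[str], List[Tuple[str, bool]]]:
    """Simulate one delivery attempt across the MX set.

    try_connect(host) stands in for opening port 25; any failure on one
    host makes the sender move straight on to the next preference.
    Returns the host that accepted the message (or None) and the list of
    (host, succeeded) attempts, which is what a mail log would record.
    """
    attempts = []
    for host in order_mx(records):
        ok = try_connect(host)
        attempts.append((host, ok))
        if ok:
            return host, attempts
    return None, attempts


def flaky_primary(host: str) -> bool:
    """Constructed failure: a single timeout against the primary only."""
    return host != "mail.example.test"


if __name__ == "__main__":
    # One momentary failure on the primary is enough to land the message
    # on the backup MX, matching the symptom described in the post.
    print(deliver(MX_RECORDS, lambda h: True))
    print(deliver(MX_RECORDS, flaky_primary))
```

Run against a sender that connects cleanly the message lands on the primary; swap in the flaky connect function and it lands on the backup after exactly one failed attempt.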
