Vikaspathak022
Participant

FQDN Rules are not getting matched and traffic is getting dropped on the Firewall, under Cleanup Rul

Hi Team,

We are using a Gateway on AWS, version R80.40, and we are facing a strange issue: the rules which are created on the basis of FQDNs are not getting matched on the firewall, and the traffic is getting dropped by the cleanup rule. We did the following.

1. Failover.

2. Reboot of both firewalls.

3. Increased the DNS cache on the firewall.


Need expert guidance on this to proceed further.


To mitigate this situation we are creating IP-based rules, and they work fine.

0 Kudos
13 Replies
_Val_
Admin

Before anything else, check if your FW can resolve those FQDN objects into IPs by name.

0 Kudos
the_rock
Champion

@_Val_ brings up a very logical point indeed. If what he says fails, then it would make sense why you have this issue.

Can you run the below and see what you get? Below is an example from my lab. This is a brand new R81.20 lab, but the output would look pretty much the same on any version.

[Expert@quantum_gateway:0]# curl_cli -k google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
[Expert@quantum_gateway:0]#

0 Kudos
Vikaspathak022
Participant

Well, yes, it's happening from the firewall. The firewall can resolve the domain names; in fact, it's working in the rules also, but sometimes we can see drops on the firewall on the cleanup rule, and sometimes we can see it getting allowed on the rule created for the traffic.

curl_cli -k google.com: What is the impact of this? Our environment is a bit critical and unstable for doing such tests; a normal nslookup I did, and it worked.


0 Kudos
_Val_
Admin

It sounds like you have some performance issues, is this correct? What is the average CPU utilization on the GW?

0 Kudos

Are clients using the same DNS resolution path as the firewalls? My bet is they're not, and the clients are getting different IPs back from DNS.

0 Kudos
Vikaspathak022
Participant

Avg utilization of the firewalls is ~30 to 35%, and the clients also have the same DNS and they are working fine. This issue with the firewalls is also intermittent.

0 Kudos
Vikaspathak022
Participant

CPU is between 30 and 35%. The hosts also have the same DNS configured, but they are not facing any issue.

0 Kudos
PhoneBoy
Admin

I'd try applying the current recommended JHF for R80.40.
If you're still having issues, a TAC case is probably warranted.

Mike_Jensen
Collaborator

Are the hosts behind the gateways using the same DNS server(s) as the gateways?

I had a scenario once where the DNS servers were not the same, and with load-balanced public servers different DNS servers would return different results for the same FQDN.

Once I configured my gateways to use the same DNS servers as the hosts behind them, the FQDNs resolved to the same IP and the intended rule was matched every time.
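The failure mode Mike_Jensen describes, and the "can the gateway resolve the name at all" check _Val_ and the_rock asked for, can be reproduced offline with a small model of first-match rule evaluation. This is an added example written for this thread, not Check Point code and not a description of how the gateway's FQDN objects are actually implemented (TTL handling, cache refresh and non-FQDN mode are all out of scope). The resolvers, the service name app.example.com, the 203.0.113.x addresses and the two-rule policy are constructed for the illustration. It shows that a client connecting to an IP the gateway's own resolver never returned for the FQDN lands on the cleanup rule, which is exactly what an intermittent "sometimes allowed, sometimes dropped" pattern against a load-balanced service looks like.

```python
# Added example (not from the thread): a simplified model of FQDN-rule matching,
# showing why traffic can land on the cleanup rule when the gateway's DNS answers
# differ from the client's. All DNS answers and addresses below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Set

Resolver = Dict[str, Set[str]]  # FQDN -> set of A records that resolver returns

# Constructed answers for a load-balanced service whose resolvers hand out
# different subsets of the backend pool (assumption for the illustration).
GATEWAY_DNS: Resolver = {"app.example.com": {"203.0.113.10", "203.0.113.11"}}
CLIENT_DNS: Resolver = {"app.example.com": {"203.0.113.10", "203.0.113.12"}}
BROKEN_GATEWAY_DNS: Resolver = {}  # the gateway cannot resolve the name at all


@dataclass(frozen=True)
class Rule:
    name: str
    fqdns: frozenset  # destination FQDN objects; empty means "Any"
    action: str       # "accept" or "drop"


def build_policy() -> List[Rule]:
    # Minimal rulebase: one FQDN-based allow rule, then the cleanup rule.
    return [
        Rule("Allow app", frozenset({"app.example.com"}), "accept"),
        Rule("Cleanup", frozenset(), "drop"),
    ]


def refresh_fqdn_cache(resolver: Resolver, policy: List[Rule]) -> Dict[str, Set[str]]:
    # The gateway resolves every FQDN object in the policy with ITS OWN resolver
    # and keeps the answers. A name it cannot resolve maps to no IPs, so a rule
    # using that object can never match anything.
    cache: Dict[str, Set[str]] = {}
    for rule in policy:
        for fqdn in rule.fqdns:
            cache[fqdn] = set(resolver.get(fqdn, set()))
    return cache


def match_rule(policy: List[Rule], cache: Dict[str, Set[str]], dst_ip: str) -> Rule:
    # First-match semantics: a rule matches if one of its FQDN objects currently
    # resolves (in the gateway's cache) to dst_ip; an "Any" destination matches all.
    for rule in policy:
        if not rule.fqdns or any(dst_ip in cache.get(f, set()) for f in rule.fqdns):
            return rule
    raise ValueError("rulebase has no cleanup rule")


def simulate(policy: List[Rule], gateway_resolver: Resolver,
             client_resolver: Resolver, fqdn: str) -> Dict[str, str]:
    # A client resolves fqdn with its own resolver and connects to each answer;
    # return which rule the gateway applies to each destination IP.
    cache = refresh_fqdn_cache(gateway_resolver, policy)
    return {ip: match_rule(policy, cache, ip).name
            for ip in sorted(client_resolver.get(fqdn, set()))}


def unseen_by_gateway(gateway_resolver: Resolver, client_resolver: Resolver,
                      fqdn: str) -> Set[str]:
    # IPs a client may use that the gateway never learned for the FQDN: every
    # connection to these falls through to the cleanup rule.
    return client_resolver.get(fqdn, set()) - gateway_resolver.get(fqdn, set())


if __name__ == "__main__":
    policy = build_policy()
    print("gateway and client on different resolvers:",
          simulate(policy, GATEWAY_DNS, CLIENT_DNS, "app.example.com"))
    print("gateway cannot resolve the name:",
          simulate(policy, BROKEN_GATEWAY_DNS, CLIENT_DNS, "app.example.com"))
    print("IPs the gateway never saw:",
          unseen_by_gateway(GATEWAY_DNS, CLIENT_DNS, "app.example.com"))
    print("same resolver on both sides:",
          simulate(policy, CLIENT_DNS, CLIENT_DNS, "app.example.com"))
```

Running it shows 203.0.113.10 hitting "Allow app" while 203.0.113.12 hits "Cleanup" when the resolvers differ, everything hitting "Cleanup" when the gateway cannot resolve the name, and every address hitting "Allow app" once both sides use the same resolver. Against a real gateway the equivalent check is to compare the answers the gateway's configured resolver returns for the FQDN with the destination IPs that show up in the cleanup-rule drop logs: any drop whose destination is absent from the gateway's answer set is the mismatch this model reproduces.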

Vikaspathak022
Participant

@Mike_Jensen Well, how can this be possible in the global infra? These gateways are in the AWS DC, and users globally are coming to the central DC; we cannot have a central DNS for all the global users, and the users who have the same DNS as the gateway also face this issue.


@PhoneBoy can you please share any link or SK for the JHF?

0 Kudos
Vikaspathak022
Participant

Thanks @PhoneBoy for the suggestion. We have performed the same thing on our firewalls and moved the firewall from JHF Take 119 to Take 180, but the problem still persists; looking for more guidance.

0 Kudos
PhoneBoy
Admin

Recommend engaging with the TAC to troubleshoot.

0 Kudos