HTTP/HTTPS connections that should be accepted on a rule with 'Domain Object', do not pass through the Security Gateway

SUPPORT CENTER
USER CENTER / PARTNER MAP
CYBER TALK FOR EXECUTIVES
THREAT INTELLIGENCE
UNDER ATTACK?
- We can help. Learn more about ThreatCloud Incident Response
RISK ASSESSMENT
MY ACCOUNT
- Phone
  
  General
  United States 1-800-429-4391
  International +972-3-753-4555
  
  Support
  24x7 Technical Support
  Americas: 1-972-444-6600
  International: +972-3-6115100
  Toll Free: 1-888-361-5030
- Locations
  
  United States
  Check Point Software Technologies Inc.
  959 Skyway Road
  Suite 300
  San Carlos, CA 94070
  MAP
  
  International
  Check Point Software Technologies Ltd.
  5 Ha'Solelim Street
  Tel Aviv 67897, Israel
  MAP
- Community
  CheckMates User Community
  Blog
- Chinese
- Japanese
- Russian

Support Center > Search Results > SecureKnowledge Details

Solution ID	sk110687
Product	Security Gateway, ClusterXL, Cluster - 3rd party, VSX
Version	R77.10, R77.20, R77.30
Date Created	24-Mar-2016
Last Modified	13-Jun-2018

Symptoms

HTTP/HTTPS connections that should be accepted on a rule with 'Domain Object', do not pass through the Security Gateway.
Kernel debug (' fw ctl debug -m fw + drop ') shows:
fw_log_drop_ex: Packet proto=6 ... dropped by fw_runfilter_ex Reason: F_INDOM;

Cause

The F_INDOM drop is a symptom for delay in the DNS reply when Domain Objects are configured in the Security policy.

Solution

Note: To view this solution you need to Sign In .

THREAT INTELLIGENCE