"Firewall - Domain resolving error. Check DNS configuration on the gateway." log for blocked HTTP traffic although the relevant Domain Object was configured
Symptoms
  • After configuring a Domain Object (e.g., for akamaitechnologies.com) in a rule and installing the Access Policy, HTTP traffic to that domain is blocked with the following log in SmartConsole:

    Product Family Access
    Type Connection
    Service http (TCP/80)
    Action Block
    Action Reason Blocking request as configured in engine settings of Firewall
    Reason Firewall - Domain resolving error. Check DNS configuration on the gateway.
    Description http Traffic Blocked from XXX to YYY

  • Kernel debug on Security Gateway (*) shows:

    [SID: ...] {global} rad_kernel_dns_reverse_cache_get: dns cache ... look for IP '...';
    [SID: ...] {global} rad_kernel_dns_reverse_cache_get: dns_health_check_state = 0;
    [SID: ...] {global} rad_kernel_dns_reverse_cache_get: dns_health_check_state is not OK. return.;
    [SID: ...] {global} dns_reverse_prepare_resolve_state_response: Inside;
    [SID: ...] {global} dns_reverse_prepare_resolve_state_response: health check state is NOK;
    [SID: ...] {connection} network_classifiers_domain_handle_fail_action: health-check failed OR no response for IP lookups OR threshold enabled for domains trap failure, fail-action is: 0;


    (*) Because the kernel debug command can, in rare circumstances, stop the Security Gateway, consult Check Point Support for the exact debug commands before running them.

  • nslookup on Security Gateway for checkpoint.com works correctly.
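The kernel debug lines above carry a recognisable signature (dns_health_check_state = 0, "health check state is NOK", and the fail-action reported by the domain classifier). The following Python script is an added example, not part of this SecureKnowledge article or of any Check Point tool; it parses debug output in that shape and reports whether the DNS health check failed, which functions reported it, and which fail-action was logged. The SIDs and the IP address in the embedded sample are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of the article's kernel debug lines: [SID: <id>] {<scope>} <function>: <message>;
DEBUG_LINE = re.compile(
    r"^\[SID:\s*(?P<sid>[^\]]*)\]\s*\{(?P<scope>[^}]*)\}\s*"
    r"(?P<func>[A-Za-z0-9_]+):\s*(?P<msg>.*?);?\s*$"
)

# Fragments from the article's debug output meaning the DNS health check state is not OK.
HEALTH_CHECK_NOK = (
    "dns_health_check_state = 0",
    "dns_health_check_state is not OK",
    "health check state is NOK",
    "health-check failed",
)

@dataclass
class DnsHealthVerdict:
    health_check_failed: bool
    fail_action: Optional[int]   # value of "fail-action is: N", if logged
    evidence: List[str]          # debug functions that reported the failure

def analyze_kernel_debug(text: str) -> DnsHealthVerdict:
    """Report whether the debug output carries the DNS health-check failure signature."""
    failed, fail_action, evidence = False, None, []
    for raw in text.splitlines():
        m = DEBUG_LINE.match(raw.strip())
        if not m:
            continue  # not a debug line of the expected shape
        func, msg = m["func"], m["msg"]
        if any(ind in msg for ind in HEALTH_CHECK_NOK):
            failed = True
            if func not in evidence:
                evidence.append(func)
        fa = re.search(r"fail-action is:\s*(\d+)", msg)
        if fa:
            fail_action = int(fa.group(1))
    return DnsHealthVerdict(failed, fail_action, evidence)

# Constructed sample in the article's format; SIDs and the IP are placeholders.
SAMPLE = """\
[SID: 0] {global} rad_kernel_dns_reverse_cache_get: dns cache ... look for IP '192.0.2.10';
[SID: 0] {global} rad_kernel_dns_reverse_cache_get: dns_health_check_state = 0;
[SID: 0] {global} rad_kernel_dns_reverse_cache_get: dns_health_check_state is not OK. return.;
[SID: 0] {global} dns_reverse_prepare_resolve_state_response: health check state is NOK;
[SID: 0] {connection} network_classifiers_domain_handle_fail_action: health-check failed OR no response for IP lookups OR threshold enabled for domains trap failure, fail-action is: 0;
"""
```

Running `analyze_kernel_debug(SAMPLE)` on the sample yields a verdict with the health check failed, fail-action 0, and the three reporting functions listed; on debug output without these fragments the verdict is negative, which points the investigation at policy or external DNS blocking instead.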

Cause

Internal failure in the DNS health check state of Domain Objects.

Also check that DNS lookups are not blocked by policy or by external factors. This produces the same symptoms and the same error messages in the logs wherever dynamic objects are defined in the policy.



Solution