The information you are about to copy is INTERNAL!
DO NOT share it with anyone outside Check Point.
"Firewall - Domain resolving error. Check DNS configuration on the gateway." log for blocked HTTP traffic although relevant Domain Object was configured
Technical Level
Solution ID
sk120558
Technical Level
Product
Security Gateway
Version
R80.10, R80.20SP
OS
Gaia
Platform / Model
All
Date Created
02-Oct-2017
Last Modified
26-Oct-2020
Symptoms
After configuring a Domain Object (e.g., for akamaitechnologies.com) in a rule and installing the Access Policy, the HTTP traffic to that domain is blocked with the following log in SmartConsole:
Product Family
Access
Type
Connection
Service
http (TCP/80)
Action
Block
Action Reason
Blocking request as configured in engine settings of Firewall
Reason
Firewall - Domain resolving error. Check DNS configuration on the gateway.
Description
http Traffic Blocked from XXX to YYY
Example:
Kernel debug on Security Gateway (*) shows:
[SID: ...] {global} rad_kernel_dns_reverse_cache_get: dns cache ... look for IP '...';
[SID: ...] {global} rad_kernel_dns_reverse_cache_get: dns_health_check_state = 0;
[SID: ...] {global} rad_kernel_dns_reverse_cache_get: dns_health_check_state is not OK. return.;
[SID: ...] {global} dns_reverse_prepare_resolve_state_response: Inside;
[SID: ...] {global} dns_reverse_prepare_resolve_state_response: health check state is NOK;
[SID: ...] {connection} network_classifiers_domain_handle_fail_action: health-check failed OR no response for IP lookups OR threshold enabled for domains trap failure, fail-action is: 0;
(*) As the kernel debug command can stop the Security Gateway in rare circumstances, please advise Check Point support for the debug commands.
nslookup on Security Gateway for checkpoint.com works correctly.
Cause
Internal failure in DNS health check state of Domain Objects.
Also check DNS lookups are not blocked by policy or external factors. This will give the same symptoms and error messages in the logs, where dynamic objects are defined in the policy.
