"Firewall - Domain resolving error. Check DNS configuration on the gateway." log for blocked HTTP traffic although relevant Domain Object was configured

Support Center > Search Results > SecureKnowledge Details

"Firewall - Domain resolving error. Check DNS configuration on the gateway." log for blocked HTTP traffic although relevant Domain Object was configured

Technical Level

Solution ID	sk120558
Technical Level
Product	Quantum Security Gateways
Version	R80.10 (EOL), R80.20SP
OS	Gaia
Platform / Model	All
Date Created	02-Oct-2017
Last Modified	27-Jan-2021

Symptoms

After configuring a Domain Object (e.g., for akamaitechnologies.com) in a rule and installing the Access Policy, the HTTP traffic to that domain is blocked with the following log in SmartConsole:

Product Family	Access
Type	Connection
Service	http (TCP/80)
Action	Block
Action Reason	Blocking request as configured in engine settings of Firewall
Reason	Firewall - Domain resolving error. Check DNS configuration on the gateway.
Description	http Traffic Blocked from XXX to YYY

Example:

Kernel debug on Security Gateway (*) shows:

[SID: ...] {global} rad_kernel_dns_reverse_cache_get: dns cache ... look for IP '...'; [SID: ...] {global} rad_kernel_dns_reverse_cache_get: dns_health_check_state = 0; [SID: ...] {global} rad_kernel_dns_reverse_cache_get: dns_health_check_state is not OK. return.; [SID: ...] {global} dns_reverse_prepare_resolve_state_response: Inside; [SID: ...] {global} dns_reverse_prepare_resolve_state_response: health check state is NOK; [SID: ...] {connection} network_classifiers_domain_handle_fail_action: health-check failed OR no response for IP lookups OR threshold enabled for domains trap failure, fail-action is: 0;

(*) As the kernel debug command can stop the Security Gateway in rare circumstances, please advise Check Point support for the debug commands.
nslookup on Security Gateway for checkpoint.com works correctly.

Cause

Internal failure in DNS health check state of Domain Objects.

Also check DNS lookups are not blocked by policy or external factors. This will give the same symptoms and error messages in the logs, where dynamic objects are defined in the policy.

In Scalable Platform/Maestro (R80.20SP and higher), DNS response may be dropped on the cleanup rule which cause the same symptom.

Solution

Note: To view this solution you need to Sign In .