The Security Gateway inspects incoming packets and decides to accept/drop/reject them. Sometimes, the Security Gateway needs more information (authentication, database updates, etc.).
A hold kernel table mechanism in the Check Point kernel keeps a packet and waits for additional information to arrive. An expiration timer controls how long the Security Gateway waits for the additional information before it deletes the packet.
The drop message "
Reason: held chain expired" shows that the packet was discarded since the additional data did not arrive in time.
The message "
Reason: held chain expired" can be followed by the message "
Reason: Rulebase drop - rule N;", where N is the number of a rule with "
Action" set to "
accept". In this case, the involved rule can contain the Domain Object.
For each packet that is matched by the rule with the Domain Object, the Security Gateway needs to perform a Reverse DNS Query to see if the Source IP address / Destination IP address (depends on how the rule is constructed) matches the Domain Object.
The resolved results are cached, but not indefinitely. Each time the Security Gateway performs this lookup, it has to hold the packet until it gets a reply from the DNS Server.
If the involved rule with Domain Object is located at or near the top of the rulebase, then the Security Gateway could potentially perform a DNS lookup on almost every packet. If the involved rule with Domain Object is located at or near the bottom of the rulebase, the timeout for holding the packet could expire before a reply from the DNS Server arrives.
Though it is possible to adjust the hold timer, Check Point strongly does not recommend this because it addresses only the symptom and not the problem.