Who needs SecureXL when you can turn off AntiBot?

This is a weird one that I tracked down, but can’t take credit for fixing.

Our AntiBot and AntiVirus sites were whining about things being slow after we installed firewalls with AB and AV. Well, you know how users whine all the time – who listens to them anyways? So they can’t get to Oprah’s home page, big deal.

Well, one site was slow, but this one single DNS name would NOT resolve. The request hit the client side of the firewall and never came out the DNS server side... for only this ONE DNS name.

Yeah... weird, huh?

In addition, the blades are in DETECT-only mode... so what could go wrong?

Well, check out what zdebug (fw ctl zdebug) says:

[Image "glue": zdebug output captured while the lookup was stuck]

Paste that into support.checkpoint.com and you get sk81320, which leads you to the “Speed Up DNS” button:

[Image "slowdns": the “Speed Up DNS” button described in sk81320]

Turns out AB/AV reviews DNS names (it asks the Check Point online web service to categorize them) before releasing the connection. While the connection is held, the client's resolver gives up and retries, so you'll see the client-side nslookups hitting 2-second timeouts most of the time. The fix is to run the categorization in 'background' mode instead of 'hold' mode, so the connection is released while the verdict is still pending. Geez louise. The trade-off is worth knowing: in Background mode the first request for a not-yet-categorized name goes through before the verdict comes back, so that first connection is not blocked even if the name is later rated malicious.
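To spot this from the client side without touching the gateway, the symptoms are distinctive: the same DNS transaction ID is re-sent about 2 seconds apart (the resolver timeout), answers arrive seconds late, or never arrive at all for one specific name. The script below is an added example, not from the original post or from Check Point: it parses tcpdump-style DNS lines taken on the client side of the firewall and flags names whose timing pattern matches the connection being held. The capture lines, hosts and names are constructed for the example; the 2-second retry interval and the 1-second "held" threshold are parameters you can adjust to your resolvers.

```python
import re
from datetime import datetime

# Constructed sample (not a real capture): "tcpdump -n port 53" style lines from the
# client side of the gateway. One name answers fast, one is held ~2.6s (note the
# resolver retry at +2s), and one never gets an answer at all.
SAMPLE_CAPTURE = """\
10:00:00.000000 IP 10.1.1.50.40001 > 10.2.2.10.53: 1001+ A? intranet.example.test. (38)
10:00:00.004200 IP 10.2.2.10.53 > 10.1.1.50.40001: 1001 1/0/0 A 10.2.2.20 (54)
10:00:01.000000 IP 10.1.1.50.40002 > 10.2.2.10.53: 1002+ A? slowsite.example.test. (39)
10:00:03.000500 IP 10.1.1.50.40002 > 10.2.2.10.53: 1002+ A? slowsite.example.test. (39)
10:00:03.610000 IP 10.2.2.10.53 > 10.1.1.50.40002: 1002 1/0/0 A 192.0.2.10 (55)
10:00:05.000000 IP 10.1.1.50.40003 > 10.2.2.10.53: 1003+ A? neverresolves.example.test. (44)
10:00:07.000900 IP 10.1.1.50.40003 > 10.2.2.10.53: 1003+ A? neverresolves.example.test. (44)
10:00:09.001300 IP 10.1.1.50.40003 > 10.2.2.10.53: 1003+ A? neverresolves.example.test. (44)
"""

# Query: "<ts> IP <client> > <server>: <id>+ [flags] <qtype>? <name>. (<len>)"
QUERY_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): (\d+)\+\S* (?:\S+ )?(\S+)\? (\S+) \(\d+\)$")
# Response: "<ts> IP <server> > <client>: <id>[*] [NXDomain] <an>/<ns>/<ar> ..."
RESPONSE_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): (\d+)\S* (?:\S+ )?(\d+)/(\d+)/(\d+)")


def _seconds(ts: str) -> float:
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def analyze(capture_text: str, retry_timeout: float = 2.0) -> dict:
    """Correlate DNS queries with answers per (client socket, transaction id).

    Returns, per queried name: number of transactions, total query attempts,
    transactions that never got an answer, worst first-query-to-answer latency,
    and how many re-sends were spaced ~retry_timeout apart (resolver timeouts).
    """
    tx = {}  # (client addr.port, id) -> {"name", "queries": [t...], "answer": t|None}
    for line in capture_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            ts, src, _dst, qid, _qtype, name = m.groups()
            entry = tx.setdefault((src, qid), {"name": name, "queries": [], "answer": None})
            entry["queries"].append(_seconds(ts))
            continue
        m = RESPONSE_RE.match(line)
        if m:
            ts, _src, dst, qid = m.group(1, 2, 3, 4)
            entry = tx.get((dst, qid))  # the response goes back to the querying socket
            if entry is not None and entry["answer"] is None:
                entry["answer"] = _seconds(ts)

    report = {}
    for entry in tx.values():
        qs = sorted(entry["queries"])
        gaps = [b - a for a, b in zip(qs, qs[1:])]
        latency = None if entry["answer"] is None else entry["answer"] - qs[0]
        r = report.setdefault(entry["name"], {
            "transactions": 0, "attempts": 0, "unanswered": 0,
            "max_latency": None, "resolver_retries": 0,
        })
        r["transactions"] += 1
        r["attempts"] += len(qs)
        r["resolver_retries"] += sum(1 for g in gaps if abs(g - retry_timeout) < 0.5)
        if latency is None:
            r["unanswered"] += 1
        else:
            r["max_latency"] = max(r["max_latency"] or 0.0, latency)
    return report


def hold_symptoms(report: dict, hold_threshold: float = 1.0) -> list:
    """Names whose pattern looks like the gateway holding the lookup for categorization."""
    flagged = []
    for name, r in report.items():
        slow = (r["max_latency"] or 0.0) >= hold_threshold
        if r["unanswered"] or r["resolver_retries"] or slow:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    rep = analyze(SAMPLE_CAPTURE)
    for name in hold_symptoms(rep):
        r = rep[name]
        print(f"{name}: attempts={r['attempts']} unanswered={r['unanswered']} "
              f"retries@2s={r['resolver_retries']} max_latency={r['max_latency']}")
```

Run it against your own `tcpdump -n port 53` output from the client side; if the flagged names stop showing retries and latency right after switching the categorization mode to Background (and the blades are otherwise untouched), you have confirmed it was the hold, not the DNS server.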

Problem solved in R77.20, where Background is now the default config.

Geez I hate those random problems.

Thanks, Todd, for finding this!

dreez


Comments

  • Steve  On January 20, 2015 at 8:17 pm

    That setting is also recommended in sk98348 – Best Practices – Security Gateway Performance.

    3-11) Best practices – Anti-Virus & Anti-Bot optimization

    Advanced – Engine Settings:
    Go to “Check Point Online Web Service” section.
    In the “Website categorization mode” section, select “Background” (to prevent latency due to packet holding until categorization is completed).

    • Dreezman  On January 20, 2015 at 8:27 pm

      Yeah obviously after it happens you know about it! Thanks.
      dreez

  • Alex  On January 20, 2015 at 9:12 pm

    Another article on Anti-Virus / Anti-Bot: sk92224. We actually just ran into this issue. DNS was set to background regardless of the SmartDashboard setting.

    • Dreezman  On January 21, 2015 at 8:56 am

      Wow. We were in Detect Only mode and still getting Prevent log events. This is not the first time we've seen disruption of the data stream in Detect mode.


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.
