Firewall still blocking resolved FQDNs

M400 running firmware 12.7

We have a policy that lets about 1500 FQDN entries through. These are specific entries, no wildcards. We see DNS queries coming from the firewall to our internal DNS server for these entries, and the DNS server's responses to the firewall. Everything looks OK, the response IPs are correct.
However, once in a while, some of these IPs keep getting blocked even though the firewall seems to have resolved the FQDN entries successfully.
Running the same query from System Manager's Diagnostics tool also returns the correct response.
The only way to fix this is rebooting the firewall - then those IPs are no longer blocked.

Adding the actual IPs to the policy directly (instead of FQDNs) also fixes the issue.

Is there some kind of limit/threshold? There used to be a limit of 2048 FQDNs, now it's just a warning. We are below that anyway. Any ideas?

Thanks,
Matt

Comments

  • FYI - V12.7.1 is now out. Nothing obvious in the Release Notes related to your problem.

    It appears that the firewall FQDN cache respects the TTL for the domain name, and once the TTL time is reached, the entry probably is deleted from the FQDN cache.
    So perhaps this is related to your issue somehow.

    You can see the FQDN cache via a CLI command or in a support file.

    support.tgz\xxx_support.tar\Fireware_XTM_Support.tgz\Fireware_XTM_Support.tar\support\firewall\fqdnd_cache_dump.txt

    For V12.7.1 note this (however it should work correctly in V12.7):
    FQDN policy diagnostic CLI commands return no results
    https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA16S000000Fx7CSAS&lang=en_US

  • Also, if you are using the HTTPS proxy - client type, there are a whole bunch of FQDNs listed in the WG Content Inspection Exceptions (over 200), many of which are wildcard ones. So you may well see these in the FQDN cache list.

  • Thanks Bruce.

    I was able to get the fqdnd_cache_dump.txt file as well as the other FQDN-related files from the support tar.

    I checked a couple of the blocked entries - they are there now; however, I will check again tomorrow while the IPs are being rejected.
    We use short TTL times, and the firewall seems to be contacting the DNS server when the TTL expires, so the cache should be refreshed fairly quickly. This whole thing behaves as if the cache is full. I will try to refresh the cache through the CLI, and see if that helps.

    Btw, supposedly there is no more 2048 limit, but the dump file only goes up to 2047. That might be something else though.

    We don't have an HTTPS proxy policy on this firewall, but I saw a bunch of WatchGuard entries (such as Amazon AWS) in the FQDN list. Not sure if I can remove them though.

    Anyway I will probably end up opening a ticket.

    Thanks a lot for your help.

  • @agentsmith

    We have a policy that lets about 1500 FQDN entries thru. .... Everything looks ok, the response IPs are correct.
    However, once in a while, some of these IPs keep getting blocked even though the firewall seems to have resolved the FQDN entries successfully.

    And these entries are located in Blocked sites Exceptions also?
