Firewall-1
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [FW-1] Rule 998: DCE-RPC Problems

from James Lee Bell [Permanent Link]
Subject: Re: [FW-1] Rule 998: DCE-RPC Problems
From: James Lee Bell <nuclear-cowboy AT COX DOT NET>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 23 Jun 2004 09:31:58 -0700 
This got us last night as well when we upgraded from FP2 to AI R55
HFA04. Nokia engineer gave us a specific SK (whose number eludes me),
but to turn off the DCE-RPC smartdefense checking (i.e. "malformed"
dce-rpc checks that dcom with it's semi-random uuid's trips) and make it
act like FP2 regarding DCE-RPC you go into $FWDIR/lib/dcerpc.def and
change the line for "ALLOW_135" from zero to 1, then push.

In our case, doing this allowed the dce-rpc portmapper requests to flow,
but fw-1 still built state table entries based on the port numbers seen
in the rpc response.

Philipp Mueller wrote:

Hi

After an upgraded to R54 we experience the following problems.
Alert Rejects on rule 998, which is this CP specific client-to-server
DCE RPC error.
We followed the solution as discussed under:
http://www.checkpoint.com/securitycenter/advisories/2003/cpai-2003-11.html
which is:
1.) Create specific DCE-RPC rules with you UUID
2.) replace dcerpc.def
3.) modify table.def
4.) restart CP

Unfortunately nothing has changed! We still have the rejects. We
even put now the ALL_DCE_RPC service in the specific rule, but
it still doesn't work!

Now we read in the release notes of R55 that there are several issues
resolved
with the DCE-RPC.

Now our questions:
- How can we turn this SmartDefense stuff off for the DCE-RPC????
- Did we something wrong (see steps above or in the link)????
- Did anyone else experience similar problems???
- If we upgrade to R55 is it enought to upgrade the management server
or do we need to upgrade also all the nodes?????

Any help would be highly appreciated.

Regards
Philippp

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================



=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [FW-1] VPN-1 Edge device and NG AI R55, Yinal Ozkan
Next by Date:  [FW-1] SUMMARY: Rule 998: DCE-RPC Problems, Philipp Mueller
Previous by Thread:  Re: [FW-1] Rule 998: DCE-RPC Problems, Micha Borrmann
Next by Thread:  [FW-1] changing objects_5_0.c file on FP3, Neil Kemp
Indexes:  [Date] [Thread] [Top] [All Lists]