Firewall-1

Subject: Re: [FW-1] AW: [FW-1] CP VPN-1/FW-1 R60 HFA03 - DCE-RPC --> Source IP commad
From: cisco4ng <cisco4ng AT YAHOO DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 20 Jun 2006 15:16:48 -0700
Hi there,
   
  Under SmartDefense, in the DNS section, you need to "turn OFF" DNS UDP
  enforcement.  Re-push the policy and I think it will work.
   
  cisco4ng

Information Technology <it AT KARENITA DOT DE> wrote:
  Hi,

I set MS-RPC in SmartDefense to log only. Now we have connections that 
are only logged (monitored) but other connections will also be rejected 
by CP. Sometimes we get an alert or we get an alert and a reject together.

Number: 71519
Date: 20Jun2006
Time: 9:56:01
Product: SmartDefense
Origin: fw(192.168.1.1)
Type: Alert
Action: 
Service: 135
Source: ServerA (192.168.10.10)
Destination: ServerB (172.16.20.20)
Attack Name: DCE-RPC Enforcement Violation
Information: Total logs: 6
Suppressed logs: 5
Attack Information: Source IP in port command is different than the 
Server IP


Number: 71597
Date: 20Jun2006
Time: 9:56:15
Product: SmartDefense
Interface: eth-s1p2c0
Origin: fw(192.168.1.1)
Type: Alert
Action: Reject
Service: epmap-135 (135)
Source: ServerA (192.168.10.10)
Destination: ServerB (172.16.20.20)
Protocol: tcp
Source Port: 2255
Attack Name: DCE-RPC Enforcement Violation
Attack Information: Source IP in port command is different than the 
Server IP

Is it possible to deactivate this check in one of the $FWDIR/lib/*.def 
files?

moelljoe

Verweyen, Dirk wrote:
> Hi,
> 
> I think that's a problem with SmartDefense. Look
> into the configuration and try some settings.
> 
> Regards, Dirk 
> 
>> -----Original Message-----
>> From: Information Technology 
>> Sent: Tuesday, 20 June 2006 12:58
>> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>> Subject: [FW-1] CP VPN-1/FW-1 R60 HFA03 - DCE-RPC --> Source IP commad
>>
>> Hello,
>>
>> Last week, we upgraded from CheckPoint NG R55 to CheckPoint 
>> NG-X R60 HFA03. Now we have problems with the Microsoft 
>> domain controller communication.
>>
>> When server A in our DMZ tries to connect to server B (domain 
>> controller), we often get this alert:
>>
>> Number: 192944
>> Date: 19Jun2006
>> Time: 16:35:13
>> Product: SmartDefense
>> Interface: eth-s1p2c0
>> Origin: fw (192.168.1.1)
>> Type: Alert
>> Action: Reject
>> Protocol: tcp
>> Service: epmap-135 (135)
>> Source: serverA (192.168.10.10)
>> Destination: serverB (172.16.20.20)
>> Source Port: 4740
>> Attack Name: DCE-RPC Enforcement Violation
>> Attack Information: Source IP in port command is different than the Server IP
>>
>>
>> Is there anybody who gets this error message too?
>> Is there anybody who knows how we can disable this check in 
>> SmartDefense?
>>
>> moelljoe

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
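
Added example, not part of the original messages: a small Python parser for log records in the "Key: value" layout quoted in this thread, which folds the wrapped "Attack Information" line and counts, per source/destination/attack, how many hits were rejected versus only logged. The function names are hypothetical, the sample is constructed from the two records above, and treating an empty Action field as "log only" is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the two records quoted in the thread, trimmed to the
# fields used here, keeping the wrapped "Attack Information" line.
SAMPLE = """\
Number: 71519
Action:
Source: ServerA (192.168.10.10)
Destination: ServerB (172.16.20.20)
Attack Name: DCE-RPC Enforcement Violation
Attack Information: Source IP in port command is different than the
Server IP

Number: 71597
Action: Reject
Source: ServerA (192.168.10.10)
Destination: ServerB (172.16.20.20)
Attack Name: DCE-RPC Enforcement Violation
Attack Information: Source IP in port command is different than the
Server IP
"""

FIELD = re.compile(r"^([A-Z][A-Za-z ]*?):\s*(.*)$")

def parse_records(text):
    """Split on blank lines; fold lines without a 'Key:' into the previous field."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, last = {}, None
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                last = m.group(1)
                rec[last] = m.group(2).strip()
            elif last:
                rec[last] = (rec[last] + " " + line.strip()).strip()
        records.append(rec)
    return records

def summarize(records):
    """Per (source, destination, attack): count rejected vs. log-only hits."""
    flows = defaultdict(lambda: {"reject": 0, "log_only": 0})
    for r in records:
        key = (r.get("Source"), r.get("Destination"), r.get("Attack Name"))
        # Assumption: an empty Action means the hit was logged, not blocked.
        kind = "reject" if r.get("Action", "").lower() == "reject" else "log_only"
        flows[key][kind] += 1
    return dict(flows)
```

A flow that shows both a non-zero `reject` and a non-zero `log_only` count is the mixed behaviour described in the second message.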
