Subject: Re: [FW-1] Urgent help needed. NGx R61 with HFA_01 and Microsoft DCE-RPC
From: Gary Scott <gscott AT VIGILAR DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Sun, 29 Oct 2006 22:59:32 -0500

I saw something similar, and setting all the MS-RPC settings in SD to
monitor only allowed the specific UID to pass; the logs showed a monitor
log instead of the reject. With R60 we had to do an update to get the
option for monitor only for some of the MS-RPC checks.

-GS

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of cisco4ng
Sent: Sunday, October 29, 2006 10:09 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Urgent help needed. NGx R61 with HFA_01 and Microsoft DCE-RPC

Scenario:

  hostA---FWA---Internet---FWB---hostB

FWA is a Cisco PIX version 7.2(1).
FWB is running NGx R61 with HFA_01 on IPSO 4.1 build 19.

hostA is Windows XP Pro with Service Pack 2 and the latest patches.
hostB is Windows 2003 Service Pack 1 with the latest patches.

I have a site-to-site VPN between FWA and FWB. The VPN is up and running,
and everything is allowed through the VPN tunnel.

hostB is a Microsoft AD controller; let's call it nxia. When I tried to
add hostA into domain nxia, I saw this in the SmartView Tracker:

  Number:              1917
  Date:                29Oct2006
  Time:                9:51:16
  Product:             SmartDefense
  Interface:           eth3c0
  Origin:              10.209.84.36
  Type:                Log
  Action:              Reject
  Service:             gmsRPC-tcp (135)
  Source:              198147010097.nxia.com (192.168.1.97)
  Destination:         h_10.85.84.27 (10.85.84.27)
  Protocol:            tcp
  Source Port:         1257
  Attack Name:         DCE-RPC Enforcement Violation
  Information:         DCE-RPC Interface UID: e3514235-4b06-11d1-ab04-00c04fc2dcd2
  Attack Information:  UUID is not allowed through the Rule Base

Furthermore, if I add another Microsoft Windows 2003 Enterprise Server,
hostC, behind FWA, and try to make hostC another AD controller of the
nxia domain, it fails with the same error I am getting above.
It seems to me that NGx R61 (even with HFA_01) is having issues with
Microsoft AD working properly across the firewall.

I've been researching the Check Point knowledge base, and from those SKs it
seems that Check Point has fixed this in HFA_04 or NGx R60 or HFA_01 in
NGx R61. But it is not working for me. The SKs are sk25562, sk31245 and
sk31166. I tried to modify the dcerpc.def file, but those knowledge base
articles are for NG AI or NGx R60 and not R61.

Is anyone running into a similar issue, and how did you fix it? Thanks.

cisco4ng

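Before relaxing a SmartDefense DCE-RPC check, it helps to know exactly which interface UUIDs are being rejected and between which hosts. The following Python is an added example (not from the list, the poster, or Check Point): it parses SmartView Tracker text records like the one quoted above, coping with the UUID being wrapped onto its own line, and lists each DCE-RPC enforcement reject with its UUID. The sample record is the one from the post; the UUID-to-interface-name map is my own assumption and the caller is assumed to hand in one record per text block.

```python
import re

# Assumption: hand-maintained map of documented MS-RPC interface UUIDs to names.
KNOWN_INTERFACES = {
    "e3514235-4b06-11d1-ab04-00c04fc2dcd2": "drsuapi (AD replication)",
    "12345678-1234-abcd-ef00-01234567cffb": "netlogon",
}

UUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")

# Constructed sample: the record quoted in the post, with the UUID wrapped onto
# its own line as it appeared there.
SAMPLE_LOG = """\
Action:      Reject
Service:     gmsRPC-tcp (135)
Source:      198147010097.nxia.com (192.168.1.97)
Destination: h_10.85.84.27 (10.85.84.27)
Attack Name: DCE-RPC Enforcement Violation
Information: DCE-RPC Interface UID:
e3514235-4b06-11d1-ab04-00c04fc2dcd2
Attack Information: UUID is not allowed through the Rule Base
"""

def parse_record(text):
    """One SmartView Tracker text record -> field dict; a line without a
    'Field: value' shape continues the previous field (wrapped UUID)."""
    fields, last = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif line and last:
            fields[last] = (fields[last] + " " + line).strip()
    return fields

def dcerpc_rejects(records):
    """(uuid, interface name, source, destination) for each SmartDefense
    DCE-RPC Enforcement Violation reject among the parsed records."""
    hits = []
    for r in records:
        if r.get("Action") != "Reject" or "DCE-RPC" not in r.get("Attack Name", ""):
            continue
        m = UUID_RE.search(r.get("Information", ""))
        uuid = m.group(0).lower() if m else "unknown"
        hits.append((uuid, KNOWN_INTERFACES.get(uuid, "unknown interface"),
                     r.get("Source", ""), r.get("Destination", "")))
    return hits
```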

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================