This isn't the best solution, but I've had success with it in the past.
Create a normal TCP service 135 and include it in the rule that allows the
access between the relevant hosts. Usually, this forces a standard TCP match
and bypasses the SmartDefense settings.
It's not the best solution, since you will lose pretty much all of the inherent
SmartDefense DCE-RPC checks on port 135, but if you need to get something
working quickly, it's worth a shot.
Cheers
Matthew Odendaal
MCSE, CCSI, NSI
Information Security Architects
Tel: +27 11 326 2242
Fax: +27 11 326 2285
Mobile: +27 83 260 3339
matthew AT isa.co DOT za
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT
AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of cisco4ng
Sent: 31 October 2006 02:29 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Urgent help needed. NGx R61 with HFA_01 and Microsoft
DCE-RPC
Ok. I applied Microsoft solution http://support.microsoft.com/kb/899148 and
rebooted the Windows 2003 Enterprise Server. When the server came back up,
I tried to get my WinXP to join the domain and I am still getting this error:
Number: 1544
Date: 30Oct2006
Time: 9:58:09
Product: SmartDefense
Interface: eth3c0
Origin: 10.209.84.36
Type: Log
Action: Reject
Service: gmsRPC-tcp (135)
Source: 198147010097.nixa.com (192.168.1.97)
Destination: h_10.85.84.27 (10.85.84.27)
Protocol: tcp
Source Port: 1085
Attack Name: DCE-RPC Enforcement Violation
Information: DCE-RPC Interface UID:
e3514235-4b06-11d1-ab04-00c04fc2dcd2
Attack Information: UUID is not allowed through the Rule Base
Basically I am still having the same issue. I disabled everything possible in
SmartDefense but it is still not working. The weird thing is that if I
replace this NGx R61 firewall with NG with AI R55w running HFA_04, then I have
no issue. I am under time crunch to roll out NGx R61 and this will delay the
launch date if I cannot get this to work.
Any ideas? Thanks.
cisco4ng
chkp tech <chkptech AT GMAIL DOT COM> wrote:
I've been at a client site for the past couple weeks, and the infrastructure
team came over to me and had the exact same problem. They asked me to look
at it, and I could see that dcerpc traffic was being dropped.
You can verify this traffic is being dropped by something other than the
rulebase by performing the following command:
fw ctl zdebug drop > debug.drop
Now try to join the machine to the domain or replicate data, to get some
drops, and then open the file. If the packets are being dropped due to the
rule base, the reason will be: rulebase drop.
When Windows 2003 Service Pack 1 machines would try to either join the
domain or replicate AD data across the forest, we would see drops and other
weirdness.
We upgraded the clusters to the latest patches and still saw the problems.
We finally contacted Microsoft for the patch listed in
http://support.microsoft.com/kb/899148 and this resolved the issue. Another
workaround was to pull Service Pack 1 off of the machines, but I don't think
this is a legitimate solution ;)
Jason
On 10/30/06, pkc_mls wrote:
>
> cisco4ng wrote:
> > hi,
> >
> > Thanks for the link. However, when I look under
> > HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\
> > I do not see Rpc subkey. The sk seems to imply that the sub key is already
> > there. Furthermore, my Windows Enterprise 2003 server is an AD server.
> >
> > Any more ideas? Thanks.
> >
> If you have access to SecureKnowledge, you can search for dcerpc.def.
> Otherwise, try the same search in the mailing list archive
> (msgs.securepoint.com allows you to search
> through the archives).
> > cisco4ng
> >
> > pkc_mls wrote:
> > http://support.microsoft.com/kb/899148/fr
> >
> > remove the /fr for the same infos not in French.
> >
> > (quite hard on monday morning ... )
> >
> >> I never tried this, but I hope this'll work for you.
> >>
> >>> cisco4ng
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > fw-1-owner AT ts.checkpoint DOT com
> > =================================================
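A way to tally entries like the SmartDefense reject quoted earlier in the thread, to see which DCE-RPC interface UUIDs are being rejected between which hosts before deciding whether to give up the port 135 inspection. This is an added example, not code from any poster or from Check Point; it assumes the log has been exported as text in the same "Key: Value" layout, and `parse_records`, `rejected_uuids` and the sample hosts are hypothetical.

```python
import re
from collections import Counter
# Constructed sample in the "Key: Value" layout of the log entry quoted in the
# thread; hosts and addresses are made up, the UUID is the one from the thread.
SAMPLE_LOG = """\
Number: 1544
Action: Reject
Source: client-a.example (192.0.2.97)
Destination: dc-1.example (198.51.100.27)
Attack Name: DCE-RPC Enforcement Violation
Information: DCE-RPC Interface UID:
e3514235-4b06-11d1-ab04-00c04fc2dcd2
Number: 1545
Action: Accept
Number: 1546
Action: Reject
Source: client-a.example (192.0.2.97)
Destination: dc-1.example (198.51.100.27)
Attack Name: DCE-RPC Enforcement Violation
Information: DCE-RPC Interface UID: E3514235-4B06-11D1-AB04-00C04FC2DCD2
"""

KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")
UUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def parse_records(text):
    # One dict per record; a record starts at "Number:" (or at the first key seen).
    records, last_key = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = KEY_VALUE.match(line)
        if m and (m.group(1) == "Number" or not records):
            records.append({})
        if m:
            last_key = m.group(1)
            records[-1][last_key] = m.group(2)
        elif last_key:
            records[-1][last_key] += " " + line  # wrapped value, e.g. the UUID
    return records

def rejected_uuids(records):
    # Count DCE-RPC enforcement rejects per (source, destination, interface UUID).
    hits = Counter()
    for r in records:
        uuid = UUID.search(r.get("Information", ""))
        if uuid and r.get("Action") == "Reject" and "DCE-RPC" in r.get("Attack Name", ""):
            hits[(r.get("Source"), r.get("Destination"), uuid.group(0).lower())] += 1
    return hits
if __name__ == "__main__":
    print(rejected_uuids(parse_records(SAMPLE_LOG)))
```

The wrapped UUID line in record 1544 is joined back onto its `Information` field, so both rejects count against the same interface UUID.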