athirat
Staff
March 30, 2022

Technical Tip: DCERPC session-helper not creating expectation sessions when using 'Packet privacy'

Description

This article describes how the FortiGate DCERPC session helper handles DCERPC data connections when the control connection uses 'Packet privacy' authentication.

Scope

All FortiOS versions.

Solution

In a DCERPC stream passing through the FortiGate, if the 'RemoteCreateInstance' request and response use 'Auth level: Packet privacy', the payload is encrypted and the DCERPC session helper is not able to read the data-port information from it.


This is the expected behavior.


[Screenshot: athirat_0-1648635546263.png]


Hence, in this case, the DCERPC session helper cannot create an expectation session for the data connection (high ports).
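To illustrate why the helper has nothing to work with, here is an added Python example (not Fortinet code) that parses a constructed connection-oriented DCERPC PDU, reads the auth_level from its sec_trailer, and reports whether the stub data (where the data-port information would sit) is readable by a middlebox such as a session helper. The PDU builder, the NTLM auth_type value and the dummy auth_value are constructed for the example; the level constants follow Microsoft's "Authentication Level Constants".

```python
import struct
from typing import Optional

# RPC_C_AUTHN_LEVEL_* values (Microsoft "Authentication Level Constants")
AUTHN_LEVEL = {0: "default", 1: "none", 2: "connect", 3: "call",
               4: "pkt", 5: "pkt_integrity", 6: "pkt_privacy"}
PKT_PRIVACY = 6
HDR_LEN, TRAILER_LEN = 16, 8   # common header; sec_trailer without auth_value
PTYPE = {0: "request", 2: "response", 11: "bind", 12: "bind_ack"}

def build_pdu(ptype: int, stub: bytes, auth_level: Optional[int],
              auth_value: bytes = b"\xaa" * 16) -> bytes:
    """Constructed connection-oriented DCERPC v5 PDU (little-endian drep).
    The stub is a stand-in for e.g. a RemoteCreateInstance body."""
    assert len(stub) % 4 == 0, "keep the sec_trailer 4-byte aligned"
    body, auth_len = stub, 0
    if auth_level is not None:
        # auth_type 10 = NTLM (example value), pad 0, reserved 0, context id 1
        trailer = struct.pack("<BBBBI", 10, auth_level, 0, 0, 1)
        body, auth_len = stub + trailer + auth_value, len(auth_value)
    hdr = struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                      HDR_LEN + len(body), auth_len, 1)
    return hdr + body

def inspect_pdu(pdu: bytes) -> dict:
    """Report the PDU's auth level and whether a middlebox can read the stub."""
    if len(pdu) < HDR_LEN or pdu[0] != 5:
        raise ValueError("not a DCERPC v5 PDU")
    end = "<" if pdu[4] >> 4 == 1 else ">"   # drep: 0x1x = little-endian ints
    _, _, ptype, _, _, frag_len, auth_len, _ = struct.unpack(
        end + "BBBB4sHHI", pdu[:HDR_LEN])
    if frag_len > len(pdu):
        raise ValueError("truncated PDU")
    name = PTYPE.get(ptype, ptype)
    if auth_len == 0:   # no sec_trailer: stub is plaintext
        return {"ptype": name, "auth_level": None, "stub_readable": True}
    off = frag_len - auth_len - TRAILER_LEN
    if off < HDR_LEN:
        raise ValueError("sec_trailer overlaps header")
    _, level, _pad, _, _ = struct.unpack(end + "BBBBI", pdu[off:off + TRAILER_LEN])
    # Only packet privacy encrypts the stub; integrity and below leave it readable
    return {"ptype": name,
            "auth_level": AUTHN_LEVEL.get(level, f"unknown({level})"),
            "stub_readable": level != PKT_PRIVACY}
```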

This traffic might be dropped if no firewall policy matches the data connection, or it might end up matching an unintended firewall policy.


Because of this, a firewall policy allowing TCP/49152-65535 needs to be added on the FortiGate so that the data connection (DCERPC high ports) is permitted.


For added security, an application control profile that permits only RPC applications can also be attached to that policy.


Authentication level constants are described in the link below:
Authentication Level Constants