Technical Tip: Policy matching of DCERPC traffic
Description: This article describes how FortiOS handles DCERPC traffic. The traffic is processed by the dcerpc session helper, which inspects the control channel (the endpoint mapper on port 135) and, once that channel is established, dynamically opens a pinhole for the data channel. The data channel is established on a dynamic port that the server chooses and announces to the client inside the control-channel exchange; in the example below it is a UDP port.
Scope: FortiGate.
Solution: The FortiGate only needs a firewall policy that allows the DCERPC control channel (port 135). No firewall policy is required for the dynamically negotiated ports: when the session helper sees the port announced on the control channel, it creates an expect session for the data channel, and the data channel is then accepted on the strength of that expect session. This is part of the session helper's functionality and needs no extra configuration as long as the dcerpc helper is present under 'config system session-helper' (it is there by default for TCP and UDP port 135).

For example:

Normal session for the control channel (client -> server): 192.169.1.24:35997 -> 10.1.1.24:135. This is allowed by a firewall policy whose service is DCERPC (port 135).

Expect session for the data channel: 192.169.1.24:45778 -> 10.1.1.24:26345. This is implicitly allowed. The traffic log shows it matching the same firewall policy as the parent (control-channel) session, but that is informational only: the expect session inherits the parent's policy ID for logging, and the policy is not re-evaluated against the dynamic port.

Two caveats follow from this. First, if the dcerpc session helper has been removed, or the control channel does not run on port 135, no expect session is created and the dynamic ports must be allowed explicitly by policy. Second, the expect session covers only the port announced on the control channel; other traffic to the server on arbitrary high ports is still blocked unless a policy allows it. The expect session can be confirmed with 'diagnose sys session list' while the data channel is active.
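The configuration and verification steps described above, as an added FortiOS CLI example. It is not taken from the article: the interface names, the address object, the policy ID, the session-helper entry numbers and the predefined service name DCE-RPC are assumptions and should be checked against the running configuration.

```fortios
# Default dcerpc session-helper entries. They exist out of the box; the
# entry numbers (14 and 15 here) are an assumption and vary by version,
# so check with: show system session-helper | grep -A 3 dcerpc
config system session-helper
    edit 14
        set name dcerpc
        set protocol 6
        set port 135
    next
    edit 15
        set name dcerpc
        set protocol 17
        set port 135
    next
end

# One policy for the control channel only. The predefined service DCE-RPC
# (assumed name) covers TCP and UDP 135. No policy is created for the
# dynamic data-channel ports; the helper's expect session handles them.
config firewall policy
    edit 10
        set name "allow-dcerpc-epm"
        set srcintf "port1"       # assumption: client-side interface
        set dstintf "port2"       # assumption: server-side interface
        set srcaddr "all"
        set dstaddr "rpc-server"  # assumption: address object for 10.1.1.24
        set service "DCE-RPC"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

# Verification while a client is talking to the server. Expect to see the
# control-channel session (dport 135) matched to policy 10, and the
# data-channel session carrying the same policy ID even though its
# destination port is not part of the DCE-RPC service.
diagnose sys session filter dst 10.1.1.24
diagnose sys session list
diagnose sys session filter clear
```

If the data channel is being dropped, check the session list for the control-channel session first: without an established port-135 session through the policy, the helper never sees the endpoint-mapper response and no expect session is created.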
