hklb
Visitor III
April 18, 2015
Solved

specify UUID in service for RPC service

  • April 18, 2015
  • 5 replies
  • 15671 views

Hi,

I will migrate a Juniper to a FortiGate, but my customer uses some of the default MS-XXX services on his Juniper (the definitions of these services are here: http://kb.juniper.net/InfoCenter/index?page=content&id=KB12057).

Is it possible to define the UUID on a service on a FortiGate? I haven't found this information yet.

Thanks!

Lucas

    Best answer by Christopher_McMullan
    5 replies

    emnoc
    New Member
    April 18, 2015

    I never heard of a means to set a UUID per service, but per firewall policies, manually or automatically.

    hklb (Author)
    Visitor III
    April 19, 2015

    Hi,

    The UUID specified in firewall rules is used by FortiManager or FortiAnalyzer (http://docs-legacy.fortinet.com/fmgr/50hlp/FMG_507_Online_Help/200_What's-New.03.07.html).

    The UUID for an MS RPC service identifies the RPC service (for example, RPC Netlogon has the UUID 12345678-1234-abcd-ef00-01234567cffb). This way, we are able to restrict access to a specific RPC service. The RPC service uses dynamic ports, so if we need to allow a user to do a Netlogon on a DC, we are forced to open all ports, which is not a good thing.

    More information about RPC:

    http://techjambu.blogspot.co.uk/2012/03/rpc-over-firewall.html

    https://technet.microsoft.com/en-us/library/cc738291(v=ws.10).aspx

    https://books.google.co.uk/books?id=6ncmPL8VyX8C&pg=PA213&lpg=PA213&dq=rpc+uuid+microsoft&source=bl&ots=GfyUMZFgho&sig=jHU0IgVYoYqNWPmtqW2sLn0eQk4&hl=fr&sa=X&ei=MvQzVb6FDMrCywOd0ICYDg&ved=0CG0Q6AEwCQ#v=onepage&q=rpc%20uuid%20microsoft&f=false

    Lucas

    Christopher_McMullan
    Staff
    April 20, 2015

    You can't specify a UUID as a policy-level service, but you can filter for it as an application signature. I worked on just such a case around a year ago.

    Add the MS.RPC.UUID signature within an Application Control sensor.

    In OS 5.0, you could enter the UUIDs in the GUI after adding the MS.RPC.UUID signature to a sensor. It looks as if, in 5.2, you need to do it through the CLI. I think from memory there was a scroll limit or UUID limit in the GUI anyway, so best still to use the CLI, whatever version you're running.

    Here's an example of what the sensor would look like:

        config application list
            edit "RPC_TEST"
                set other-application-action block
                set unknown-application-action block
                config entries
                    edit 1
                        set action pass
                        set application 152305667
                        config parameters
                            edit 1
                                set value "833E4200-AFF7-4AC3-AAC2-9F24C1457BCE"
                            next
                        end
                    next
                    edit 2
                        set action pass
                        set application 152305667
                        config parameters
                            edit 1
                                set value "833E4100-AFF7-4AC3-AAC2-9F24C1457BCE"
                            next
                        end
                    next
                    edit 3
                        set action pass
                        set application 152305667
                        config parameters
                            edit 1
                                set value "833E41AA-AFF7-4AC3-AAC2-9F24C1457BCE"
                            next
                        end
                    next
                    edit 4
                        set action pass
                        set application 152305667
                        config parameters
                            edit 1
                                set value "F120A684-B926-447F-9DF4-C966CB785648"
                            next
                        end
                    next
                end
            next
        end

    So, after defining the application ID, the 'config parameters' option becomes available to you as another sub-area. You would create an ID for each entry, and enclose the UUID that you are looking for within quotes.

    If you don't know ahead of time which UUIDs are being used, but you still want to specify them, capture the relevant traffic in Wireshark. You're looking for the Abstract Syntax field within the RPC PDU. If you filter the output for 'dcerpc.cn_bind_to_uuid', you will get a list of the UUIDs to add to the signature in the sensor.

    That was a fun case to work on! It *is* possible, but obviously, the signatures have to remain static, and finding them (and/or changing them after defining the initial values) can be a pain.
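As an added example that is not part of this thread, the following Python shows what the Wireshark filter and the RPC_TEST sensor above are actually looking at: it builds a constructed DCE/RPC BIND PDU, extracts the abstract syntax (interface) UUIDs from its presentation contexts, and compares them with an allowlist mirroring the sensor's four "pass" entries. The PDU contents, the allowlist set and the function names are assumptions made for illustration.

```python
import struct
import uuid

# Constructed allowlist mirroring the thread's RPC_TEST sensor: only these
# interface UUIDs get "pass"; any other UUID is what the sensor would block.
ALLOWED_UUIDS = {
    "833e4200-aff7-4ac3-aac2-9f24c1457bce",
    "833e4100-aff7-4ac3-aac2-9f24c1457bce",
    "833e41aa-aff7-4ac3-aac2-9f24c1457bce",
    "f120a684-b926-447f-9df4-c966cb785648",
}
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax


def build_bind(interfaces, call_id=1):
    """Construct a test DCE/RPC BIND PDU (ptype 11, little-endian drep) with one
    presentation context per (uuid, major, minor) tuple, each offering NDR."""
    ctx = b""
    for ctx_id, (iface, major, minor) in enumerate(interfaces):
        ctx += struct.pack("<HBB", ctx_id, 1, 0)                  # p_cont_id, n_transfer_syn, pad
        ctx += uuid.UUID(iface).bytes_le + struct.pack("<HH", major, minor)  # abstract syntax
        ctx += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)          # transfer syntax v2.0
    body = struct.pack("<HHIBBH", 5840, 5840, 0, len(interfaces), 0, 0) + ctx
    header = struct.pack("<BBBB4sHHI", 5, 0, 11, 0x03, b"\x10\x00\x00\x00",
                         16 + len(body), 0, call_id)
    return header + body


def bind_interface_uuids(pdu):
    """Return the abstract-syntax (interface) UUIDs requested in a BIND PDU,
    i.e. the values Wireshark shows under dcerpc.cn_bind_to_uuid."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != 11:
        raise ValueError("not a DCE/RPC v5 BIND PDU")
    little = (pdu[4] & 0xF0) == 0x10        # drep byte 0: integer byte order
    frag_len = struct.unpack(("<" if little else ">") + "H", pdu[8:10])[0]
    if frag_len > len(pdu):
        raise ValueError("truncated fragment")
    found, off = [], 28                     # contexts start after n_context_elem + padding
    for _ in range(pdu[24]):
        n_ts = pdu[off + 2]
        raw = pdu[off + 4:off + 20]
        # The first three UUID fields follow the PDU's byte order; the rest are as-is.
        found.append(str(uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)))
        off += 24 + 20 * n_ts               # context header + abstract + transfer syntaxes
    return found


def blocked_interfaces(pdu):
    """UUIDs in the BIND that are not on the allowlist (what the sensor would block)."""
    return [u for u in bind_interface_uuids(pdu) if u not in ALLOWED_UUIDS]
```

Running `blocked_interfaces` over the BIND PDUs in a capture gives the same list the 'dcerpc.cn_bind_to_uuid' filter would, minus the entries the sensor already passes.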

    anuragverma
    Staff
    November 25, 2021

    How will this sensor be used for traffic?

    Will this be applied in a firewall policy in the application control security profile, and that's it?

    hklb (Author)
    Visitor III
    April 20, 2015

    Hi,

    Thanks for your reply. This is exactly what I need.

    My customer has a standard support license without UTM. Will the custom signature work without an app control license?

    Thanks!

    Lucas

    Christopher_McMullan
    Staff
    April 20, 2015

    Lucas,

    It depends on whether the signature was present in the Application Control database that came with the firmware by default. If the DB is an empty container, or only came afterwards, then it's a no-go.

    Otherwise, as long as it's there initially, it should always work.