Description
This article describes how to read FortiGate session and debug flow logs to understand the behavior of the DCE-RPC session helper.
Solution
Below is the scenario, explained with logs from the FortiGate.
Topology: User -> FortiGate -> Destination Server.
In the following logs, the user generates traffic from 172.16.29.2 to 10.96.11.11 on TCP port 135. The application then auto-triggers traffic on port 49153, which is not allowed by any IPv4 policy on the FortiGate.
Because of the DCE-RPC session helper, this traffic is still allowed by the FortiGate.
This is not a threat or a vulnerability in FortiGate; it is the intended behavior of session helpers on FortiGate.
To establish the connection, a new dce-rpc (port 135) session needs to be established. This new session _must_ match a firewall policy (for example, policy id x), and all of the expect sessions it creates copy that policy_id. Any newly created regular session, whether dce-rpc, icmp or another protocol, must match a forwarding policy, and its policy_id value indicates the policy it matched. However, when traffic hits an expect session, the policy_id it carries does not mean the traffic itself was checked against that firewall policy. Traffic hitting an expect session does not need a corresponding firewall policy at all; opening such secondary connections is exactly what session helpers are for.
Below is the session output. The helper=dcerpc field shows the session helper attached to this session, and no_ofld_reason: helper shows that the helper is the reason the session is not offloaded to the NPU.
session info: proto=6 proto_state=01 duration=128 expire=3471 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=dcerpc vlan_cos=0/255
state=dirty may_dirty npu synced netflow-origin netflow-reply
statistic(bytes/packets/allow_err): org=540/5/1 reply=412/3/1 tuples=2
tx speed(Bps/kbps): 4/0 rx speed(Bps/kbps): 3/0
orgin->sink: org pre->post, reply pre->post dev=0->0/0->0 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 172.16.29.2:57417->10.96.11.11:135(0.0.0.0:0)
hook=post dir=reply act=noop 10.96.11.11:135->172.16.29.2:57417(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=111215 auth_info=0 chk_client_info=0 vd=0
serial=9456477d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=0x100000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: helper
Debug logs:
id=20085 trace_id=23240 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 172.16.29.2:57547->10.96.11.11:135) from port29. flag [R.], seq 3618945556, ack 2876867627, win 0"
id=20085 trace_id=23240 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-94b7eef1, original direction"
id=20085 trace_id=23240 func=vf_ip_route_input_common line=2596 msg="find a route: flag=00000000 gw-10.96.48.10 via MPLS"
id=20085 trace_id=23240 func=__ip_session_run_tuple line=3337 msg="run helper-dcerpc(dir=original)"
id=20085 trace_id=23241 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 172.16.29.2:57549->10.96.11.11:49153) from port29. flag [R.], seq 4191289627, ack 3468054008, win 0"
id=20085 trace_id=23241 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-94b7eef1, original direction"
id=20085 trace_id=23241 func=vf_ip_route_input_common line=2596 msg="find a route: flag=00000000 gw-10.96.48.10 via MPLS"
id=20085 trace_id=23241 func=npu_handle_session44 line=1139 msg="Trying to offloading session from port29 to MPLS, skb.npu_flag=00000000 ses.state=04010000 ses.npu_state=0x00000c00"
id=20085 trace_id=23241 func=fw_forward_dirty_handler line=449 msg="state=04010000, state2=00000300, npu_state=00000c00"
id=20085 trace_id=23242 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 172.16.29.2:57548->10.96.11.11:49153) from port29. flag [R.], seq 2785919818, ack 1916478726, win 0"
id=20085 trace_id=23242 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-94b7eef1, original direction"
id=20085 trace_id=23242 func=vf_ip_route_input_common line=2596 msg="find a route: flag=00000000 gw-10.96.48.10 via MPLS"
id=20085 trace_id=23242 func=npu_handle_session44 line=1139 msg="Trying to offloading session from port29 to MPLS, skb.npu_flag=00000000 ses.state=04010000 ses.npu_state=0x00000c00"
id=20085 trace_id=23242 func=fw_forward_dirty_handler line=449 msg="state=04010000, state2=00000300, npu_state=00000c00"
To make sure that the firewall policy controls all traffic between the source and destination hosts, including the traffic matching the 'master session' and the 'expect session', delete the DCE-RPC session helper and configure the required services (port 135 plus the dynamic ports the application uses) in the corresponding firewall policy.
This is not a workaround: expectation sessions are by design not subject to firewall policy checks, so removing the helper is the only way to bring that traffic under policy control.
show system session-helper   <- verify the session-helper entries for dcerpc (TCP and UDP port 135).
    edit 17
        set name dcerpc
        set protocol 6
        set port 135
    next
    edit 18
        set name dcerpc
        set protocol 17
        set port 135
    next
Delete both dcerpc entries:
config system session-helper
    delete 17
    delete 18
end
Below is another 'debug flow' example with the session helper enabled (default settings). Pay attention to session ID 3181f705.
trace_id=233123 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.50:62793->10.10.10.10:135) tun_id=0.0.0.0 from port1. flag [S], seq 4239038725, ack 0, win 64240"
trace_id=233123 func=init_ip_session_common line=6009 msg="allocate a new session-3181f705, tun_id=0.0.0.0"
...
trace_id=233123 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-10.10.10.10 via port2"
trace_id=233123 func=iprope_fwd_check line=766 msg="in-[port1], out-[port2], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
trace_id=233123 func=__iprope_tree_check line=539 msg="gnum-100004, use addr/intf hash, len=8"
...
trace_id=233123 func=__iprope_check_one_policy line=2025 msg="checked gnum-100004 policy-586, ret-no-match, act-accept"
trace_id=233123 func=__iprope_check_one_policy line=2025 msg="checked gnum-100004 policy-585, ret-matched, act-accept"
...
trace_id=233123 func=fw_forward_handler line=979 msg="Allowed by Policy-585:"
trace_id=233123 func=__ip_session_run_tuple line=3460 msg="run helper-dcerpc(dir=original)" <--- Runs the helper that creates expectation session.
trace_id=233124 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 10.10.10.10:135->192.168.50.50:62793) tun_id=0.0.0.0 from port2. flag [S.], seq 769491140, ack 4239038726, win 8192"
trace_id=233124 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-3181f705, reply direction"
trace_id=233124 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.49.2.1 via port1"
trace_id=233124 func=fw_forward_dirty_handler line=437 msg="state=00000204, state2=00000001, npu_state=00000101"
trace_id=233124 func=__ip_session_run_tuple line=3460 msg="run helper-dcerpc(dir=reply)"
...
trace_id=233130 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.50:62795->10.10.10.10:49671) tun_id=0.0.0.0 from port1. flag [S], seq 563688588, ack 0, win 64240" <--- New set of source and destination ports.
trace_id=233130 func=resolve_ip_tuple_fast line=5928 msg="Find an EXP session, id-3181f705." <--- Expectation session being used.
trace_id=233130 func=ipv4_fast_cb line=53 msg="enter fast path"
trace_id=233131 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 10.10.10.10:49671->192.168.50.50:62795) tun_id=0.0.0.0 from port2. flag [S.], seq 1589167161, ack 563688589, win 8192"
trace_id=233131 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-3181f705, reply direction"
trace_id=233132 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.50:62795->10.10.10.10:49671) tun_id=0.0.0.0 from port1. flag [.], seq 563688589, ack 1589167162, win 1026"
trace_id=233132 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-3181f705, original direction"
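As an added example (not from this article or from Fortinet), the following Python parses 'diagnose debug flow' lines in the shape of both excerpts above and separates flows that were allowed by a forward policy from flows that were forwarded through an expectation session without any policy lookup. The sample lines are constructed to mirror the excerpts (trace ids and sequence numbers are made up); the function and class names are assumptions. It also groups each expectation-session hit under the master session that spawned it, which is the information needed to decide which services a policy must permit once the helper is removed.

```python
import re
from dataclasses import dataclass

# Constructed sample (not a real capture): debug flow lines shaped like the
# excerpts above. trace_ids and seq/ack values are made up.
SAMPLE_FLOW = """\
trace_id=1 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.50:62793->10.10.10.10:135) tun_id=0.0.0.0 from port1. flag [S], seq 1, ack 0, win 64240"
trace_id=1 func=init_ip_session_common line=6009 msg="allocate a new session-3181f705, tun_id=0.0.0.0"
trace_id=1 func=__iprope_check_one_policy line=2025 msg="checked gnum-100004 policy-586, ret-no-match, act-accept"
trace_id=1 func=__iprope_check_one_policy line=2025 msg="checked gnum-100004 policy-585, ret-matched, act-accept"
trace_id=1 func=fw_forward_handler line=979 msg="Allowed by Policy-585:"
trace_id=1 func=__ip_session_run_tuple line=3460 msg="run helper-dcerpc(dir=original)"
trace_id=2 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 10.10.10.10:135->192.168.50.50:62793) tun_id=0.0.0.0 from port2. flag [S.], seq 2, ack 2, win 8192"
trace_id=2 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-3181f705, reply direction"
trace_id=3 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.50:62795->10.10.10.10:49671) tun_id=0.0.0.0 from port1. flag [S], seq 3, ack 0, win 64240"
trace_id=3 func=resolve_ip_tuple_fast line=5928 msg="Find an EXP session, id-3181f705."
trace_id=3 func=ipv4_fast_cb line=53 msg="enter fast path"
"""

# Patterns for the message shapes seen in the excerpts. The first excerpt
# prefixes lines with "id=... " so trace_id is searched, not anchored.
TRACE_RE = re.compile(r"trace_id=(\d+)")
PKT_RE = re.compile(r"received a packet\(proto=(\d+), ([\d.]+:\d+)->([\d.]+:\d+)\)")
NEW_RE = re.compile(r"allocate a new session-([0-9a-f]+)")
EXIST_RE = re.compile(r"Find an existing session, id-([0-9a-f]+), (original|reply) direction")
EXP_RE = re.compile(r"Find an EXP session, id-([0-9a-f]+)")
POLICY_RE = re.compile(r"Allowed by Policy-(\d+)")
HELPER_RE = re.compile(r"run helper-(\w+)\(dir=(original|reply)\)")


@dataclass
class Trace:
    """One packet's walk through the flow debugger, keyed by trace_id."""
    trace_id: str
    proto: str = ""
    src: str = ""
    dst: str = ""
    session_id: str = ""
    via: str = ""        # "policy", "expect" or "existing"
    policy_id: str = ""
    helper: str = ""


def parse_debug_flow(text):
    """Fold debug flow lines into one Trace per trace_id (insertion order kept)."""
    traces = {}
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        t = traces.setdefault(m.group(1), Trace(m.group(1)))
        if (p := PKT_RE.search(line)):
            t.proto, t.src, t.dst = p.group(1), p.group(2), p.group(3)
        elif (n := NEW_RE.search(line)):
            t.session_id = n.group(1)           # master session just allocated
        elif (e := EXIST_RE.search(line)):
            t.session_id, t.via = e.group(1), "existing"
        elif (x := EXP_RE.search(line)):
            t.session_id, t.via = x.group(1), "expect"   # no policy lookup
        elif (a := POLICY_RE.search(line)):
            t.policy_id, t.via = a.group(1), "policy"
        elif (h := HELPER_RE.search(line)):
            t.helper = h.group(1)
    return list(traces.values())


def expect_session_hits(traces):
    """Flows forwarded through an expectation session, i.e. not policy-checked."""
    return [t for t in traces if t.via == "expect"]


def expect_ports_by_master(traces):
    """Group expectation hits under the policy-matched master session that
    spawned them: master destination plus every extra destination opened."""
    out = {}
    for t in traces:
        if t.via == "policy" and t.session_id:
            out.setdefault(t.session_id, {"master": t.dst, "expect": []})
    for t in traces:
        if t.via == "expect" and t.session_id in out:
            out[t.session_id]["expect"].append(t.dst)
    return out


if __name__ == "__main__":
    parsed = parse_debug_flow(SAMPLE_FLOW)
    for hit in expect_session_hits(parsed):
        print(f"trace {hit.trace_id}: {hit.src}->{hit.dst} via EXP session {hit.session_id}")
    print(expect_ports_by_master(parsed))
```

Run it against a saved 'diagnose debug flow' capture instead of SAMPLE_FLOW to list every destination port the helper opened; those ports are the services the replacement firewall policy must carry once the dcerpc helper entries are deleted.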
Related document:
DCE-RPC session helper (dcerpc) - FortiGate handbook
Copyright 2024 Fortinet, Inc. All Rights Reserved.