FortiGate
ereddy
Staff
Article Id 198374

Description


This article describes how to read the session and debug flow logs that show the behaviour of the DCE-RPC session helper.

Solution


The scenario below is explained with logs taken on the FortiGate.

Traffic flow: User -> FortiGate -> Destination Server

As shown in the logs below, the user generates traffic from 172.16.29.2 to 10.96.11.11 on port tcp-135. The application then automatically triggers traffic on port 49153, a port that is not allowed by any IPv4 policy on the FortiGate.
Because of the RPC session helper, this traffic is still allowed through the FortiGate.

Remember that this is not a threat or a vulnerability on the FortiGate. This behaviour is caused by the session helpers on the FortiGate.

 

To establish the connection, a new dce-rpc (port 135) session needs to be created. This new session _must_ match a firewall policy, for example policy id x, and all of its expect sessions then copy that policy_id. Any newly created regular session, whether dce-rpc, icmp or another protocol, must match a forwarding policy, and its policy_id value indicates the policy it matched. However, if traffic hits an expect session, that does not mean the traffic itself was matched against the firewall policy. Traffic hitting an expect session does not need a corresponding firewall policy at all; that is exactly what session helpers are for.

Below is the session output for the master session. The fields that show the session helper at work (highlighted in the original article) are helper=dcerpc and the final line no_ofld_reason: helper.

 

session info: proto=6 proto_state=01 duration=128 expire=3471 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=dcerpc vlan_cos=0/255
state=dirty may_dirty npu synced netflow-origin netflow-reply
statistic(bytes/packets/allow_err): org=540/5/1 reply=412/3/1 tuples=2
tx speed(Bps/kbps): 4/0 rx speed(Bps/kbps): 3/0
orgin->sink: org pre->post, reply pre->post dev=0->0/0->0 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 172.16.29.2:57417->10.96.11.11:135(0.0.0.0:0)
hook=post dir=reply act=noop 10.96.11.11:135->172.16.29.2:57417(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=111215 auth_info=0 chk_client_info=0 vd=0
serial=9456477d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=0x100000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: helper

Debug logs.

 

id=20085 trace_id=23240 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 172.16.29.2:57547->10.96.11.11:135) from port29. flag [R.], seq 3618945556, ack 2876867627, win 0"
id=20085 trace_id=23240 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-94b7eef1, original direction"
id=20085 trace_id=23240 func=vf_ip_route_input_common line=2596 msg="find a route: flag=00000000 gw-10.96.48.10 via MPLS"
id=20085 trace_id=23240 func=__ip_session_run_tuple line=3337 msg="run helper-dcerpc(dir=original)"
id=20085 trace_id=23241 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 172.16.29.2:57549->10.96.11.11:49153) from port29. flag [R.], seq 4191289627, ack 3468054008, win 0"
id=20085 trace_id=23241 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-94b7eef1, original direction"
id=20085 trace_id=23241 func=vf_ip_route_input_common line=2596 msg="find a route: flag=00000000 gw-10.96.48.10 via MPLS"
id=20085 trace_id=23241 func=npu_handle_session44 line=1139 msg="Trying to offloading session from port29 to MPLS, skb.npu_flag=00000000 ses.state=04010000 ses.npu_state=0x00000c00"
id=20085 trace_id=23241 func=fw_forward_dirty_handler line=449 msg="state=04010000, state2=00000300, npu_state=00000c00"
id=20085 trace_id=23242 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 172.16.29.2:57548->10.96.11.11:49153) from port29. flag [R.], seq 2785919818, ack 1916478726, win 0"
id=20085 trace_id=23242 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-94b7eef1, original direction"
id=20085 trace_id=23242 func=vf_ip_route_input_common line=2596 msg="find a route: flag=00000000 gw-10.96.48.10 via MPLS"
id=20085 trace_id=23242 func=npu_handle_session44 line=1139 msg="Trying to offloading session from port29 to MPLS, skb.npu_flag=00000000 ses.state=04010000 ses.npu_state=0x00000c00"
id=20085 trace_id=23242 func=fw_forward_dirty_handler line=449 msg="state=04010000, state2=00000300, npu_state=00000c00"
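The session output and the debug flow lines above can be read together: the master session on port 135 carries helper=dcerpc and policy_id=111215, and the debug flow shows packets to port 49153 being matched to that existing session without a policy lookup. The following script is an added example, not code from Fortinet or from this article, that parses both outputs (the sample input is the article's own lines, embedded as constructed strings) and reports which packets were accepted through an expect session and which policy_id they inherited. The field names and regular expressions are assumptions based on the log format shown on this page only.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the session entry from this article, trimmed to the
# lines the parser needs (helper, original-direction tuple, policy_id, offload reason).
SESSION_OUTPUT = """\
session info: proto=6 proto_state=01 duration=128 expire=3471 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=dcerpc vlan_cos=0/255
hook=pre dir=org act=noop 172.16.29.2:57417->10.96.11.11:135(0.0.0.0:0)
hook=post dir=reply act=noop 10.96.11.11:135->172.16.29.2:57417(0.0.0.0:0)
misc=0 policy_id=111215 auth_info=0 chk_client_info=0 vd=0
no_ofld_reason: helper
"""

# Constructed sample input: the debug flow lines from this article (three trace_ids).
DEBUG_FLOW = """\
id=20085 trace_id=23240 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 172.16.29.2:57547->10.96.11.11:135) from port29. flag [R.], seq 3618945556, ack 2876867627, win 0"
id=20085 trace_id=23240 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-94b7eef1, original direction"
id=20085 trace_id=23240 func=__ip_session_run_tuple line=3337 msg="run helper-dcerpc(dir=original)"
id=20085 trace_id=23241 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 172.16.29.2:57549->10.96.11.11:49153) from port29. flag [R.], seq 4191289627, ack 3468054008, win 0"
id=20085 trace_id=23241 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-94b7eef1, original direction"
id=20085 trace_id=23242 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 172.16.29.2:57548->10.96.11.11:49153) from port29. flag [R.], seq 2785919818, ack 1916478726, win 0"
id=20085 trace_id=23242 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-94b7eef1, original direction"
"""

PKT_RE = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)")
SESS_RE = re.compile(r"Find an existing session, id-([0-9a-f]+)")
HELPER_RE = re.compile(r"run helper-(\w+)\(")
TRACE_RE = re.compile(r"trace_id=(\d+)")
ORG_TUPLE_RE = re.compile(r"hook=pre dir=org act=\w+ ([\d.]+):(\d+)->([\d.]+):(\d+)")


@dataclass
class Trace:
    """One packet's journey through the debug flow, keyed by trace_id."""
    trace_id: int
    proto: int = 0
    src: str = ""
    sport: int = 0
    dst: str = ""
    dport: int = 0
    session_id: str = ""   # existing session the packet was matched to, if any
    helper: str = ""       # session helper that ran on this packet, if any


def parse_session(text):
    """Extract helper, policy_id, original-direction tuple and the offload
    reason from one 'session info' block."""
    info = {"helper": "", "policy_id": None, "no_ofld_reason": ""}
    for line in text.splitlines():
        m = re.search(r"\bhelper=(\w+)", line)
        if m:
            info["helper"] = m.group(1)
        m = re.search(r"\bpolicy_id=(\d+)", line)
        if m:
            info["policy_id"] = int(m.group(1))
        m = ORG_TUPLE_RE.search(line)
        if m:
            info["src"], info["sport"] = m.group(1), int(m.group(2))
            info["dst"], info["dport"] = m.group(3), int(m.group(4))
        if line.startswith("no_ofld_reason:"):
            info["no_ofld_reason"] = line.split(":", 1)[1].strip()
    return info


def parse_debug_flow(text):
    """Group debug flow lines by trace_id and record, per packet, the tuple,
    the existing session it matched and whether a helper ran."""
    traces = {}
    for line in text.splitlines():
        t = TRACE_RE.search(line)
        if not t:
            continue
        tr = traces.setdefault(int(t.group(1)), Trace(int(t.group(1))))
        m = PKT_RE.search(line)
        if m:
            tr.proto = int(m.group(1))
            tr.src, tr.sport = m.group(2), int(m.group(3))
            tr.dst, tr.dport = m.group(4), int(m.group(5))
        m = SESS_RE.search(line)
        if m:
            tr.session_id = m.group(1)
        m = HELPER_RE.search(line)
        if m:
            tr.helper = m.group(1)
    return [traces[k] for k in sorted(traces)]


def expect_session_hits(traces, master):
    """Packets accepted via an expect session: matched to an existing session,
    same destination host, but a destination port other than the master
    session's port, so the policy_id is inherited rather than evaluated."""
    hits = []
    for tr in traces:
        if tr.session_id and tr.dst == master["dst"] and tr.dport != master["dport"]:
            hits.append((tr.trace_id, tr.dport, master["policy_id"]))
    return hits


if __name__ == "__main__":
    master = parse_session(SESSION_OUTPUT)
    for tid, dport, pid in expect_session_hits(parse_debug_flow(DEBUG_FLOW), master):
        print(f"trace {tid}: port {dport} allowed via helper={master['helper']} "
              f"expect session, inherited policy_id={pid}")
```

Run against the embedded sample, the script reports trace 23241 and trace 23242 (port 49153) as traffic allowed by the dcerpc expect session with the inherited policy_id 111215. Pointing it at real output from the session list and debug flow commands is a quick way to confirm whether a port that is absent from the IPv4 policies is being admitted by a helper rather than by an explicit rule.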

To ensure that the firewall policy controls all traffic between the source and destination hosts, including the traffic matching the 'master session' and the 'expect session', delete the DCE-RPC session helper and configure the required service explicitly in the corresponding firewall policy.

This is not a workaround: expect sessions are designed not to be controlled by firewall policies.

 

Related document:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/936905/dce-rpc-session-helper-dcerpc