Fortinet Forum
hklb
Contributor II

specify UUID in service for RPC service

Hi,

 

I will migrate a Juniper to a FortiGate, but my customer uses some of the default MS-XXX services on his Juniper (the definitions of these services are here: http://kb.juniper.net/InfoCenter/index?page=content&id=KB12057 ).

Is it possible to define the UUID on a service on a FortiGate? I haven't found this information at the moment..

 

Thanks!

 

Lucas

1 Solution
Christopher_McMullan

You can't specify a UUID as a policy-level service, but you can filter for it as an application signature. I worked on just such a case around a year ago.

 

Add the MS.RPC.UUID signature within an Application Control sensor.

 

In OS 5.0, you could enter the UUIDs in the GUI after adding the MS.RPC.UUID signature to a sensor. It looks as if, in 5.2, you need to do it through the CLI. I think from memory there was a scroll limit or UUID limit in the GUI anyway, so best still to use the CLI, whatever version you're running.

 

Here's an example of what the sensor would look like:

config application list
    edit "RPC_TEST"
        set other-application-action block
        set unknown-application-action block
        config entries
            edit 1
                set action pass
                set application 152305667
                config parameters
                    edit 1
                        set value "833E4200-AFF7-4AC3-AAC2-9F24C1457BCE"
                    next
                end
            next
            edit 2
                set action pass
                set application 152305667
                config parameters
                    edit 1
                        set value "833E4100-AFF7-4AC3-AAC2-9F24C1457BCE"
                    next
                end
            next
            edit 3
                set action pass
                set application 152305667
                config parameters
                    edit 1
                        set value "833E41AA-AFF7-4AC3-AAC2-9F24C1457BCE"
                    next
                end
            next
            edit 4
                set action pass
                set application 152305667
                config parameters
                    edit 1
                        set value "F120A684-B926-447F-9DF4-C966CB785648"
                    next
                end
            next
        end
    next
end

 

So, after defining the application ID, the 'config parameters' option becomes available to you as another sub-area. You would create an ID for each entry, and enclose the UUID that you are looking for within quotes.

 

If you don't know ahead of time which UUIDs are being used, but you still want to specify them, capture the relevant traffic in Wireshark. You're looking for the Abstract Syntax field within the RPC PDU. If you filter the output for 'dcerpc.cn_bind_to_uuid', you will get a list of the UUIDs to add to the signature in the sensor.

 

That was a fun case to work on! It *is* possible, but obviously, the signatures have to remain static, and finding them (and/or changing them after defining the initial values) can be a pain.

Regards, Chris McMullan Fortinet Ottawa
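As an added example (not part of Chris's post or of any Fortinet tool), the Python below parses the DCE/RPC bind PDU that Wireshark's dcerpc.cn_bind_to_uuid filter matches, extracts the interface UUIDs a client asks for, and reports which of them the sensor's pass entries do not cover. The bind-PDU builder, the sample bind to netlogon and the two-entry sensor list are constructed for the demonstration; the NDR transfer-syntax UUID is the standard one.

```python
import struct
import uuid

NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # well-known NDR transfer syntax
PTYPE_BIND = 11


def build_bind(ifaces, call_id=1):
    """Construct a minimal little-endian DCE/RPC bind PDU for each (uuid, major, minor)."""
    items = b""
    for i, (iface, major, minor) in enumerate(ifaces):
        items += struct.pack("<HBB", i, 1, 0)  # context id, one transfer syntax, reserved
        items += uuid.UUID(iface).bytes_le + struct.pack("<HH", major, minor)
        items += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIBxxx", 4280, 4280, 0, len(ifaces)) + items  # frag sizes, assoc group, n_ctx
    drep = b"\x10\x00\x00\x00"  # byte 0 high nibble 1 = little-endian integers
    return struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, drep, 16 + len(body), 0, call_id) + body

def parse_bind_uuids(pdu):
    """Interface (abstract syntax) UUIDs requested by a bind PDU: the values Wireshark
    shows as dcerpc.cn_bind_to_uuid and that the sensor's parameters are matched against."""
    if len(pdu) < 28:
        raise ValueError("PDU too short for a bind header")
    if pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    little = (pdu[4] & 0xF0) == 0x10
    e = "<" if little else ">"
    if struct.unpack_from(e + "H", pdu, 8)[0] > len(pdu):  # frag_length vs captured bytes
        raise ValueError("fragment longer than captured data")
    n_ctx, off, found = pdu[24], 28, []
    for _ in range(n_ctx):
        _ctx_id, n_syn = struct.unpack_from(e + "HB", pdu, off)
        raw = pdu[off + 4:off + 20]
        if len(raw) < 16:
            raise ValueError("truncated context item")
        found.append(str(uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)))
        off += 24 + 20 * n_syn  # item header (4) + abstract syntax (20) + transfer syntaxes
    return found

def unlisted(pdu, sensor_uuids):
    """UUIDs the bind asks for that the sensor's pass entries do not cover."""
    allowed = {u.lower() for u in sensor_uuids}
    return [u for u in parse_bind_uuids(pdu) if u not in allowed]


# Constructed sample: a client binding to netlogon (UUID quoted in the thread) and to one
# UUID from the sensor above; the sensor list below is two of Chris's four entries.
SAMPLE = build_bind([("12345678-1234-abcd-ef00-01234567cffb", 1, 0),
                     ("833E4200-AFF7-4AC3-AAC2-9F24C1457BCE", 1, 0)])
SENSOR_UUIDS = ["833E4200-AFF7-4AC3-AAC2-9F24C1457BCE", "833E4100-AFF7-4AC3-AAC2-9F24C1457BCE"]
```

Running unlisted(SAMPLE, SENSOR_UUIDS) returns the netlogon UUID, which is the entry you would still have to add to the sensor before that bind would pass.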


emnoc
Esteemed Contributor III

I never heard of a means to set a UUID per service, but per firewall policy, manually or automatically.

PCNSE 

NSE 

StrongSwan  

hklb
Contributor II

Hi,

 

The UUID specified in firewall rules is used by FortiManager or FortiAnalyzer ( http://docs-legacy.fortinet.com/fmgr/50hlp/FMG_507_Online_Help/200_What's-New.03.07.html )

The UUID of an MS RPC service identifies the RPC service (for example, RPC netlogon has the UUID 12345678-1234-abcd-ef00-01234567cffb). Like this, we are able to restrict access to a specific RPC service. RPC services use dynamic ports, so if we need to allow a user to do a netlogon on a DC, we are forced to open all ports.. So it's not a good thing.

 

More information about RPC:

http://techjambu.blogspot.co.uk/2012/03/rpc-over-firewall.html

https://technet.microsoft.com/en-us/library/cc738291(v=ws.10).aspx

https://books.google.co.uk/books?id=6ncmPL8VyX8C&pg=PA213&lpg=PA213&dq=rpc+uuid+microsoft&source=bl&...

 

 

Lucas

 


anuragverma

How will this sensor be used for traffic?

Will this be applied in a firewall policy in the application control security profile, and that's it?

hklb
Contributor II

Hi,

 

Thanks for your reply. This is exactly what I need.

My customer has a standard support license without UTM.. Will the custom signature work without an app control license?

 

Thanks !

 

Lucas

Christopher_McMullan

Lucas,

 

It depends on whether the signature was present in the Application Control database that came with the firmware by default. If the DB is an empty container, or only came afterwards, then it's a no-go.

 

Otherwise, as long as it's there initially, it should always work.

Regards, Chris McMullan Fortinet Ottawa