Hi,
I will migrate a juniper to a fortigate, but my customer use some of default service MS-XXX on his juniper (the definition of these services are here : http://kb.juniper.net/InfoCenter/index?page=content&id=KB12057
Is that possible to define the UUID on service on fortigate ? I didn't found this informations at the moment..
Thanks!
Lucas
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You can't specify a UUID as a policy-level service, but you can filter for it as an application signature. I worked on just such a case around a year ago.
Add the MS.RPC.UUID signature within an Application Control sensor.
In OS 5.0, you could enter the UUIDs in the GUI after adding the MS.RPC.UUID signature to a sensor. It looks as if, in 5.2, you need to do it through the CLI. I think from memory there was a scroll limit or UUID limit in the GUI anyway, so best still to use the CLI, whatever version you're running.
Here's an example of what the sensor would look like:
config application list edit "RPC_TEST" set other-application-action block set unknown-application-action block config entries edit 1 set action pass set application 152305667 config parameters edit 1 set value "833E4200-AFF7-4AC3-AAC2-9F24C1457BCE" next end next edit 2 set action pass set application 152305667 config parameters edit 1 set value "833E4100-AFF7-4AC3-AAC2-9F24C1457BCE" next end next edit 3 set action pass set application 152305667 config parameters edit 1 set value "833E41AA-AFF7-4AC3-AAC2-9F24C1457BCE" next end next edit 4 set action pass set application 152305667 config parameters edit 1 set value "F120A684-B926-447F-9DF4-C966CB785648" next end next end next end end
So, after defining the application ID, the 'config parameters' option becomes available to you as another sub-area. You would create an ID for each entry, and enclose the UUID that you are looking for within quotes.
If you don't know ahead of time which UUIDs are being used, but you still want to specify them, capture the relevant traffic in Wireshark. You're looking for the Abstract Syntax field within the RPC PDU. If you filter the output for 'dcerpc.cn_bind_to_uuid', you will get a list of the UUIDs to add to the signature in the sensor.
That was a fun case to work on! It *is* possible, but obviously, the signatures have to remain static, and finding them (and/or changing them after defining the initial values) can be a pain.
Regards, Chris McMullan Fortinet Ottawa
I never heard of the means to set uuid per service , but per fwpolicies manual or automatically
PCNSE
NSE
StrongSwan
Hi,
The uuid specified in firewall rules is used by fortimanager or fortianalyzer ( http://docs-legacy.fortinet.com/fmgr/50hlp/FMG_507_Online_Help/200_What's-New.03.07.html )
The UUID for MS RPC service is to identify the RPC service (like RPC netlogon has the uuid 12345678-1234-abcd-ef00-01234567cffb). like this, we are able to restrict the access to specifc RPC service. The RCP service use dynamic port, so if we need to allow user to do a netlogon on DC, we are forced to open all port.. So it's not a good thing.
More information about RPC :
http://techjambu.blogspot.co.uk/2012/03/rpc-over-firewall.html
https://technet.microsoft.com/en-us/library/cc738291(v=ws.10).aspx
Lucas
You can't specify a UUID as a policy-level service, but you can filter for it as an application signature. I worked on just such a case around a year ago.
Add the MS.RPC.UUID signature within an Application Control sensor.
In OS 5.0, you could enter the UUIDs in the GUI after adding the MS.RPC.UUID signature to a sensor. It looks as if, in 5.2, you need to do it through the CLI. I think from memory there was a scroll limit or UUID limit in the GUI anyway, so best still to use the CLI, whatever version you're running.
Here's an example of what the sensor would look like:
config application list edit "RPC_TEST" set other-application-action block set unknown-application-action block config entries edit 1 set action pass set application 152305667 config parameters edit 1 set value "833E4200-AFF7-4AC3-AAC2-9F24C1457BCE" next end next edit 2 set action pass set application 152305667 config parameters edit 1 set value "833E4100-AFF7-4AC3-AAC2-9F24C1457BCE" next end next edit 3 set action pass set application 152305667 config parameters edit 1 set value "833E41AA-AFF7-4AC3-AAC2-9F24C1457BCE" next end next edit 4 set action pass set application 152305667 config parameters edit 1 set value "F120A684-B926-447F-9DF4-C966CB785648" next end next end next end end
So, after defining the application ID, the 'config parameters' option becomes available to you as another sub-area. You would create an ID for each entry, and enclose the UUID that you are looking for within quotes.
If you don't know ahead of time which UUIDs are being used, but you still want to specify them, capture the relevant traffic in Wireshark. You're looking for the Abstract Syntax field within the RPC PDU. If you filter the output for 'dcerpc.cn_bind_to_uuid', you will get a list of the UUIDs to add to the signature in the sensor.
That was a fun case to work on! It *is* possible, but obviously, the signatures have to remain static, and finding them (and/or changing them after defining the initial values) can be a pain.
Regards, Chris McMullan Fortinet Ottawa
how this sensor will be in use for traffic?
Will this be applied in firewall policy in application control security profile and that's it?
Hi,
Thanks for your reply. This is exactly what I need
My customer has a standard support license without UTM.. Is the custom signature will work without app control license ?
Thanks !
Lucas
Lucas,
It depends if the signature was present in the Application Control database that came with the firmware by default. If the DB is an empty container, or only came afterwards, then it's a no-go.
Otherwise, as long as it's there initially, it should always work.
Regards, Chris McMullan Fortinet Ottawa
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1095 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.