specify UUID in service for RPC service
Hi,
I will migrate a Juniper to a FortiGate, but my customer uses some of the default MS-XXX services on his Juniper (the definitions of these services are here: http://kb.juniper.net/InfoCenter/index?page=content&id=KB12057 ).
Is it possible to define the UUID on a service on FortiGate? I didn't find this information at the moment..
Thanks!
Lucas
You can't specify a UUID as a policy-level service, but you can filter for it as an application signature. I worked on just such a case around a year ago.
Add the MS.RPC.UUID signature within an Application Control sensor.
In OS 5.0, you could enter the UUIDs in the GUI after adding the MS.RPC.UUID signature to a sensor. It looks as if, in 5.2, you need to do it through the CLI. I think from memory there was a scroll limit or UUID limit in the GUI anyway, so best still to use the CLI, whatever version you're running.
Here's an example of what the sensor would look like:
    config application list
        edit "RPC_TEST"
            set other-application-action block
            set unknown-application-action block
            config entries
                edit 1
                    set action pass
                    set application 152305667
                    config parameters
                        edit 1
                            set value "833E4200-AFF7-4AC3-AAC2-9F24C1457BCE"
                        next
                    end
                next
                edit 2
                    set action pass
                    set application 152305667
                    config parameters
                        edit 1
                            set value "833E4100-AFF7-4AC3-AAC2-9F24C1457BCE"
                        next
                    end
                next
                edit 3
                    set action pass
                    set application 152305667
                    config parameters
                        edit 1
                            set value "833E41AA-AFF7-4AC3-AAC2-9F24C1457BCE"
                        next
                    end
                next
                edit 4
                    set action pass
                    set application 152305667
                    config parameters
                        edit 1
                            set value "F120A684-B926-447F-9DF4-C966CB785648"
                        next
                    end
                next
            end
        next
    end
So, after defining the application ID, the 'config parameters' option becomes available to you as another sub-area. You would create an ID for each entry, and enclose the UUID that you are looking for within quotes.
If you don't know ahead of time which UUIDs are being used, but you still want to specify them, capture the relevant traffic in Wireshark. You're looking for the Abstract Syntax field within the RPC PDU. If you filter the output for 'dcerpc.cn_bind_to_uuid', you will get a list of the UUIDs to add to the signature in the sensor.
That was a fun case to work on! It *is* possible, but obviously, the signatures have to remain static, and finding them (and/or changing them after defining the initial values) can be a pain.
Regards, Chris McMullan Fortinet Ottawa
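The two steps in the answer above (pulling the interface UUIDs out of the bind PDUs Wireshark shows as dcerpc.cn_bind_to_uuid, then turning that list into the MS.RPC.UUID sensor) as an added example; this is not code from the thread or from Fortinet. It assumes the connection-oriented DCE/RPC bind layout (16-byte common header, bind fields, then the presentation context list) and reuses the application ID 152305667 from the sensor above; the bind PDU fed to it is constructed in the script, not captured.

```python
import struct
import uuid

BIND_PTYPE = 11                 # DCE/RPC connection-oriented "bind" PDU type
MS_RPC_UUID_APP_ID = 152305667  # application ID the thread's sensor uses for MS.RPC.UUID

def bind_interface_uuids(pdu: bytes) -> list:
    """Return the abstract-syntax (interface) UUIDs requested in a bind PDU,
    i.e. the values Wireshark shows as dcerpc.cn_bind_to_uuid."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != BIND_PTYPE:
        return []                                   # not an RPC v5 bind, or too short
    little = bool(pdu[4] & 0x10)                    # packed_drep byte-order flag
    endian = "<" if little else ">"
    frag_len = struct.unpack(endian + "H", pdu[8:10])[0]
    if frag_len > len(pdu):
        return []                                   # truncated fragment: refuse to guess
    n_ctx, off, found = pdu[24], 28, []             # context list starts at offset 28
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            break                                   # malformed: fewer contexts than claimed
        n_ts = pdu[off + 2]                         # transfer syntaxes after this context
        raw = pdu[off + 4:off + 20]                 # abstract syntax UUID; version follows
        u = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        found.append(str(u).upper())
        off += 24 + 20 * n_ts
    return found

def sensor_config(name: str, uuids: list) -> str:
    """Emit the FortiOS application sensor from the thread, one entry per UUID."""
    lines = ["config application list", f'    edit "{name}"',
             "        set other-application-action block",
             "        set unknown-application-action block", "        config entries"]
    for i, u in enumerate(uuids, 1):
        lines += [f"            edit {i}", "                set action pass",
                  f"                set application {MS_RPC_UUID_APP_ID}",
                  "                config parameters", "                    edit 1",
                  f'                        set value "{u}"', "                    next",
                  "                end", "            next"]
    return "\n".join(lines + ["        end", "    next", "end"])

def build_bind(interfaces: list) -> bytes:
    """Constructed test input, not a capture: minimal little-endian bind PDU with NDR syntax."""
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860").bytes_le + struct.pack("<I", 2)
    ctx = b"".join(struct.pack("<HBB", i, 1, 0) + uuid.UUID(x).bytes_le + struct.pack("<I", 1) + ndr
                   for i, x in enumerate(interfaces))
    ctx = struct.pack("<BBH", len(interfaces), 0, 0) + ctx
    hdr = struct.pack("<BBBBIHHI", 5, 0, BIND_PTYPE, 3, 0x10, 24 + len(ctx), 0, 1)
    return hdr + struct.pack("<HHI", 4280, 4280, 0) + ctx
```

Running `print(sensor_config("RPC_TEST", bind_interface_uuids(build_bind(["12345678-1234-abcd-ef00-01234567cffb"]))))` prints a one-entry sensor for the netlogon interface mentioned later in the thread; on real traffic, feed the function each bind PDU payload from the capture.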
I never heard of a means to set a UUID per service, only per FW policy, manually or automatically.
PCNSE
NSE
StrongSwan
Hi,
The uuid specified in firewall rules is used by fortimanager or fortianalyzer ( http://docs-legacy.fortinet.com/fmgr/50hlp/FMG_507_Online_Help/200_What's-New.03.07.html )
The UUID for an MS RPC service identifies the RPC service (for example, RPC netlogon has the UUID 12345678-1234-abcd-ef00-01234567cffb). Like this, we are able to restrict access to a specific RPC service. The RPC service uses dynamic ports, so if we need to allow a user to do a netlogon on a DC, we are forced to open all ports.. So it's not a good thing.
More information about RPC :
http://techjambu.blogspot.co.uk/2012/03/rpc-over-firewall.html
https://technet.microsoft.com/en-us/library/cc738291(v=ws.10).aspx
Lucas
How will this sensor be used for traffic?
Will it be applied in a firewall policy as an application control security profile, and that's it?
Hi,
Thanks for your reply. This is exactly what I need.
My customer has a standard support license without UTM.. Will the custom signature work without an app control license?
Thanks !
Lucas
Lucas,
It depends if the signature was present in the Application Control database that came with the firmware by default. If the DB is an empty container, or only came afterwards, then it's a no-go.
Otherwise, as long as it's there initially, it should always work.
Regards, Chris McMullan Fortinet Ottawa