#4
Old 2005-11-14
czech12
Member
 
Join Date: 2005-10-25
Location: North Brunswick, NJ
Posts: 38
Re: MS AD replication across firewall

I've actually seen a problem very similar to this before. I believe it was in Check Point NG w/ AI, R54: Check Point took away the "epmap" service from the TCP Services menu and broke it out into a different service grouping called "DCE-RPC". epmap is a very broad service that uses a different identifier over port 135, called the SSID or Interface UUID.

In the problem I experienced, we could not get the traffic to work using the DCE-RPC object, and Check Point's resolution to us was to create an object for TCP 135 and leave the "Match for Any" option unchecked in the "Advanced" section of the service properties. Then you must create a rule that explicitly allows the TCP 135 traffic. So, that means if you have a rule that allows Any service, you still need to add another rule that allows TCP 135 by itself.

Give that a try and let me know how it works out.
__________________
====================
Aaron Vivo
CCSE Plus, CCMSE, NSA
====================