Rule 995

[ashman74]

Hi All,

Can someone tell me what rule 995 is ? I came across this alert when attempting to apply a policy to allow a one way trust across two domains. It suggested that it was an implied rule and flagged up the out of state packet error.

Thanks.

[chillyjim]

It's DCE-RPC drops. See sk30893 for the "fix"

[ashman74]

Thanks Jim. Unfortunately I cannot get access to it. Is anyone generous enough to divulge in this information. I'd be very grateful.

[Huisje]

I find myself in a similar position. Since yesterday I have traffic between 2 domain controllers being dropped by rule 995.

On SK we find:

Active Directory Replication traffic fails through Security Gateway, with drops on rule 995
Symptoms:
·Connection drops on rule 995 for DCE-RPC traffic in SmartView Tracker
·Rule 997 drops in SmartView Tracker
·ID: sk30893 ·Product: VPN-1 Pro (VPN-1/FW-1) ·Version: NG AI ·Type: Issues ·Access: Advanced

But I only have an Enterprise Software Subscription at CP, apparently you need a specific support contract too?

Is anybody able to tell us what's being explained in sk30893 or should I not be asking that?

kind regards,

Kevin

[Huisje]

I found the following post elsewhere:

"
I had the same problem and called support. Below is what they gave me
and it worked.

1) On the SmartCenter Server, stop the firewall services by typing at
prompt: cpstop
2) Back up the $FWDIR/lib/dcerpc.def file.
3) Edit the dcerpc.def file.

Original
#define NO_ENFORCE_CNTX_NUM 0


Modified
#define NO_ENFORCE_CNTX_NUM 1


4) Save changes and close the dcerpc.def file.
5) Start the firewall services by typing at prompt: cpstart
6) Log into SmartDashboard, and install the Security Policy.
"

This helped a few people resolve this issue.

I'm more interested in understanding what is causing it than a fix though.

kind regards,

Kevin

[Lackie]

Quote:

Originally Posted by Huisje

I'm more interested in understanding what is causing it than a fix though.

Stateful Inspection checks executed as defined in the $FWDIR/lib/dcerpc.def file. Or packets that contain DCERPC data (continuation packets that do not start a new datagram) may begin with a sequence that is too similar to the beginning of a DCERPC Alter Context packet, and be considered invalid.

To resolve Active Directory Replication traffic failure and eliminate packets that contain DCERPC data from being considerd "Alter Context", modify the dcerpc.def file on the SmartCenter Server.

[maurox]

I tried this solution in R55 and worked...changing the same parameters on NGX R61 or R60it noting works...
Does anyone tried this solution with these releases ?
Maurox

[Tim.dyke@worksafebc.com]

We are having the 995 drop issue, however it is from the SecureClient while they are NOT CONNECTED "ie, connected locally to the LAN through the ethernet interface)

When they connunicate to a Windows Server 2003 SP1, the server tries to make a connection to the client and is dropped on 995.
The client does not have a dcerpc.def file so we cannot apply thie fix.

Has anyone experienced this

Thanks

[obelix]

Quote:

Originally Posted by Tim.dyke@worksafebc.com

We are having the 995 drop issue, however it is from the SecureClient while they are NOT CONNECTED "ie, connected locally to the LAN through the ethernet interface)

We are seeing this with SecureClient (NGX R60 Build 191) when LAN connected, though we are seeing a Reject, as opposed to a drop, on Rule 995 for epmap/135. This occurs immediately after an Accept from the same sourceAddr/port combination!

Thoughts anyone?

[msabena]

We are having the exact same problem with the secureclient.
Our support asked us to uncheck everything under RPC on the smartdefense but it did'nt help.
Has anyone been able to work it out.
Thanks.

[Tetaworx]

Quote:

Originally Posted by obelix

We are seeing this with SecureClient (NGX R60 Build 191) when LAN connected, though we are seeing a Reject, as opposed to a drop, on Rule 995 for epmap/135. This occurs immediately after an Accept from the same sourceAddr/port combination!

Thoughts anyone?

We, too, have the exactly same issue. (SC, NGX R60 HFA1 Version: 019) Our support-team, too, is currently investigating this issue.

Obviously disabling any options ralated to DCE in SmarDefense does not help, because these options are only applied to the central gateway, but not to the SecureClient, aren't they?

The issue seems to be quite critical, because our Windows AD group policies are not able to getting deployed this way!

Isn't there any possibility to centrally disable certain SD-features for the SC?

***

Has anyone yet tried the solution from MS AD replication across firewall ? Creating a service matching port 135 and allowing this service explicitly ? I'll try out tomorrow...

[RayPesek]

There's a new SK article that says to call Check Point support. They can provide a hotfix to fix this in SecureClient NGX R60 HFA1, the latest publicly posted version.

Ray

[RayPesek]

"sk31818 - DCE-RPC connections to or from Windows 2003 Server SP1 dropped by SecuRemote/SecureClient due to rule 995"

It happens whether SC is connected or not.

Ray

[Tetaworx]

That's interesting.

Can someone quote the sk31818 here? Advanced Access is needed :-/

[Tetaworx]

The workaround did not work for me.

We're waiting for the hotfix from our supportpartner.

Has anyone been able to resolve this issue, yet?

[Jason777]

It didn't work for me either.

Jason.