CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hello, last week we upgraded from CheckPoint NG R55 to CheckPoint NG-X R60 HFA03. Now we have problems with the Microsoft domain controller communication. If server A in our DMZ tries to connect to server B (domain controller), we often get this alert:

Number: 192944
Date: 19Jun2006
Time: 16:35:13
Product: SmartDefense
Interface: eth-s1p2c0
Origin: fw (192.168.1.1)
Type: Alert
Action: Reject
Protocol: tcp
Service: epmap-135 (135)
Source: serverA (192.168.10.10)
Destination: serverB (172.16.20.20)
Source Port: 4740
Attack Name: DCE-RPC Enforcement Violation
Attack Information: Source IP in port command is different than the Server IP

Is there anybody who gets this error message too? Is there anybody who knows how we can disable this check in SmartDefense?

moelljoe
Hi there,

This is a known problem in NGX (R60). You need to contact your CSSP and get hold of an update to the DCERPC.def file (it may also be included in HFA03).

According to Solution ID: #sk31245:

"In DCE-RPC communication, the End Point Mapper response may contain a redirection to other servers. Redirection can be used by a malicious server to attack hosts on the network. By default, the server response is dropped, and the following log message displays: 'DCE-RPC Enforcement Violation... Source IP in port command is different than the Server IP'"

Cheers
Greg
Replace dcerpc.def with the dcerpc_HFA.def that came with your HFA03. That's in your fw1\lib directory. First do a cpstop, replace the file, then cpstart. If this does not work, add a new service tcp-135 to the rule.
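Before relaxing the check or swapping the .def file, it helps to know which host pairs are actually hitting this rejection, so that any exception stays scoped to the trusted domain controllers. The following is an added example (not from this thread, Check Point, or the sk article) that parses SmartDefense alert records flattened into "Key: value" form, like the one quoted above, and lists the source/destination pairs rejected by the DCE-RPC End Point Mapper redirection check. The SAMPLE record is the one from the original post; the function names are my own.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Field names seen in the SmartDefense alert record quoted in the post above.
FIELDS = [
    "Number", "Date", "Time", "Product", "Interface", "Origin", "Type",
    "Action", "Protocol", "Service", "Source", "Destination", "Source Port",
    "Attack Name", "Attack Information",
]
# Longest names first so "Source Port:" is not split as "Source" + "Port:".
_KEY_RE = re.compile(
    r"(?:(?<=\s)|^)("
    + "|".join(re.escape(k) for k in sorted(FIELDS, key=len, reverse=True))
    + r"):\s"
)
_HOST_RE = re.compile(r"^(?P<name>\S+)\s*\((?P<ip>[\d.]+)\)$")
EPM_REDIRECT_TEXT = "Source IP in port command is different than the Server IP"

# Record from the original post, kept on one line as the forum flattened it.
SAMPLE = (
    "Number: 192944 Date: 19Jun2006 Time: 16:35:13 Product: SmartDefense "
    "Interface: eth-s1p2c0 Origin: fw (192.168.1.1) Type: Alert Action: Reject "
    "Protocol: tcp Service: epmap-135 (135) Source: serverA (192.168.10.10) "
    "Destination: serverB (172.16.20.20) Source Port: 4740 "
    "Attack Name: DCE-RPC Enforcement Violation "
    "Attack Information: " + EPM_REDIRECT_TEXT
)


def parse_record(text: str) -> Dict[str, str]:
    """Split a flattened 'Key: value Key: value ...' record into a dict."""
    keys = list(_KEY_RE.finditer(text))
    rec: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        rec[m.group(1)] = text[m.end():end].strip()
    return rec


def split_host(field: str) -> Tuple[str, Optional[str]]:
    """'serverA (192.168.10.10)' -> ('serverA', '192.168.10.10')."""
    m = _HOST_RE.match(field)
    return (m.group("name"), m.group("ip")) if m else (field, None)


def is_epm_redirect_reject(rec: Dict[str, str]) -> bool:
    """True for a rejected DCE-RPC End Point Mapper redirection alert."""
    return (rec.get("Action") == "Reject"
            and rec.get("Attack Name") == "DCE-RPC Enforcement Violation"
            and EPM_REDIRECT_TEXT in rec.get("Attack Information", ""))


def rejected_pairs(records: List[str]) -> Set[Tuple[str, str]]:
    """Source/destination IP pairs hit by the EPM redirection rejection."""
    pairs = set()
    for rec in map(parse_record, records):
        if is_epm_redirect_reject(rec):
            pairs.add((split_host(rec["Source"])[1], split_host(rec["Destination"])[1]))
    return pairs
```

Feeding the exported log records into rejected_pairs() shows whether only the expected DMZ-member-to-DC pairs are affected, which is what you want to confirm before adding the tcp-135 service or the updated .def file.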