This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
StackCap43382
Collaborator
Collaborator
‎2023-05-19 08:38 AM

Block RPC DRSUAPI on Check Point

Has anyone investigated and successfully blocked DRSUAPI on a Check Point?

It perhaps possible by blocking the UUID “e3514235-4b06-11d1-ab04-00c04fc2dcd2” as per "sk112168: How to allow or block a specific DCE-RPC UUID"
https://support.checkpoint.com/results/sk/sk112168

Does anyone know if there is any other method of if UUID is it, if so are there any performance impacts?

 

CCSME, CCTE, CCME, CCVS
0 Kudos
2 Replies
the_rock
Legend
Legend
‎2023-05-19 10:43 AM

Never really looked much into it, but interesting subject. I see in R81.20 smart console, there are bunch of built in DCE-RPC services, but if you try to create new one, you absolutelyhave to enter UUID. 

I will play around with it more and see how far I get.

Andy

 

Screenshot_1.png

0 Kudos
PhoneBoy
Admin
Admin
‎2023-05-19 02:43 PM

This is the method for blocking a specific DCE-RPC service.
Inspecting DCE-RPC traffic in this manner is not accelerated per: https://support.checkpoint.com/results/sk/sk32578
Proper placement of the rule will be critical to minimize the impact since all rules below this one will not create SecureXL templates.
In this case, it should be near the bottom of the relevant policy layer.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top