This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maik
Advisor
‎2018-07-30 07:38 AM

Firewall drops portmapper traffic (udp111)

Hello guys,

Last week I opened a thread in order to verify that my assumption regarding RPC traffic and the related firewall configuration is/was correct. Now I tried to implement the related rule(s) and saw, that the portmapper traffic is getting dropped via the cleanup rule. I am trying to achieve a NFS communication between a client and an AIX (Oracle/Sun) machine. The related document that explains the general procedure and required rules does not help me in this case.

The Security Gateway runs Gaia R76.50, the management server runs R80.10.

I tried the following things:

1.

Client ==> Server  ~ via Service "nfsprog" (predefined with program number 100003)

2.

Client ==> Server  ~ via Service "nfsprog"

Server ==> Client ~ via Service "nfsprog"

3.

Client ==> Server  ~ via Service ALL_DCE_RPC (predefined with the interface UUID of "any"... 00000000-000 etc.)

Server ==> Client ~ via Service ALL_DCE_RPC

In each case the only thing I can see are drops for UDP 111. Related to several documentations you should not allow the port mapper port on its own (not specifiy UDP 111 in the related rules within the service column). Only without manually specifying the port the Security Gateway is able to dynamically allow the port mapper traffic related to the specified RPC services - that's why I did not specify it within the services for the related rules.

Now my question is - why do I see drops for the port mapper port?

Do I need to tell the firewall which port mapper port is being used - how can I do that?

Are there any SKs or other documentations that I am missing?

Thank you very much in advance for any advice regarding this issue.

3 Replies
PhoneBoy
Admin
Admin
‎2018-07-30 07:00 PM

Pretty sure your rule must include the relevant portmapper service (either MS-RPC or Unix-RPC) in addition to the relevant RPC service.

This is needed to allow the firewall to “see” the portmapper traffic to act on it.

Carsten_R
Contributor
‎2019-02-26 07:36 AM
In response to PhoneBoy

I have a similar issue with an R80.10 gateway running with take 121.

The rule allows the pre-definied NFS service group and tcp_111 (the server 10.214.1.100 uses NFSv2 with tcp).

Packet 6 tells the high port, but that will be dropped

You'l  see on the 6th packet, that the high port 40177 should be used for further communication, but the firewall will drop that port.

Have you any idea?

I'm not sure if a newer Jumbo will fix that (there is a fix for DCE-RPC, (PMTR-14596, PMTR-10574).

0 Kudos
PhoneBoy
Admin
Admin
‎2019-02-26 07:55 AM
In response to Carsten_R

Probably best to check with the TAC.

How To Open a Case with TAC and/or Account Services

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events