SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  AppID and MSRPC with "Denied by junos-dynapp"

    Posted 12-09-2024 09:13

    Hi all. 

    I've really tried to figure this one out myself, but I can't... so I turn to the gurus in the Elevate community :-)

    I have a firewall where I have a global rule that matches "dynamic-application junos:MSRPC" and "application any". This rule should permit MSRPC traffic between several zones.

    match {
        source-address GRP.ALLCLIENTS;
        destination-address GRP.DC-ALL;
        application any;
        source-identity any;
        dynamic-application [ junos:DNS junos:NTP junos:LDAP junos:SSL junos:LDAPS junos:KRB5 junos:SMB junos:MSRPC junos:NETBIOS junos:CLDAP ];
        from-zone [ CLIENTS1 CLIENTS2 ];
        to-zone [ SERVERS1 SERVERS2 ];
    }
    then {
        permit;
        log {
            session-init;
            session-close;
        }
    }

    And at the bottom of the global policy set I have a rule that does a final deny with logging. This has source-/destination-address any, application any and dynamic-application any. 

    match {
        source-address any;
        destination-address any;
        application any;
        dynamic-application any;
        from-zone any;
        to-zone any;
    }
    then {
        deny;
        log {
            session-close;
        }
    }

    The thing is that MSRPC seems to be closed with the message "Denied by junos-dynapp". I've checked that the source- and destination-address match the ones accepted in the policy. 

    "eventname":"RT_FLOW_SESSION_CLOSE" "message":"[junos@2636.1.1.1.2.583 reason=\"Denied by junos-dynapp\" source-address=\"10.40.30.34\" source-port=\"12127\" destination-address=\"10.40.25.15\" destination-port=\"135\" connection-tag=\"0\" service-name=\"junos-ms-rpc-tcp\" nat-source-address=\"10.40.30.34\" nat-source-port=\"12127\" nat-destination-address=\"10.40.25.15\" nat-destination-port=\"135\" nat-connection-tag=\"0\" src-nat-rule-type=\"N\/A\" src-nat-rule-name=\"N\/A\" dst-nat-rule-type=\"N\/A\" dst-nat-rule-name=\"N\/A\" protocol-id=\"6\" policy-name=\"FINAL-DENY-WITH-LOGGING(global)\" source-zone-name=\"CLIENTS1\" destination-zone-name=\"SERVERS1\" session-id=\"8591892346\" packets-from-client=\"3\" bytes-from-client=\"292\" packets-from-server=\"1\" bytes-from-server=\"52\" elapsed-time=\"1\" application=\"MSRPC\" nested-application=\"EPM\"

    I guess that this session gets closed when the application gets identified. Is this because it is identified with nested-application EPM and that this nested-application is not opened for? I thought that since we've opened for MSRPC, then EPM would be accepted as a nested-application because junos:EPM is "a part of" junos:MSRPC? 

    If I take a look at the details for "junos:EPM" I see that EPM has MSRPC listed as "Layer-7 Immediate Protocol(s)" and junos:MSRPC as "Underlying consolidated Protocols/ports application is dependent on:":

    show services application-identification application detail junos:EPM
    Application Name: junos:EPM
    Application type: EPM
    ...
    Underlying consolidated Protocols/ports application is dependent on:
    Protocols:
    ...
    Protocol: junos:MSRPC / 742
    ...
    Layer-7 Immediate Protocol(s):
    Protocol: SOAP / 191
    Protocol: MSRPC / 742
    Protocol: DCERPC / 26
    ...

    Can someone explain what "Layer-7 Immediate Protocol(s)" and "Underlying consolidated Protocols/ports application is dependent on:" mean? Or point me to some documentation?

    I've read these two: 
    CEC Juniper Community
    CEC Juniper Community

    ------------------------------
    Best regards
    Vidar Stokke
    ------------------------------
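As an added example (not code from the post or from Juniper), the check below parses a "Denied by junos-dynapp" RT_FLOW_SESSION_CLOSE record like the one above and lists which of the identified AppID names (application and nested-application) are absent from the permit rule's dynamic-application list. It assumes the log's application names map to policy names by prefixing "junos:", and that "UNKNOWN"/"NONE" are the placeholder values to ignore; both are assumptions, and the log excerpt is constructed from the post.

```python
import re

# Constructed sample, abridged from the RT_FLOW_SESSION_CLOSE record in the post,
# kept in the JSON-escaped form in which a log collector receives it.
SAMPLE_LOG = (
    r'"eventname":"RT_FLOW_SESSION_CLOSE" "message":"[junos@2636.1.1.1.2.583 '
    r'reason=\"Denied by junos-dynapp\" source-address=\"10.40.30.34\" '
    r'source-port=\"12127\" destination-address=\"10.40.25.15\" '
    r'destination-port=\"135\" service-name=\"junos-ms-rpc-tcp\" '
    r'src-nat-rule-type=\"N\/A\" protocol-id=\"6\" '
    r'policy-name=\"FINAL-DENY-WITH-LOGGING(global)\" '
    r'source-zone-name=\"CLIENTS1\" destination-zone-name=\"SERVERS1\" '
    r'application=\"MSRPC\" nested-application=\"EPM\"]"'
)

# dynamic-application list of the permit rule quoted in the post
PERMIT_DYNAPPS = {
    "junos:DNS", "junos:NTP", "junos:LDAP", "junos:SSL", "junos:LDAPS",
    "junos:KRB5", "junos:SMB", "junos:MSRPC", "junos:NETBIOS", "junos:CLDAP",
}

KV_RE = re.compile(r'([A-Za-z0-9-]+)="([^"]*)"')


def parse_session_close(record: str) -> dict:
    """Return the key/value fields of the bracketed structured-data part of the record."""
    # Undo the JSON string escaping (\" and \/) so fields can be matched as key="value".
    text = record.replace('\\"', '"').replace('\\/', '/')
    start, end = text.find("["), text.rfind("]")
    body = text[start + 1:end] if start >= 0 and end > start else text
    return dict(KV_RE.findall(body))


def identified_dynapps(fields: dict) -> list:
    """AppID names the log reports, in the junos: naming used in policy config (assumption)."""
    names = []
    for key in ("application", "nested-application"):
        value = fields.get(key)
        if value and value not in ("UNKNOWN", "NONE"):  # placeholder values (assumption)
            names.append("junos:" + value)
    return names


def triage_dynapp_deny(record: str, permitted: set):
    """For a 'Denied by junos-dynapp' close, report which identified apps the permit rule lacks."""
    f = parse_session_close(record)
    if f.get("reason") != "Denied by junos-dynapp":
        return None  # some other close reason; not an AppID policy miss
    apps = identified_dynapps(f)
    return {
        "flow": f"{f.get('source-address')}:{f.get('source-port')} -> "
                f"{f.get('destination-address')}:{f.get('destination-port')} "
                f"({f.get('source-zone-name')} -> {f.get('destination-zone-name')})",
        "denied_by": f.get("policy-name"),
        "identified": apps,
        "not_in_permit_rule": [a for a in apps if a not in permitted],
    }


if __name__ == "__main__":
    print(triage_dynapp_deny(SAMPLE_LOG, PERMIT_DYNAPPS))
```

For the record above the result lists junos:EPM under not_in_permit_rule, which is the candidate to add to the rule's dynamic-application list before re-testing.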


  • 2.  RE: AppID and MSRPC with "Denied by junos-dynapp"

    Posted 12-12-2024 10:17

    I think there's an unfortunate clue in the app details for junos:MSRPC:

    Alias List:
        junos:MSRPC-UNKNOWN

    So, it seems, unlike the O365 example in the article, MSRPC is not really an all-encompassing AppID definition ... 

    On the bright side, if the AppID definitions follow the built-in old application definitions, there probably aren't too many known MSRPC app IDs to account for in your policies.



    ------------------------------
    Nikolay Semov
    ------------------------------