Hi all.
I've really tried to figure this one out myself, but I can't... so I turn to the gurus in the Elevate community :-)
I have a firewall where I have a global rule that matches "dynamic-application junos:MSRPC" and "application any". This rule should permit MSRPC traffic between several zones.
match {
    source-address GRP.ALLCLIENTS;
    destination-address GRP.DC-ALL;
    application any;
    source-identity any;
    dynamic-application [ junos:DNS junos:NTP junos:LDAP junos:SSL junos:LDAPS junos:KRB5 junos:SMB junos:MSRPC junos:NETBIOS junos:CLDAP ];
    from-zone [ CLIENTS1 CLIENTS2 ];
    to-zone [ SERVERS1 SERVERS2 ];
}
then {
    permit;
    log {
        session-init;
        session-close;
    }
}
And at the bottom of the global policy set I have a rule that does a final deny with logging. This has source-/destination-address any, application any and dynamic-application any.
match {
    source-address any;
    destination-address any;
    application any;
    dynamic-application any;
    from-zone any;
    to-zone any;
}
then {
    deny;
    log {
        session-close;
    }
}
The thing is that MSRPC seems to be closed with the message "Denied by junos-dynapp". I've checked that the source- and destination-address match the ones accepted in the policy.
"eventname":"RT_FLOW_SESSION_CLOSE" "message":"[junos@2636.1.1.1.2.583 reason=\"Denied by junos-dynapp\" source-address=\"10.40.30.34\" source-port=\"12127\" destination-address=\"10.40.25.15\" destination-port=\"135\" connection-tag=\"0\" service-name=\"junos-ms-rpc-tcp\" nat-source-address=\"10.40.30.34\" nat-source-port=\"12127\" nat-destination-address=\"10.40.25.15\" nat-destination-port=\"135\" nat-connection-tag=\"0\" src-nat-rule-type=\"N\/A\" src-nat-rule-name=\"N\/A\" dst-nat-rule-type=\"N\/A\" dst-nat-rule-name=\"N\/A\" protocol-id=\"6\" policy-name=\"FINAL-DENY-WITH-LOGGING(global)\" source-zone-name=\"CLIENTS1\" destination-zone-name=\"SERVERS1\" session-id=\"8591892346\" packets-from-client=\"3\" bytes-from-client=\"292\" packets-from-server=\"1\" bytes-from-server=\"52\" elapsed-time=\"1\" application=\"MSRPC\" nested-application=\"EPM\"
I guess that this session gets closed when the application gets identified. Is this because it is identified with nested-application EPM and that this nested-application is not opened for? I thought that since we've opened for MSRPC, then EPM will be accepted as a nested-application because junos:EPM is "a part of" junos:MSRPC?
If I take a look at the details for "junos:EPM" I see that EPM has MSRPC listed as "Layer-7 Immediate Protocol(s)" and junos:MSRPC as "Underlying consolidated Protocols/ports application is dependent on:":
show services application-identification application detail junos:EPM
Application Name: junos:EPM
Application type: EPM
...
Underlying consolidated Protocols/ports application is dependent on:
Protocols:
...
Protocol: junos:MSRPC / 742
...
Layer-7 Immediate Protocol(s):
Protocol: SOAP / 191
Protocol: MSRPC / 742
Protocol: DCERPC / 26
...
Can someone explain what "Layer-7 Immediate Protocol(s)" and "Underlying consolidated Protocols/ports application is dependent on:" mean? Or point me to some documentation?
I've read these two:
CEC Juniper Community
CEC Juniper Community
------------------------------
Best regards
Vidar Stokke
------------------------------
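A small triage helper for the symptom described in the post, added here as an example and not part of the original thread or of Junos itself. It parses the key="value" fields of RT_FLOW_SESSION_CLOSE messages (in raw syslog form or the JSON-escaped form quoted above), keeps only sessions whose reason is "Denied by junos-dynapp", counts them by policy, application and nested-application, and flags the ones whose top-level application is in the permit rule's dynamic-application list. The sample log lines are constructed for illustration (modelled on the message in the post; the permit policy name PERMIT-AD-CLIENTS(global) and the extra sessions are made up), as is the `junos:` prefix stripping used to compare the rule's names with the short names the log reports.

```python
import re
from collections import Counter

# Dynamic-application list copied from the permit rule in the post.
PERMITTED_DYNAPPS = [
    "junos:DNS", "junos:NTP", "junos:LDAP", "junos:SSL", "junos:LDAPS",
    "junos:KRB5", "junos:SMB", "junos:MSRPC", "junos:NETBIOS", "junos:CLDAP",
]

# Constructed sample messages. The first is the JSON-escaped form from the post
# (trimmed, addresses as quoted there); the other two are invented for contrast.
SAMPLE_LOGS = [
    r'[junos@2636.1.1.1.2.583 reason=\"Denied by junos-dynapp\" source-address=\"10.40.30.34\" '
    r'source-port=\"12127\" destination-address=\"10.40.25.15\" destination-port=\"135\" '
    r'src-nat-rule-type=\"N\/A\" protocol-id=\"6\" policy-name=\"FINAL-DENY-WITH-LOGGING(global)\" '
    r'source-zone-name=\"CLIENTS1\" destination-zone-name=\"SERVERS1\" '
    r'application=\"MSRPC\" nested-application=\"EPM\"]',
    # A normally closed session on the (constructed) permit policy: not a dynapp deny.
    '[junos@2636.1.1.1.2.583 reason="TCP FIN" source-address="10.40.30.40" source-port="50123" '
    'destination-address="10.40.25.15" destination-port="389" protocol-id="6" '
    'policy-name="PERMIT-AD-CLIENTS(global)" source-zone-name="CLIENTS2" '
    'destination-zone-name="SERVERS1" application="LDAP" nested-application="UNKNOWN"]',
    # A dynapp deny for an application that is NOT in the permit list: counted, not flagged.
    '[junos@2636.1.1.1.2.583 reason="Denied by junos-dynapp" source-address="10.40.30.41" '
    'source-port="50200" destination-address="10.40.25.20" destination-port="80" protocol-id="6" '
    'policy-name="FINAL-DENY-WITH-LOGGING(global)" source-zone-name="CLIENTS1" '
    'destination-zone-name="SERVERS2" application="HTTP" nested-application="UNKNOWN"]',
]

# One key="value" pair of a Junos structured-data message.
_KV_RE = re.compile(r'([A-Za-z0-9_-]+)="([^"]*)"')


def parse_rt_flow(message: str) -> dict:
    """Return the key -> value fields of an RT_FLOW_* message.

    Accepts the raw syslog form as well as the JSON-escaped form (\\" and \\/)
    produced when the log is exported as JSON.
    """
    text = message.replace('\\"', '"').replace('\\/', '/')
    return dict(_KV_RE.findall(text))


def is_dynapp_deny(fields: dict) -> bool:
    """True when the session was closed by the AppID (dynamic-application) decision."""
    return fields.get("reason", "").lower() == "denied by junos-dynapp"


def summarize_dynapp_denies(messages, permitted_dynapps):
    """Count dynapp denies by (policy, application, nested-application) and flag
    those whose top-level application the permit rule already lists, which is the
    case in the post: MSRPC is permitted, yet the MSRPC/EPM session hits the deny."""
    # Assumption: the rule's "junos:NAME" corresponds to NAME in the log's application field.
    permitted = {name.split(":", 1)[-1].upper() for name in permitted_dynapps}
    counts = Counter()
    flagged = []
    for message in messages:
        f = parse_rt_flow(message)
        if not is_dynapp_deny(f):
            continue
        counts[(f.get("policy-name"), f.get("application"), f.get("nested-application"))] += 1
        if f.get("application", "").upper() in permitted:
            flagged.append({
                "src": f"{f.get('source-address')}:{f.get('source-port')}",
                "dst": f"{f.get('destination-address')}:{f.get('destination-port')}",
                "zones": f"{f.get('source-zone-name')}->{f.get('destination-zone-name')}",
                "application": f.get("application"),
                "nested-application": f.get("nested-application"),
                "policy": f.get("policy-name"),
            })
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = summarize_dynapp_denies(SAMPLE_LOGS, PERMITTED_DYNAPPS)
    for (policy, app, nested), n in counts.most_common():
        print(f"{n:4d}  {policy}  {app}/{nested}")
    for hit in flagged:
        print("permitted application still denied:", hit)
```

Run against a real export of the final-deny policy's session-close logs, the flagged list shows at a glance which nested applications (EPM here) are arriving under an application name the permit rule already covers, which narrows the question to how the nested-application match is evaluated rather than to addresses or zones.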