DCERPC inspection is not enabled in the default inspection policy, so you must enable it if you need this inspection. You can simply edit the default global inspection policy to add DCERPC inspection. You can alternatively create a new service policy as desired, for example, an interface-specific policy.
The following sections describe the DCERPC inspection engine.
Microsoft Remote Procedure Call (MSRPC), based on DCERPC, is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.
This typically involves a client querying a server called the Endpoint Mapper listening on a well known port number for the dynamically allocated network information of a required service. The client then sets up a secondary connection to the server instance providing the service. The security appliance allows the appropriate port number and network address and also applies NAT, if needed, for the secondary connection.
The DCERPC inspection engine inspects for native TCP communication between the EPM and client on well known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and Port number are received from the applicable EPM response messages. Since a client may attempt multiple connections to the server port returned by EPM, multiple use of pinholes are allowed, which have configurable timeouts.
DCE inspection supports the following universally unique identifiers (UUIDs) and messages:
End point mapper (EPM) UUID. All EPM messages are supported.
ISystemMapper UUID (non-EPM). Supported messages are:
OxidResolver UUID (non-EPM). Supported message is:
Any message that does not contain an IP address or port information because these messages do not require inspection.
Configure a DCERPC Inspection Policy Map
To specify additional DCERPC inspection parameters, create a DCERPC inspection policy map. You can then apply the inspection policy map when you enable DCERPC inspection.
When defining traffic matching criteria, you can either create a class map or include the match statements directly in the policy map. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that you can reuse class maps. The following procedure covers inspection policy maps, but also explains the traffic matching criteria available in the class map. To create a class map, select .
You can configure inspection maps while creating service policies, in addition to the procedure explained below. The contents of the map are the same regardless of how you create it.
Do one of the following:
For new maps, enter a name (up to 40 characters) and description. When editing a map, you can change the description only.
In the Security Level view of the DCERPC Inspect Map dialog box, select the level that best matches your desired configuration.
If one of the preset levels matches your requirements, you are now done. Just click OK, skip the rest of this procedure, and use the map in a service policy rule for DCERPC inspection.
If you need to customize the settings further, click Details and continue with the procedure.
Configure the desired options.
(Optional.) Click the Inspections tab and define the actions to take for specific types of messages.
You can define traffic matching criteria based on DCERPC class maps, by configuring matches directly in the inspection map, or both.
You can now use the inspection map in a DCERPC inspection service policy.
What to do next
You can now configure an inspection policy to use the map. See Configure Application Layer Protocol Inspection.