Thanks Thomas. I guess I don't really need to upgrade then. No other improvement that I really need from this HFA. I mean with all the hassle, I'd better wait for the next one.
Sincerely,
Adit

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Thomas
Sent: 20 October 2005 15:52
To: [email protected]
Subject: Re: [FW-1] DCE-RPC with HFA-01 on NGX-R60

It seems HFA01 didn't fix that with win2k3 sp1

In $FWDIR/lib/dcerpc.def

#define NO_ENFORCE_CNTX_NUM 0
changed to
#define NO_ENFORCE_CNTX_NUM 1

Best Regards,
Thomas Su
Dynasafe Technologies, Inc.

Aditya Irawan wrote:
> Dear All,
>
> My company just started using NGX on SPLAT since last week.
> And starting this Monday, I'm beginning to enforce the SmartDefense
> rules.
>
> There are 2 issues here:
> 1. On Monday, I'm updating the SmartDefense.
> And suddenly, some PCs on the network are no longer able to access the
> web.
> We are using a rule like this for browsing users:
>
> Source             Destination  Service  Action
> [EMAIL PROTECTED]  Any          http     Client Auth
>
> browsing is a User Group containing all user accounts that are
> allowed to browse the internet.
> The users' PCs use the firewall as default gateway. Normally, if they
> tried to browse to a site, an auth window will pop up.
> But since Monday, their browser just showed the "Page cannot be
> displayed" error after some time.
>
> 2. Today I'm enabling the other SmartDefense rules, but still check
> the "Monitor only - no protection".
> My intention was to see the traffic that might be captured by
> smartdefense.
> But instead, I'm starting to see these on the log:
>
> Number: 250721
> Date: 20Oct2005
> Time: 14:42:11
> Product: SmartDefense
> Interface: eth1
> Origin: gw (10.1.10.5)
> Type: Log
> Action: Drop
> Service: microsoft_ds (445)
> Source: SRV (10.1.1.6)
> Destination: forestdc (10.60.11.10)
> Protocol: tcp
> Source Port: 3063
> Attack Name: DCE-RPC Enforcement Violation
> Attack Information: Unallowed number of context items in
> Bind/Alter context request
>
> I found out that it is coming from CPAI-2005-112, the MSMQ check.
>
> Can anyone help me? Will HFA_01 be able to solve the issue?
> I'm looking at the R60_01-12 item in the HFA, "When there is a BIND
> request, more than one context item can now be Used", is it the
> correct one?
> Thank you very much for your help.
>
> Sincerely,
> Adit
>

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
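
Added example, not part of the thread and not Check Point's code: the log entry quoted above concerns the number of context items in a DCE-RPC Bind/Alter Context request, and this Python code reads that count from a PDU using the connection-oriented header layout of DCE 1.1 RPC (C706). The names `build_bind` and `context_items` are hypothetical, and the sample PDUs are constructed with a placeholder all-zero syntax UUID.

```python
import struct

BIND, ALTER_CONTEXT = 11, 14  # PTYPE values in the DCE 1.1 RPC common header

def build_bind(n_ctx, ptype=BIND, little_endian=True):
    """Construct a sample Bind/Alter Context PDU (test data, not a capture)."""
    e = "<" if little_endian else ">"
    syntax = bytes(16) + struct.pack(e + "I", 1)  # placeholder UUID + version
    items = b"".join(
        # p_cont_id, n_transfer_syn=1, reserved, abstract syntax, transfer syntax
        struct.pack(e + "HBB", cid, 1, 0) + syntax + syntax
        for cid in range(n_ctx)
    )
    # max_xmit_frag, max_recv_frag, assoc_group_id, then the p_cont_list header
    body = struct.pack(e + "HHIBBH", 4280, 4280, 0, n_ctx, 0, 0) + items
    drep = bytes([0x10 if little_endian else 0x00, 0, 0, 0])
    hdr = bytes([5, 0, ptype, 0x03]) + drep
    hdr += struct.pack(e + "HHI", 16 + len(body), 0, 1)  # frag_len, auth_len, call_id
    return hdr + body

def context_items(pdu):
    """Return (ptype, [context ids]) for a Bind/Alter Context PDU, else None.

    Walks every presentation context element instead of trusting the
    n_context_elem byte alone, and raises ValueError on a truncated list.
    """
    if len(pdu) < 28 or pdu[0] != 5:
        return None
    ptype = pdu[2]
    if ptype not in (BIND, ALTER_CONTEXT):
        return None
    e = "<" if pdu[4] >> 4 == 1 else ">"          # integer byte order from drep
    (frag_len,) = struct.unpack_from(e + "H", pdu, 8)
    end = min(frag_len, len(pdu))
    n_ctx, off, ids = pdu[24], 28, []             # n_context_elem is at offset 24
    for _ in range(n_ctx):
        if off + 4 > end:
            raise ValueError("context list runs past the fragment")
        cid, n_ts, _rsvd = struct.unpack_from(e + "HBB", pdu, off)
        off += 4 + 20 + 20 * n_ts                 # element header + syntaxes
        if off > end:
            raise ValueError("context element runs past the fragment")
        ids.append(cid)
    return ptype, ids

if __name__ == "__main__":
    print(context_items(build_bind(3)))           # a bind offering three contexts
```
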
