Define SunRPC Proxy parameters

The Sun Remote Procedure Call (RPC) Protocol Agent assists the Firewall, Layer 2 Firewall, or IPS engine in handling Portmapper connections (the RPC port-mapping service on port 111).

There are UDP-based and TCP-based Protocol Agents for the Sun RPC protocol. On the Firewall, these agents only assist in handling Portmapper connections: they speed up matching of the RPC program numbers used in the Access rules. On IPS engines and Layer 2 Firewalls, these Protocol Agents also provide deep inspection.
Note: The Protocol Agent is meant only for Portmapper connections. Allow other RPC services using Service elements without the Protocol Agent.

The Portmapper Protocol Agents collect information about RPC services by interpreting GET PORT and DUMP PORTS requests (PMAPPROC_GETPORT and PMAPPROC_DUMP in the portmap protocol) and their respective replies. All information they collect is stored in the Portmapper cache.

When the packet filter needs to evaluate an RPC match, it consults the Portmapper cache to check whether the destination of the packet has the service defined in the rule registered on the destination port. If the cache does not hold the requested information, the packet under evaluation is not let through, and the engine sends an RPC query to the destination host. The reply is stored in the cache so that later packets to that destination can be matched without another query.
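The following is an added example, written for this page and not part of the engine or the product, of what the agent interprets and how the cache-driven decision in the previous paragraph works. It encodes and decodes portmapper v2 GET PORT and DUMP PORTS messages in the wire format defined by RFC 1057 (RPC version 2) and RFC 1833 (portmap v2), and implements a toy Portmapper cache whose match() returns ALLOW, DROP, or QUERY. The sample addresses, the registrations in the constructed DUMP reply, and the cache policy (QUERY when nothing is cached for the host, DROP when the host is known but the port does not serve the rule's program) are assumptions for illustration; the engine's real cache structure and timeouts are not described on this page.

```python
"""Portmapper (SunRPC program 100000, version 2) GETPORT/DUMP decoding plus a
cache-driven rule check.  Wire format per RFC 1057/RFC 1833; cache is illustrative."""
import struct

PMAP_PROG, PMAP_VERS = 100000, 2
PMAPPROC_GETPORT, PMAPPROC_DUMP = 3, 4
IPPROTO_TCP, IPPROTO_UDP = 6, 17
MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS, AUTH_NULL = 0, 0, 0

def _skip_opaque_auth(data, off):
    """Skip one opaque_auth: flavor, length, body padded to a 4-byte boundary."""
    _flavor, blen = struct.unpack_from(">II", data, off)
    return off + 8 + ((blen + 3) & ~3)

def build_getport_call(xid, prog, vers, prot):
    """Encode a PMAPPROC_GETPORT call as a client sends it to port 111 (UDP payload;
    over TCP a 4-byte record mark precedes each message)."""
    hdr = struct.pack(">6I", xid, MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack(">4I", AUTH_NULL, 0, AUTH_NULL, 0)  # empty cred and verf
    return hdr + auth + struct.pack(">4I", prog, vers, prot, 0)  # port field is ignored

def build_getport_reply(xid, port):
    """Encode an accepted GETPORT reply; port 0 means 'program not registered'."""
    return (struct.pack(">6I", xid, MSG_REPLY, MSG_ACCEPTED, AUTH_NULL, 0, SUCCESS)
            + struct.pack(">I", port))

def build_dump_reply(xid, mappings):
    """Encode an accepted DUMP reply (used here to construct sample server traffic)."""
    out = struct.pack(">6I", xid, MSG_REPLY, MSG_ACCEPTED, AUTH_NULL, 0, SUCCESS)
    for m in mappings:
        out += struct.pack(">5I", 1, *m)  # value_follows=1, then mapping{prog,vers,prot,port}
    return out + struct.pack(">I", 0)  # end of list

def parse_call(data):
    """Return (xid, proc, args); the agent keeps the xid to pair the reply with the call."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", data, 0)
    if (mtype, rpcvers, prog, vers) != (MSG_CALL, 2, PMAP_PROG, PMAP_VERS):
        raise ValueError("not a portmapper v2 call")
    off = _skip_opaque_auth(data, _skip_opaque_auth(data, 24))
    if proc == PMAPPROC_GETPORT:
        p, v, prot, _port = struct.unpack_from(">4I", data, off)
        return xid, proc, (p, v, prot)
    if proc == PMAPPROC_DUMP:
        return xid, proc, None
    raise ValueError("procedure %d is not interpreted by the agent" % proc)

def _reply_body(data):
    xid, mtype, rstat = struct.unpack_from(">3I", data, 0)
    if (mtype, rstat) != (MSG_REPLY, MSG_ACCEPTED):
        raise ValueError("rejected or malformed reply")
    off = _skip_opaque_auth(data, 12)
    if struct.unpack_from(">I", data, off)[0] != SUCCESS:
        raise ValueError("call accepted but failed")
    return xid, off + 4  # results start here

def parse_getport_reply(data):
    xid, off = _reply_body(data)
    return xid, struct.unpack_from(">I", data, off)[0]

def parse_dump_reply(data):
    """Walk the XDR linked list of mapping entries returned by PMAPPROC_DUMP."""
    xid, off = _reply_body(data)
    mappings = []
    while struct.unpack_from(">I", data, off)[0]:  # value_follows
        mappings.append(struct.unpack_from(">4I", data, off + 4))
        off += 20
    return xid, mappings

class PortmapperCache:
    """(host, prog, vers, prot) -> port, learned from interpreted GETPORT/DUMP replies."""
    def __init__(self):
        self.entries = {}

    def learn(self, host, mappings):
        for prog, vers, prot, port in mappings:
            if port:  # a port of 0 means 'not registered'; cache nothing
                self.entries[(host, prog, vers, prot)] = port

    def match(self, host, prot, dport, rule_prog):
        """ALLOW: dport serves rule_prog on host.  DROP: host known, dport does not.
        QUERY: nothing cached for host (packet not let through, RPC query sent)."""
        known = {k: p for k, p in self.entries.items() if k[0] == host}
        if not known:
            return "QUERY"
        hit = any(k[1] == rule_prog and k[3] == prot and p == dport for k, p in known.items())
        return "ALLOW" if hit else "DROP"

def demo():
    """Constructed exchange: a client asks for NFS (100003 v3 over TCP), the server's
    DUMP reply lists three registrations, then packets are checked against an NFS rule."""
    host = "192.0.2.10"  # RFC 5737 documentation address, constructed
    _xid, _proc, args = parse_call(build_getport_call(0x1234, 100003, 3, IPPROTO_TCP))
    reply = build_dump_reply(0x1235, [(PMAP_PROG, PMAP_VERS, IPPROTO_TCP, 111),
                                      (100003, 3, IPPROTO_TCP, 2049),    # nfs (constructed)
                                      (100021, 4, IPPROTO_UDP, 32769)])  # nlockmgr (constructed)
    cache = PortmapperCache()
    before = cache.match(host, IPPROTO_TCP, 2049, 100003)
    cache.learn(host, parse_dump_reply(reply)[1])
    return {"getport_args": args, "before_learn": before,
            "getport_port": parse_getport_reply(build_getport_reply(0x1234, 2049))[1],
            "nfs_port": cache.match(host, IPPROTO_TCP, 2049, 100003),
            "wrong_port": cache.match(host, IPPROTO_TCP, 8080, 100003),
            "other_host": cache.match("192.0.2.11", IPPROTO_TCP, 2049, 100003)}
```

Calling demo() shows the three outcomes in order: before any reply has been seen the NFS packet yields QUERY, after the DUMP reply is learned the same packet yields ALLOW, a packet to a port the host has not registered for NFS yields DROP, and a packet to a host with nothing cached yields QUERY again. The real engine additionally has to bound how long a cached mapping is trusted and what to do with the packet it drops while the query is pending; the page states the packet is not let through but does not describe retransmission handling.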

We recommend following these precautions with the RPC protocol:
  • Attach the Portmapper Protocol Agent only to Portmapper connections passing through the firewall.
  • Allow the firewall engine itself to send RPC queries to the destination hosts; without such a rule, the cache is never filled and RPC matches never succeed.
  • Optimize the structure of your security policy. See Knowledge Base article 10086 for more information.

RPC queries are sent from the firewall to TCP port 111 of the external host. You can use the SunRPC (TCP) Service element or the SunRPC (UDP) Service element, or you can use the Portmapper Service element with both TCP and UDP. We recommend adding the following rule above any other Portmapper rules to allow these connections without the Protocol Agent:
Table 1. Rule for RPC Queries

Source                                          Destination   Service                      Action
Firewall engine IP address (NDIs on clusters)   Any           SunRPC (TCP), SunRPC (UDP)   Allow

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. In the properties of a custom Service you have created, click Select next to the Protocol field and select SunRPC (TCP) or SunRPC (UDP), matching the transport protocol of the Service.
  2. (Firewall only) On the Protocol Parameters tab, set the parameters for the Protocol Agent.
  3. Click OK.
Note: Use the resulting Service only in the Access rule that matches the Portmapper connection itself (port 111). Other RPC services are allowed with Service elements that do not have the Protocol Agent attached.