Cannot connect to RDP over BOVPN
We have a new client that we've put WG in, in place of Cisco ASAs, and have configured BOVPNs to connect the branches to the main office. The main office has an app server with remote desktop services to allow users to remote into sessions to use the accounting software. The RDP works on the internal network, but not from any of the branches. When checking traffic logs, I see a few Allows but one specific Deny every time, and I cannot figure out how to allow the traffic to allow the session. Here is the Deny line.
2022-03-13 03:15:12 Deny 192.168.6.95 10.1.1.6 rdp/tcp 63706 3389 TBD_to_AGO Internal IPS detected 59127 (BOVPN-Allow-Any.in) proc_id="firewall" rc="301" msg_id="3000-0150" tcp_info="offset 5 A 2625095262 win 60921" signature_id="1131270" signature_name="RDP Microsoft Remote Desktop Protocol Remote Code Execution (CVE-2015-2373)" signature_cat="Buffer Overflow" severity="4" sig_vers="18.201"
Forgive me for the lack of understanding, I'm fairly new to the industry and have been banging my head against this for a few hours now. Any insight would be greatly appreciated.
Best Answer
james.carson Moderator, WatchGuard Representative
This is an IPS signature -- there's likely an older version of an RDP client or server running somewhere that it's picking up.
The signature ID for this is 1131270
You can read more about that ID here:
https://securityportal.watchguard.com/threats/detail?ruleId=1131270&sigVers=4
You can make an exception for it by following these directions:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/ips/ips_config_exceptions_c.html
-James Carson
WatchGuard Customer Support
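Before adding an IPS exception, it helps to tally which signatures are actually behind the Deny entries and for which flows. The script below is an added example, not part of the original thread or any WatchGuard tooling; it assumes the traffic log is exported as text with whitespace between the leading fields, and its sample lines are constructed from the Deny line in the question.

```python
import re
from collections import Counter

# Leading columns; whitespace between them is an assumption about the export format.
HEAD_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<action>Allow|Deny)\s+'
    r'(?P<src>\d+(?:\.\d+){3})\s+(?P<dst>\d+(?:\.\d+){3})\s+'
    r'(?P<service>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\b')
# Trailing key="value" attributes (signature_id, signature_name, severity, ...).
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return a dict of fields for one traffic log line, or None if it does not match."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(ATTR_RE.findall(line))
    return rec

def ips_denies(lines):
    """Count Deny lines that carry an IPS signature, keyed by signature and flow."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "Deny" and "signature_id" in rec:
            hits[(rec["signature_id"], rec.get("signature_name", ""),
                  rec["src"], rec["dst"], rec["dport"])] += 1
    return hits

# Constructed sample input: the flow and IPS attributes come from the Deny line
# in the question; the Allow line and the second timestamp are made up.
_FLOW = "192.168.6.95 10.1.1.6 rdp/tcp 63706 3389 TBD_to_AGO Internal"
_IPS = ('IPS detected 59127 (BOVPN-Allow-Any.in) proc_id="firewall" rc="301" '
        'msg_id="3000-0150" signature_id="1131270" signature_name="RDP Microsoft '
        'Remote Desktop Protocol Remote Code Execution (CVE-2015-2373)" '
        'signature_cat="Buffer Overflow" severity="4"')
SAMPLE_LINES = [
    f'2022-03-13 03:15:10 Allow {_FLOW} Allowed (BOVPN-Allow-Any.in) proc_id="firewall"',
    f"2022-03-13 03:15:12 Deny {_FLOW} {_IPS}",
    f"2022-03-13 03:16:40 Deny {_FLOW} {_IPS}",
    "unparseable line",
]

if __name__ == "__main__":
    for (sig, name, src, dst, dport), n in ips_denies(SAMPLE_LINES).most_common():
        print(f"{n}x signature {sig} ({name}) {src} -> {dst}:{dport}")
```

If the same signature fires for every RDP client at a site, that points to the server or a common client build rather than one stray machine, which is worth knowing before exempting the signature.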