<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ms-rdp and cotp in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/ms-rdp-and-cotp/m-p/573169#M2444</link>
    <description>&lt;P&gt;Thank you for your reply. That explains what we are seeing here. In one of our old networks we're seeing just rdp and it still works, although now I am tempted to find out if we have any rdp issues that couldn't be explained.&lt;/P&gt;
&lt;P&gt;In our newest integration we're just building our policies and saw cotp alongside rdp and it was not something I expected.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for your help!&lt;/P&gt;</description>
    <pubDate>Tue, 16 Jan 2024 11:35:54 GMT</pubDate>
    <dc:creator>janhoppe</dc:creator>
    <dc:date>2024-01-16T11:35:54Z</dc:date>
    <item>
      <title>ms-rdp and cotp</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/ms-rdp-and-cotp/m-p/573165#M2442</link>
      <description>&lt;P&gt;Hello there,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have googled and searched the community but I am still at a loss: why is the "rdp" communication identified as "cotp" sometimes? Does anyone have an answer or a link?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Have a great no-unplanned-downtime-day everyone!&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Jan&lt;/P&gt;</description>
      <pubDate>Tue, 16 Jan 2024 10:55:19 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/ms-rdp-and-cotp/m-p/573165#M2442</guid>
      <dc:creator>janhoppe</dc:creator>
      <dc:date>2024-01-16T10:55:19Z</dc:date>
    </item>
    <item>
      <title>Re: ms-rdp and cotp</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/ms-rdp-and-cotp/m-p/573166#M2443</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/317775"&gt;@janhoppe&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Generally you see this more when someone has log-start enabled on RDP policies (which is a good practice in my eye since you likely&amp;nbsp;&lt;EM&gt;want&amp;nbsp;&lt;/EM&gt;fast indication that someone has an RDP window open when looking at logs without having to go into the session table).&amp;nbsp;&lt;/P&gt;
&lt;P&gt;When you see this in the logs when that isn't the case it simply means that the firewall hasn't properly identified it under the ms-rdp application. That&amp;nbsp;&lt;EM&gt;shouldn't&amp;nbsp;&lt;/EM&gt;be that much of an issue since ms-rdp implicitly utilizes cotp and t.120 as the underlying technology that drives ms-rdp, however I know a lot of people simply include ms-rdp and cotp in the same entries since that false-negative on the ms-rdp signature&amp;nbsp;&lt;EM&gt;can&amp;nbsp;&lt;/EM&gt;cause connection issues for folks if it doesn't switch over properly.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;As to&amp;nbsp;&lt;EM&gt;why&amp;nbsp;&lt;/EM&gt;that happens, it's just because the firewall didn't see the proper traffic to match the ms-rdp signature properly. That could be because some packets dropped along the way that prevent it from being identified properly, it could be because the service on the endpoint wasn't operating properly and therefore didn't return traffic as expected, or a number of other issues.&lt;/P&gt;</description>
      <pubDate>Tue, 16 Jan 2024 11:27:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/ms-rdp-and-cotp/m-p/573166#M2443</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2024-01-16T11:27:03Z</dc:date>
    </item>
    <item>
      <title>Re: ms-rdp and cotp</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/ms-rdp-and-cotp/m-p/573169#M2444</link>
      <description>&lt;P&gt;Thank you for your reply. That explains what we are seeing here. In one of our old networks we're seeing just rdp and it still works, although now I am tempted to find out if we have any rdp issues that couldn't be explained.&lt;/P&gt;
&lt;P&gt;In our newest integration we're just building our policies and saw cotp alongside rdp and it was not something I expected.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for your help!&lt;/P&gt;</description>
      <pubDate>Tue, 16 Jan 2024 11:35:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/ms-rdp-and-cotp/m-p/573169#M2444</guid>
      <dc:creator>janhoppe</dc:creator>
      <dc:date>2024-01-16T11:35:54Z</dc:date>
    </item>
  </channel>
</rss>

