topic Re: Service Objects and multiple ports in General Topics

Service Objects and multiple ports

blwallace — Mon, 02 Apr 2012 21:16:56 GMT

I have the need to create a rule with three applications, ncp, ms-update and ssl. Two of those applications use their standard ports - ncp (524) and ms-update (80 & 443). The ssl application uses port 13000 - not the standard 443.

If I create a single service object using ports 542,80,443,13000 and use this service object in the rule, can all three applications use any of those ports?
If I create a service object for each application and put the service objects in a service group, then add the service group to the rule as follows:

service-ncp: port 524
service-ms-update: ports 80,442
service-ssl: port 13000
service-group: service-ncp,service-ms-update,service-ssl

Does this limit each application to the specific ports defined within the service object?

My goal is to be very deterministic (we don't need to discuss religious arguments as to my sanity) in my rules - meaning, I want to know and control applications and the ports they use whenever possible and when it makes sense. What I don't want is cross-talking, in this example, this rule allowing ms-update over port 13000.

Thanks for your feedback

Re: Service Objects and multiple ports

mikand — Mon, 02 Apr 2012 21:51:58 GMT

You would need to setup three different security rules similar to (I have exluded src/dstip to make it fewer lines in this example):

rule1)

appid:ncp

service:TCP524

rule2)

appid:ms-update

service:TCP80,TCP443

rule3)

appid:ssl

service:TCP13000

Re: Service Objects and multiple ports

blwallace — Tue, 03 Apr 2012 15:48:15 GMT

Yes, I understand that I could do three different security policies, two of which would use 'application-default' as the service type. If a service group allows an application, or a group of applications, to use any of the ports defined within the service group, I'm wondering what the benefit is with using a service group. My ideal scenario is to

great an application group
put the three applications in the group
create a service object for each application
create a service group
put the three service objects in the service group

The rule matches ncp over port 524 (only), ms-update over port 80, 443 (only) ssl over port (13000).

I guess I'm not understanding how a service group works.

Re: Service Objects and multiple ports

sjamaluddin — Thu, 05 Apr 2012 17:56:59 GMT

If you clump the service ports in a service group, the application will be able to use any of those and not be restricted to application+port as you want.

Read each security policy left to right as a series of AND statements. and within the field (eg. service: 80,443,389) as an OR statement

Example you have a rule that has Application: web-browsing, AND Service has ports: 80,443,1300 what this means is your web browsing will be allowed on either port 80 OR port 443 OR port 1300

The way you want it where you want to restrict each application to specific ports (be it default or any other) you should have three different rules one for each application/service pair.

Hope this helps

Re: Service Objects and multiple ports

mikand — Thu, 05 Apr 2012 18:41:36 GMT

So this means that if you setup service:default-service and have 2 or more applications all applications in the same security rule can use each other ports?

Because one can get the impression that if you setup:

appid: app1,app2

service: port1,port2

then of course app1 can use both port1 and port2.

But when setting it up as:

appid: app1, app2

service: default

at least I would imagine (at first) that app1 can only use its own default ports (lets say port1) and app2 can only use whatever default ports it got assigned (lets say port2).

What are the odds that if one file this as a feature request (lock each app to its own serviceports) that it can be fixed (of course one can file any feature request but its also good to know the probability that it can be fixed aswell)?