topic Re: Urgent - Port Block Help in General Topics

Urgent - Port Block Help

sorrell — Wed, 07 Mar 2018 13:53:15 GMT

Hi All, we are trying to implement a security profile to block port 445.

Universal, source any/any, dest any/any, application unchecked, service port 445.

The profile is near the top of the list of profiles (above the outbound traffic profile).

For reasons unknown we are still seeing entries in the traffic log when we filter on:-

( port.dst eq 445 ) and ( action eq allow )

Sec Profile below:-

Line8

"Port Blocks" {
from any;
source any;
source-region none;
to any;
destination any;
destination-region none;
user any;
category any;
application/service any/tcp/445/445;
action deny;
icmp-unreachable: no
terminal no;
}

Line 53 (Outbound Traffic)

"L3-MPLS to L3-Untrust" {
from L3-MPLS-Trust;
source any;
source-region none;
to L3-Untrust;
destination any;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}

Traffic logs below.

General

Session ID

33850521

Action

allow

Action Source

from-policy

Application

ms-ds-smb-base

Rule	L3-MPLS-Trust to L3-Untrust

Session End Reason

tcp-fin

Re: Urgent - Port Block Help

jsalmans — Wed, 07 Mar 2018 13:38:11 GMT

It looks like you've posted a traffic log but can you also post some screencaps of the rules involved? Both the "L3-MPLS-Trust to L3-Untrust" as well as the rule you've put in place to block 445.

Re: Urgent - Port Block Help

sorrell — Wed, 07 Mar 2018 13:53:49 GMT

Hi - Original post updated, thanks

Re: Urgent - Port Block Help

jsalmans — Wed, 07 Mar 2018 14:06:25 GMT

I'm not used to looking at this from the CLI, so forgive me if I have this incorrect, but it looks like your service you've configured for TCP 445 is looking for source AND destination 445?

If you'll notice, your source in your logs is coming from a different port. I'm guessing this is why you aren't matching. I'd try modifying the TCP 445 service to only include destination port (leave source port blank) and see if that works.

*edit* A destination only service would look something like: any/tcp/any/445

Re: Urgent - Port Block Help

BPry — Wed, 07 Mar 2018 14:40:47 GMT

@sorrell,

@jsalmans is currect, the rule that you have listed wouldn't match because you wouldn't have a source port of 445 as specified. One would usually just look for the destination port of 445 if this is something that you are looking to do. That would look like this to actually get it to build out currectly from the CLI.

configure
set rulebase security rules "Port Block" from any source any to any destination any application any service tcp-445 action deny icmp-unreachable no 
move rulebase security rules "Port Block" before "L3-MPLS to L3-Untrust" 
delete rulebase security rules "Port Blocks"

This would get rid of the malformed "Port Blocks" rule, configure a proper "Port Block" policy (assumes that the service configured is tcp-445), moves the new "Port Block" rule above your "L3-MPLS to Untrust" rule.

Re: Urgent - Port Block Help

sorrell — Wed, 07 Mar 2018 20:23:23 GMT

@jsalmans, @BPry

That's fixed it, thank you both. Great help.

It makes perfect sense now I have seen my mistake!