<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: tcp/dynamic port range in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/tcp-dynamic-port-range/m-p/276599#M75362</link>
    <description>afaik it means 'all ports' but in relation to "application-default" port settings; it allows the same custom app to use different ports for individual flows</description>
    <pubDate>Mon, 15 Jul 2019 14:09:29 GMT</pubDate>
    <dc:creator>reaper</dc:creator>
    <dc:date>2019-07-15T14:09:29Z</dc:date>
    <item>
      <title>tcp/dynamic port range</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/tcp-dynamic-port-range/m-p/275836#M75302</link>
      <description>&lt;P&gt;I'm looking for a definitive answer on what port range "tcp/dynamic" and "udp/dynamic" uses. I would figure that it is 49152-65535, but I have not been able to locate anything in documentation or the community to confirm this.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 10 Jul 2019 19:13:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/tcp-dynamic-port-range/m-p/275836#M75302</guid>
      <dc:creator>nsendelbac</dc:creator>
      <dc:date>2019-07-10T19:13:01Z</dc:date>
    </item>
    <item>
      <title>Re: tcp/dynamic port range</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/tcp-dynamic-port-range/m-p/276599#M75362</link>
      <description>afaik it means 'all ports' but in relation to "application-default" port settings; it allows the same custom app to use different ports for individual flows</description>
      <pubDate>Mon, 15 Jul 2019 14:09:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/tcp-dynamic-port-range/m-p/276599#M75362</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2019-07-15T14:09:29Z</dc:date>
    </item>
    <item>
      <title>Re: tcp/dynamic port range</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/tcp-dynamic-port-range/m-p/276657#M75368</link>
      <description>&lt;P&gt;Thanks for the reply. If dynamic referred to all ports, that would not explain why many apps have specific ports listed, as well as tcp/udp dynamic. If dynamic covered all ports, it would be redundant to include others in the same app.&lt;/P&gt;&lt;P&gt;e.g.&lt;/P&gt;&lt;P&gt;Access-grid: tcp/80,8000,20000,20200,dynamic, udp/dynamic&lt;/P&gt;&lt;P&gt;apple-appstore: tcp/80,443,dynamic&lt;/P&gt;&lt;P&gt;baidu-hi-base: tcp/443,80,6453,dynamic, udp/2400,2500,dynamic&lt;/P&gt;&lt;P&gt;avaya-webalive-base: tcp/dynamic, udp/7878,2379&lt;/P&gt;&lt;P&gt;condor: tcp/dynamic, udp/9600-9700&lt;/P&gt;&lt;P&gt;Since for each app some ports are explicitly listed and others are dynamic, it makes me think that the dynamic range is a common range that an app could select a port from, such as 49152-65535. I believe that the app was observed using the specified ports each session, but different random port(s) established per session as well, from an upper range that could be 49152-65535 or even 32768-61000.&lt;/P&gt;&lt;P&gt;I wonder why there's nothing in the documentation that covers this topic.&lt;/P&gt;</description>
      <pubDate>Mon, 15 Jul 2019 18:39:39 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/tcp-dynamic-port-range/m-p/276657#M75368</guid>
      <dc:creator>nsendelbac</dc:creator>
      <dc:date>2019-07-15T18:39:39Z</dc:date>
    </item>
    <item>
      <title>Re: tcp/dynamic port range</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/tcp-dynamic-port-range/m-p/277454#M75457</link>
      <description>&lt;P&gt;I set up a test and found out a custom App-ID containing tcp/udp dynamic, and a signature looking for user-agents, will match on traffic on destination ports below 1024, 80 and 443 in this case. So it seems that dynamic refers to all ports. The question now is why the apps I mentioned specify specific ports AND a tcp/dynamic port reference at the same time, if dynamic means all ports? Doesn't make sense.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jul 2019 14:23:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/tcp-dynamic-port-range/m-p/277454#M75457</guid>
      <dc:creator>nsendelbac</dc:creator>
      <dc:date>2019-07-18T14:23:54Z</dc:date>
    </item>
    <item>
      <title>Re: tcp/dynamic port range</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/tcp-dynamic-port-range/m-p/277501#M75467</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/20403"&gt;@nsendelbac&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;This is due to the fact that any App-ID can be made up of many different actual signatures, which all have different conditional criteria assigned to them. So, looking at the App Store example, downloading for instance will use a set signature and happen over dynamic ports, but browsing may happen over standard 443 and use a set signature for that identification.&lt;/P&gt;&lt;P&gt;One App-ID doesn't necessarily mean only one signature is being utilized, and through conditional statements they can limit a signature to only identify under set ports listed within the App-ID itself.&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jul 2019 16:29:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/tcp-dynamic-port-range/m-p/277501#M75467</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2019-07-18T16:29:42Z</dc:date>
    </item>
    <item>
      <title>Re: tcp/dynamic port range</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/tcp-dynamic-port-range/m-p/588769#M117375</link>
      <description>&lt;P&gt;Short of any specific documentation, I would say it is 1024–65535, which is the broadest amalgamation of 32768-61000 (Linux),&amp;nbsp; 49152-65535 (IANA, Windows, BSD), 1024-5000 (old BSD), 1025-60000 (old Windows).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In our environment (OT, no Internet), we change Linux to use the IANA ephemeral range and only have modern OSes. We do not allow any systems to bind to the ephemeral range, so any listening services will always be below 49152 (and typically below 1024).&amp;nbsp; We define Services for everything and do not allow the "application-default" or "any". One advantage to having narrowly defined Services is that there is no need to even allow the initial packet(s) required for PA to discover the App-ID and then block it; if the port isn't within the explicitly defined Service, it never is allowed. This is more work/overhead, but is the most secure approach. We only have 2 types of policy rules that have the ephemeral port range in use: those related to Microsoft Windows with App-IDs ms-wmi and msrpc-base (which list "dynamic" as their ports).&lt;/P&gt;</description>
      <pubDate>Tue, 04 Jun 2024 22:14:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/tcp-dynamic-port-range/m-p/588769#M117375</guid>
      <dc:creator>jasonroy</dc:creator>
      <dc:date>2024-06-04T22:14:51Z</dc:date>
    </item>
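The last post argues for narrowly defined Service objects instead of "application-default", and the earlier post lists App-IDs whose port strings mix explicit ports with "dynamic". The script below is an added example written for this thread, not Palo Alto Networks code: it parses that port notation and shows, per app and protocol, what an explicit Service port list would have to contain under either reading of "dynamic". The two readings are assumptions set as constants (IANA_EPHEMERAL for 49152-65535, EVERY_PORT for 1-65535, the latter being what the custom App-ID test reported in the thread suggested); the app list is copied from the post above as constructed sample input.

```python
"""Expand App-ID port notation into explicit Service port lists.

Added example for this thread, not Palo Alto Networks code. It parses the
"tcp/80,8000,dynamic, udp/dynamic" notation quoted in the posts above and
shows what a narrowly defined Service object would need for each app.
What "dynamic" stands for is an assumption chosen by the caller: the
IANA ephemeral range (49152-65535) or every port, which is what the
custom App-ID test described in the thread suggested.
"""
import re

IANA_EPHEMERAL = (49152, 65535)  # assumption: one reading of "dynamic"
EVERY_PORT = (1, 65535)          # assumption: the other reading

# Constructed sample input, copied from the app list quoted in the thread.
APP_PORTS = {
    "access-grid": "tcp/80,8000,20000,20200,dynamic, udp/dynamic",
    "apple-appstore": "tcp/80,443,dynamic",
    "baidu-hi-base": "tcp/443,80,6453,dynamic, udp/2400,2500,dynamic",
    "avaya-webalive-base": "tcp/dynamic, udp/7878,2379",
    "condor": "tcp/dynamic, udp/9600-9700",
}


def parse_app_ports(spec):
    """Parse one App-ID port string.

    Returns {proto: (ranges, has_dynamic)} where ranges is a sorted list of
    (low, high) tuples for the explicitly listed ports.
    """
    parsed = {}
    # Split into per-protocol pieces at the comma that precedes "tcp/" or "udp/".
    for piece in re.split(r"\s*,\s*(?=(?:tcp|udp)/)", spec.strip()):
        proto, ports = piece.split("/", 1)
        ranges, has_dynamic = [], False
        for token in ports.split(","):
            token = token.strip()
            if token == "dynamic":
                has_dynamic = True
            elif "-" in token:
                low, high = (int(x) for x in token.split("-", 1))
                ranges.append((low, high))
            else:
                ranges.append((int(token), int(token)))
        parsed[proto] = (sorted(ranges), has_dynamic)
    return parsed


def service_ranges(spec, dynamic_range):
    """Explicit (low, high) list per protocol, with "dynamic" expanded.

    An explicit port that already falls inside dynamic_range is dropped,
    since the dynamic entry covers it. Under EVERY_PORT that removes all
    of them, which is exactly the redundancy the thread asks about.
    """
    out = {}
    for proto, (ranges, has_dynamic) in parse_app_ports(spec).items():
        if not has_dynamic:
            out[proto] = ranges
            continue
        dyn_low, dyn_high = dynamic_range
        covered = set(range(dyn_low, dyn_high + 1))
        kept = [r for r in ranges
                if not set(range(r[0], r[1] + 1)).issubset(covered)]
        out[proto] = sorted(kept + [dynamic_range])
    return out


def to_port_field(ranges):
    """Render ranges the way a Service object's destination port field takes them."""
    return ",".join(f"{lo}" if lo == hi else f"{lo}-{hi}" for lo, hi in ranges)


def needs_ephemeral(spec):
    """True when any protocol in the spec carries a dynamic entry."""
    return any(has_dynamic for _, has_dynamic in parse_app_ports(spec).values())


if __name__ == "__main__":
    for assumption, dyn in (("IANA ephemeral", IANA_EPHEMERAL), ("every port", EVERY_PORT)):
        print(f"dynamic = {assumption}")
        for app, spec in APP_PORTS.items():
            for proto, ranges in service_ranges(spec, dyn).items():
                print(f"  {app:22} {proto} {to_port_field(ranges)}")
```

Run it and compare the two tables: under the IANA reading apple-appstore still needs "80,443,49152-65535", while under the every-port reading its explicit ports collapse into "1-65535", which is the redundancy the second post points out and the reply about per-signature port conditions explains. Any app for which needs_ephemeral() is true is one that cannot be fully covered by a Service restricted to ports below 49152, the category the last post limits to its ms-wmi and msrpc-base rules.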
  </channel>
</rss>