tcp/dynamic port range

I'm looking for a definitive answer on what port range "tcp/dynamic" and "udp/dynamic" uses. I would figure that it is 49152-65535, but I have not been able to locate anything in documentation or the community to confirm this. 

afaik it means 'all ports' but in relation to "application-default" port settings; it allows the same custom app to use different ports for individual flows
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks for the reply. If dynamic referred to all ports, that would not explain why many apps have specific ports listed as well as tcp/udp dynamic. If dynamic covered all ports, it would be redundant to include others in the same app.

e.g.

Access-grid            tcp/80,8000,20000,20200,dynamic, udp/dynamic
apple-appstore         tcp/80,443,dynamic
baidu-hi-base          tcp/443,80,6453,dynamic, udp/2400,2500,dynamic
avaya-webalive-base    tcp/dynamic, udp/7878,2379
condor                 tcp/dynamic, udp/9600-9700

Since for each app some ports are explicitly listed and others are dynamic, it makes me think that the dynamic range is a common range that an app could select a port from, such as 49152-65535. I believe that the app was observed using the specified ports each session, but different random port(s) established per session as well, from an upper range that could be 49152-65535 or even 32768-61000.

I wonder why there's nothing in the documentation that covers this topic.

I set up a test and found that a custom App-ID containing tcp/udp dynamic, with a signature looking for user-agents, will match traffic on destination ports below 1024 (80 and 443 in this case). So it seems that dynamic refers to all ports. The question now is why the apps I mentioned specify specific ports AND a tcp/dynamic port reference at the same time, if dynamic means all ports? That doesn't make sense.

@nsendelbac,

This is due to the fact that any app-id can be made up of many different actual signatures, which all have different conditional criteria assigned to them. So, looking at the App Store example, downloading for instance will use a set signature and happen over dynamic ports, but browsing may happen over standard 443 and use a set signature for that identification.

One app-id doesn't necessarily mean only one signature is being utilized, and through conditional statements they can limit a signature to only identify under set ports listed within the app-id itself.
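As an added illustration of that answer (example code, not Palo Alto Networks' implementation), the Python below models an App-ID as a set of signatures with per-signature port conditions, renders the aggregated port string in the format quoted earlier in the thread, and parses such strings back. The split of apple-appstore into a browse and a download signature is a constructed assumption, and "dynamic" is treated as "any port", as the test earlier in the thread observed.

```python
# Added example (not Palo Alto Networks code): an App-ID modelled as signatures with per-signature port conditions.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    """ports=None means no port condition, which the thread's test found 'dynamic' to mean: any port."""
    name: str
    proto: str                           # "tcp" or "udp"
    ports: "frozenset | None" = None     # explicit destination ports, or None

def parse_port_spec(spec: str) -> dict:
    """Parse the thread's format, e.g. 'tcp/443,80,6453,dynamic, udp/2400,2500,dynamic'."""
    out = {}
    for proto, items in re.findall(r"\b(tcp|udp)/(\S+)", spec):
        entry = out.setdefault(proto, {"ports": set(), "dynamic": False})
        for item in items.strip(",").split(","):
            if item == "dynamic":
                entry["dynamic"] = True
            elif "-" in item:                    # a range such as 9600-9700
                lo, hi = item.split("-")
                entry["ports"].update(range(int(lo), int(hi) + 1))
            else:
                entry["ports"].add(int(item))
    return out

def port_spec(signatures) -> str:
    """Render the App-ID's port string: explicit ports from port-restricted signatures, 'dynamic' from any without."""
    by_proto = {}
    for sig in signatures:
        entry = by_proto.setdefault(sig.proto, {"ports": set(), "dynamic": False})
        if sig.ports is None:
            entry["dynamic"] = True
        else:
            entry["ports"].update(sig.ports)
    parts = []
    for proto, e in sorted(by_proto.items()):    # tcp sorts before udp
        items = [str(p) for p in sorted(e["ports"])] + (["dynamic"] if e["dynamic"] else [])
        parts.append(f"{proto}/{','.join(items)}")
    return ", ".join(parts)

def matching_signatures(signatures, proto: str, dport: int) -> list:
    """Names of the signatures whose port condition admits a flow to dport."""
    return [s.name for s in signatures
            if s.proto == proto and (s.ports is None or dport in s.ports)]

# Constructed, hypothetical split of the thread's 'apple-appstore tcp/80,443,dynamic' line.
APPLE_APPSTORE = [Signature("appstore-browse", "tcp", frozenset({80, 443})),
                  Signature("appstore-download", "tcp")]
```

Rendering the two hypothetical signatures yields exactly the "tcp/80,443,dynamic" string from the list above, which is why explicit ports and dynamic can appear together in one app.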
