Applications On Non-Standard Ports

L2 Linker

Applications On Non-Standard Ports

It's perfectly possible I'm being unusually dumb here, but I can't see an elegant way of allowing application usage on non-standard ports - for example ssh on tcp/32777. The obvious way of doing it is to allow a rule that allows appid:ssh on service:ssh-ports (being a service group consisting of tcp/22 and tcp/32777). 


That works fine, but is rather clumsy when you have a rule that has thousands of applications with service set to "application default" (you end up with dozens of rules to cope with all the non-standard ports).


I looked to see if you can change the 'application-default' for an application to add custom port numbers.


I've tried creating a custom application which is tcp/32777 and a parent application of 'ssh'. Doesn't seem to work.


Am I missing something obvious? Or am I not trying hard enough with the custom application rule?


Accepted Solutions
L4 Transporter

Re: Applications On Non-Standard Ports

Hi Mike,


I think the best thing to do in this situation, if you want to allow non-standard ports, is to create separate rules for them so you allow SSH & service tcp 32777. You can apply content-ID & user-ID to make sure the traffic isn't dodgy (as long as decryption is enabled for SSH) and lock down the users so that only the required people can use this port for SSH.


hope this helps!

Ben

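As an added example (not from the thread and not a Palo Alto Networks artefact), the script below generates the PAN-OS configure-mode `set` commands for Ben's approach: one narrow rule per application that needs extra ports, restricted to a user group and a security profile group, kept above the broad `application-default` rule. It also models which rule a session would hit, which shows why ssh on tcp/32777 never matches the application-default rule and why the unlisted port tcp/2222 falls through to the default deny. Zone names, rule names, the user group and the profile group are placeholders, and the port table is constructed; the `set` syntax is the PAN-OS configure-mode syntax as I know it.

```python
"""Generate PAN-OS set commands for allowing applications on non-standard ports.

Added example; rule/zone/user/profile names are placeholders, and the
port table below is constructed for illustration.
"""

# Constructed table: application -> the standard port(s) that
# 'application-default' would permit for it.
STANDARD_PORTS = {"ssh": {22}, "rdp": {3389}, "dns": {53}}

# Constructed table: application -> extra (non-standard) ports to allow.
EXTRA_PORTS = {"ssh": {32777}, "rdp": {33890}}

BROAD_RULE = "allow-apps-default"


def alt_rule_name(app):
    """Name of the narrow rule that carries an application's extra ports."""
    return f"allow-{app}-alt-port"


def build_commands(extra_ports, standard_ports, from_zone, to_zone,
                   users, profile_group):
    """Return the list of PAN-OS set commands (broad rule first, then one
    service object and one narrow rule per application with extra ports)."""
    cmds = []

    # Broad rule: every application in the table, on its default ports only.
    apps = " ".join(sorted(standard_ports))
    cmds.append(
        f"set rulebase security rules {BROAD_RULE} from {from_zone} to {to_zone} "
        f"source any destination any application [ {apps} ] "
        f"service application-default action allow"
    )

    user_list = " ".join(f'"{u}"' for u in users)
    for app, ports in sorted(extra_ports.items()):
        svc = f"svc-{app}-alt"
        rule = alt_rule_name(app)
        # One service object carrying the standard port(s) plus the extra
        # ones; PAN-OS accepts a comma-separated destination port list.
        all_ports = ",".join(str(p) for p in sorted(standard_ports[app] | ports))
        cmds.append(f"set service {svc} protocol tcp port {all_ports}")
        # Narrow rule: this application only, on those ports only.
        cmds.append(
            f"set rulebase security rules {rule} from {from_zone} to {to_zone} "
            f"source any destination any application {app} service {svc} action allow"
        )
        # Lock the rule down to the users who actually need the port ...
        cmds.append(f"set rulebase security rules {rule} source-user [ {user_list} ]")
        # ... and attach content inspection (placeholder profile group name).
        cmds.append(f"set rulebase security rules {rule} profile-setting group {profile_group}")
        # Keep the narrow rule above the broad application-default rule.
        cmds.append(f"move rulebase security rules {rule} before {BROAD_RULE}")
    return cmds


def allowed_by(app, port, extra_ports, standard_ports):
    """Model of rule evaluation: return the rule name that allows (app, port),
    or None when no rule matches (PAN-OS then applies its default deny)."""
    # Narrow rules sit above the broad rule, so they are checked first.
    if app in extra_ports and port in standard_ports[app] | extra_ports[app]:
        return alt_rule_name(app)
    # application-default only matches on the application's standard port(s).
    if port in standard_ports.get(app, set()):
        return BROAD_RULE
    return None


if __name__ == "__main__":
    for line in build_commands(EXTRA_PORTS, STANDARD_PORTS, "trust", "dmz",
                               ["corp\\ssh-admins"], "strict-inspection"):
        print(line)
    for app, port in [("ssh", 22), ("ssh", 32777), ("ssh", 2222), ("dns", 53)]:
        print(app, port, "->", allowed_by(app, port, EXTRA_PORTS, STANDARD_PORTS))
```

The generated lines are meant to be pasted into `configure` mode and followed by `commit`. As Ben notes, the content inspection attached by the profile group only sees inside SSH when SSH decryption (SSH proxy) is enabled for that traffic; without it the rule still restricts the port and the users, but not the payload.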


All Replies
L3 Networker

Re: Applications On Non-Standard Ports

> I agree with bmorris1 and I don't think you will be able to add the custom app as a part of application-default group

L2 Linker

Re: Applications On Non-Standard Ports

Thanks.


That's pretty much the solution I've used. I just wanted to know if I was missing something obvious.
