Service Objects and multiple ports


L2 Linker

I have the need to create a rule with three applications, ncp, ms-update and ssl.  Two of those applications use their standard ports - ncp (524) and ms-update (80 & 443).  The ssl application uses port 13000 - not the standard 443.

  1. If I create a single service object using ports 542,80,443,13000 and use this service object in the rule, can all three applications use any of those ports? 
  2. If I create a service object for each application and put the service objects in a service group, then add the service group to the rule as follows:
    • service-ncp: port 524
    • service-ms-update: ports 80,442
    • service-ssl: port 13000
    • service-group: service-ncp,service-ms-update,service-ssl

Does this limit each application to the specific ports defined within the service object?

My goal is to be very deterministic (we don't need to discuss religious arguments as to my sanity) in my rules - meaning, I want to know and control applications and the ports they use whenever possible and when it makes sense.  What I don't want is cross-talking, in this example, this rule allowing ms-update over port 13000.

Thanks for your feedback

4 Replies

L6 Presenter

You would need to set up three different security rules similar to the following (I have excluded src/dst IP to keep the example to fewer lines):

rule1) appid: ncp; service: TCP524
rule2) appid: ms-update; service: TCP80, TCP443
rule3) appid: ssl; service: TCP13000

Yes, I understand that I could do three different security policies, two of which would use 'application-default' as the service type.  If a service group allows an application, or a group of applications, to use any of the ports defined within the service group, I'm wondering what the benefit is with using a service group.  My ideal scenario is to

  1. create an application group
  2. put the three applications in the group
  3. create a service object for each application
  4. create a service group
  5. put the three service objects in the service group

The rule matches ncp over port 524 (only), ms-update over ports 80 and 443 (only), and ssl over port 13000 (only).

I guess I'm not understanding how a service group works.

If you clump the service ports in a service group, the application will be able to use any of those ports and will not be restricted to the application+port pairing you want.

Read each security policy left to right as a series of AND statements, and the values within a single field (e.g. service: 80,443,389) as an OR statement.

Example: you have a rule with Application: web-browsing AND Service: ports 80,443,1300. What this means is that your web-browsing will be allowed on either port 80 OR port 443 OR port 1300.

The way you want it, where each application is restricted to specific ports (be it the default or any other), you should have three different rules, one for each application/service pair.

Hope this helps
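To make the AND-across-fields / OR-within-a-field matching concrete, here is an added toy policy evaluator (example code written for this thread, not PAN-OS code or anything posted by the participants). It evaluates constructed sample flows against the three layouts discussed above: one rule with an application group plus a service group, three per-application rules, and one rule using application-default. Rule names, the flow samples, and the standard-port table are assumptions made for the illustration; the model also assumes application-default means the standard ports of the application identified in the flow.

```python
# Added example: a toy model of first-match security policy evaluation as the
# reply above describes it (fields ANDed together, values inside a field ORed).
# It is not PAN-OS code; rule names, flows and port tables are constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    app: str    # App-ID the firewall identified for the session (constructed)
    port: int   # TCP destination port


@dataclass
class Rule:
    name: str
    apps: set        # App-IDs; "any" matches every application
    services: set    # port numbers, or "application-default"
    action: str = "allow"


# Standard ports per application, as the question states them (constructed table;
# ssl is assumed to default to 443, which is why port 13000 needs an explicit service).
APP_DEFAULT_PORTS = {
    "ncp": {524},
    "ms-update": {80, 443},
    "ssl": {443},
}


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches only if EVERY field matches (AND); inside a field ANY value may match (OR)."""
    app_ok = "any" in rule.apps or flow.app in rule.apps
    if "application-default" in rule.services:
        # Assumption of this model: application-default is evaluated per identified app.
        port_ok = flow.port in APP_DEFAULT_PORTS.get(flow.app, set())
    else:
        port_ok = flow.port in rule.services
    return app_ok and port_ok


def evaluate(policy: list, flow: Flow) -> str:
    """First matching rule wins; an implicit final deny applies if nothing matches."""
    for rule in policy:
        if rule_matches(rule, flow):
            return f"{rule.action} ({rule.name})"
    return "deny (implicit)"


# Layout 1 from the question: one rule with an application group and a service group.
# A service group flattens to the union of its ports, so every app may use any of them.
SINGLE_RULE_POLICY = [
    Rule("allow-group", {"ncp", "ms-update", "ssl"}, {524, 80, 443, 13000}),
]

# Layout 2, the one the reply recommends: one rule per application/service pair.
PER_APP_POLICY = [
    Rule("allow-ncp", {"ncp"}, {524}),
    Rule("allow-ms-update", {"ms-update"}, {80, 443}),
    Rule("allow-ssl-13000", {"ssl"}, {13000}),
]

# Layout 3: several applications in one rule with service set to application-default.
APP_DEFAULT_POLICY = [
    Rule("allow-app-default", {"ncp", "ms-update", "ssl"}, {"application-default"}),
]

# Constructed sample flows, including the cross-talk case the question worries about.
SAMPLE_FLOWS = [
    Flow("ncp", 524),
    Flow("ms-update", 443),
    Flow("ssl", 13000),
    Flow("ms-update", 13000),   # cross-talk: ms-update riding on the ssl port
    Flow("ssl", 443),           # ssl on its standard port, which rule3 does not list
]


def compare(flows=SAMPLE_FLOWS) -> dict:
    """Return {(app, port): (single-rule verdict, per-app verdict, app-default verdict)}."""
    return {
        (f.app, f.port): (
            evaluate(SINGLE_RULE_POLICY, f),
            evaluate(PER_APP_POLICY, f),
            evaluate(APP_DEFAULT_POLICY, f),
        )
        for f in flows
    }


if __name__ == "__main__":
    print(f"{'flow':<18}{'single-rule':<24}{'per-app':<26}app-default")
    for (app, port), verdicts in compare().items():
        single, per_app, app_default = verdicts
        print(f"{app + ':' + str(port):<18}{single:<24}{per_app:<26}{app_default}")
```

Running it shows the point of the reply: ms-update on port 13000 is allowed by the single grouped rule but denied by the three per-application rules, so the grouped layout cannot express "this app only on these ports".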

So this means that if you set up service: application-default and have 2 or more applications, all applications in the same security rule can use each other's ports?

Because one can get the impression that if you setup:

appid: app1,app2

service: port1,port2

then of course app1 can use both port1 and port2.

But when setting it up as:

appid: app1, app2

service: default

at least I would imagine (at first) that app1 can only use its own default ports (let's say port1) and app2 can only use whatever default ports it got assigned (let's say port2).

What are the odds that if one files this as a feature request (lock each app to its own service ports) it can be fixed (of course one can file any feature request, but it's also good to know the probability that it can be fixed as well)?
