04-02-2012 02:16 PM
I have the need to create a rule with three applications, ncp, ms-update and ssl. Two of those applications use their standard ports - ncp (524) and ms-update (80 & 443). The ssl application uses port 13000 - not the standard 443.
Does this limit each application to the specific ports defined within the service object?
My goal is to be very deterministic (we don't need to discuss religious arguments as to my sanity) in my rules - meaning, I want to know and control applications and the ports they use whenever possible and when it makes sense. What I don't want is cross-talking, in this example, this rule allowing ms-update over port 13000.
Thanks for your feedback
04-02-2012 02:51 PM
You would need to set up three different security rules similar to (I have excluded src/dst IP to make it fewer lines in this example):
rule1)
appid:ncp
service:TCP524
rule2)
appid:ms-update
service:TCP80,TCP443
rule3)
appid:ssl
service:TCP13000
04-03-2012 08:48 AM
Yes, I understand that I could do three different security policies, two of which would use 'application-default' as the service type. If a service group allows an application, or a group of applications, to use any of the ports defined within the service group, I'm wondering what the benefit is with using a service group. My ideal scenario is to
The rule matches ncp over port 524 (only), ms-update over ports 80, 443 (only), and ssl over port 13000 (only).
I guess I'm not understanding how a service group works.
04-05-2012 10:56 AM
If you clump the service ports in a service group, the application will be able to use any of those and not be restricted to application+port as you want.
Read each security policy left to right as a series of AND statements, and the values within a field (e.g. service: 80,443,389) as an OR statement.
Example: you have a rule that has Application: web-browsing AND Service has ports: 80,443,1300. What this means is your web browsing will be allowed on either port 80 OR port 443 OR port 1300.
The way you want it where you want to restrict each application to specific ports (be it default or any other) you should have three different rules one for each application/service pair.
Hope this helps
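The AND-across-fields / OR-within-a-field matching described in this reply, and the three-rule layout from the earlier reply, as an added example that is not part of the thread and is not PAN-OS code. It is a small Python simulation of rule matching; the port table is built from the numbers in the thread, and the handling of `application-default` as a per-application lookup of standard ports is an assumption about that setting, not something the thread confirms.

```python
# Added example (not from the forum thread): a small simulation of how a
# firewall security rule with an application field and a service field
# matches traffic. Fields are ANDed together; values inside one field are
# ORed. "application-default" is modelled as a per-application lookup of the
# standard ports, which is an assumption about how that setting behaves.

# Constructed table of standard ports, using the numbers given in the thread
# (ncp 524, ms-update 80/443, ssl 443).
DEFAULT_PORTS = {
    "ncp": {524},
    "ms-update": {80, 443},
    "ssl": {443},
}

APPLICATION_DEFAULT = "application-default"


def rule_matches(rule, app, port):
    """Return True if traffic identified as `app` on TCP `port` matches `rule`.

    rule = {"apps": set_of_app_ids, "service": set_of_ports or APPLICATION_DEFAULT}
    The application field and the service field are ANDed; the entries inside
    each field are ORed (any listed app, any listed port).
    """
    if app not in rule["apps"]:
        return False
    if rule["service"] == APPLICATION_DEFAULT:
        # Assumption: each app is limited to its own standard ports.
        return port in DEFAULT_PORTS.get(app, set())
    return port in rule["service"]


def policy_allows(policy, app, port):
    """Evaluate an ordered list of allow rules; no match means deny."""
    return any(rule_matches(rule, app, port) for rule in policy)


# One rule with a service group holding all three ports: every listed
# application can use every listed port (the cross-talk the poster wanted to avoid).
SINGLE_RULE = [
    {"apps": {"ncp", "ms-update", "ssl"}, "service": {524, 80, 443, 13000}},
]

# Three rules, one application/service pair each (the first reply's layout).
THREE_RULES = [
    {"apps": {"ncp"}, "service": {524}},
    {"apps": {"ms-update"}, "service": {80, 443}},
    {"apps": {"ssl"}, "service": {13000}},
]

# The pairings the original poster actually intends to allow.
INTENDED = {("ncp", 524), ("ms-update", 80), ("ms-update", 443), ("ssl", 13000)}


def cross_talk(policy, apps=("ncp", "ms-update", "ssl"), ports=(524, 80, 443, 13000)):
    """Return the (app, port) pairs the policy allows beyond the intended ones."""
    allowed = {(a, p) for a in apps for p in ports if policy_allows(policy, a, p)}
    return sorted(allowed - INTENDED)


if __name__ == "__main__":
    print("single rule cross-talk:", cross_talk(SINGLE_RULE))
    print("three rules cross-talk:", cross_talk(THREE_RULES))
```

Running the block prints the unintended pairs the single service-group rule admits (ms-update over 13000 among them) and an empty list for the three-rule layout, which is the deterministic behaviour the poster asked for.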
04-05-2012 11:41 AM
So this means that if you set up service:default-service and have 2 or more applications, all applications in the same security rule can use each other's ports?
Because one can get the impression that if you setup:
appid: app1,app2
service: port1,port2
then of course app1 can use both port1 and port2.
But when setting it up as:
appid: app1, app2
service: default
at least I would imagine (at first) that app1 can only use its own default ports (let's say port1) and app2 can only use whatever default ports it got assigned (let's say port2).
What are the odds that if one files this as a feature request (lock each app to its own service ports) that it can be fixed (of course one can file any feature request, but it's also good to know the probability that it can be fixed as well)?