This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

tcp/dynamic port range

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

tcp/dynamic port range

Go to solution
nsendelbac
L2 Linker

‎07-10-2019 12:13 PM

I'm looking for a definitive answer on what port range "tcp/dynamic" and "udp/dynamic" uses. I would figure that it is 49152-65535, but I have not been able to locate anything in documentation or the community to confirm this. 

0 Likes Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to nsendelbac

‎07-18-2019 09:29 AM

@nsendelbac,

This is due to the fact that any app-id can be made up of many different actual signatures, which all have different conditional criteria assigned to them. So looking at the App Store example downloading for instance will use a set signature and happen over dynamic ports, but browsing may happen over standard 443 and use a set signature for that identification.

One app-id doesn't necissarily mean only one signature is being utilized, and through conditional statements they can limit a signature to only identify under set ports listed within the app-id itself. 

View solution in original post

4 REPLIES 4

Go to solution
reaper
Cyber Elite
Cyber Elite

‎07-15-2019 07:09 AM

afaik it means 'all ports' but in relation to "application-default" port settings; it allows the same custom app to use different ports for individual flows
Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy

Go to solution
nsendelbac
L2 Linker
In response to reaper

‎07-15-2019 11:39 AM

Thanks for the reply. If dynamic refered to all ports, that would not explain why many apps have specific ports listed, as well as tcp/udp dynamic. If dynamic covered all ports, it would be redundant to include others in the same app. 

e.g.

Access-grid                 tcp/80,8000,20000,20200,dynamic, udp/dynamic

apple-appstore            tcp/80,443,dynamic

baidu-hi-base              tcp/443,80,6453,dynamic, udp/2400,2500,dynamic

avaya-webalive-base  tcp/dynamic, udp/7878,2379

condor                         tcp/dynamic, udp/9600-9700

 

Since for each app some ports are explicitly listed and others are dynamic it makes me think that the dynamic range is a common range that an app could select a port from, such as 49152-65535. I believe that the app was observed using the specified ports each session, but different random port(s) established per session as well, from an upper-range that could be 49152-65535 or even 32768-61000. 

 

I wonder why there's nothing in the documentation that covers this topic. 

0 Likes Likes

Go to solution
nsendelbac
L2 Linker
In response to nsendelbac

‎07-18-2019 07:23 AM

I set up a test and found out a custom App-ID containing tcp/udp dynamic, and a signature looking for user-agents, will match on traffic on destination ports below 1024, 80 and 443 in this case. So it seems that dynamic refers to all ports. The question now is why the apps I mentioned specify specific ports AND a tcp/dynamic port reference at the same time, if dynamic means all ports? Doesn't make sense. 

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to nsendelbac

‎07-18-2019 09:29 AM

@nsendelbac,

This is due to the fact that any app-id can be made up of many different actual signatures, which all have different conditional criteria assigned to them. So looking at the App Store example downloading for instance will use a set signature and happen over dynamic ports, but browsing may happen over standard 443 and use a set signature for that identification.

One app-id doesn't necissarily mean only one signature is being utilized, and through conditional statements they can limit a signature to only identify under set ports listed within the app-id itself. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks