07-10-2019 12:13 PM
I'm looking for a definitive answer on what port range "tcp/dynamic" and "udp/dynamic" uses. I would figure that it is 49152-65535, but I have not been able to locate anything in documentation or the community to confirm this.
07-18-2019 09:29 AM
This is due to the fact that any app-id can be made up of many different actual signatures, which all have different conditional criteria assigned to them. So looking at the App Store example downloading for instance will use a set signature and happen over dynamic ports, but browsing may happen over standard 443 and use a set signature for that identification.
One app-id doesn't necissarily mean only one signature is being utilized, and through conditional statements they can limit a signature to only identify under set ports listed within the app-id itself.
07-15-2019 07:09 AM
07-15-2019 11:39 AM
Thanks for the reply. If dynamic refered to all ports, that would not explain why many apps have specific ports listed, as well as tcp/udp dynamic. If dynamic covered all ports, it would be redundant to include others in the same app.
e.g.
Access-grid tcp/80,8000,20000,20200,dynamic, udp/dynamic
apple-appstore tcp/80,443,dynamic
baidu-hi-base tcp/443,80,6453,dynamic, udp/2400,2500,dynamic
avaya-webalive-base tcp/dynamic, udp/7878,2379
condor tcp/dynamic, udp/9600-9700
Since for each app some ports are explicitly listed and others are dynamic it makes me think that the dynamic range is a common range that an app could select a port from, such as 49152-65535. I believe that the app was observed using the specified ports each session, but different random port(s) established per session as well, from an upper-range that could be 49152-65535 or even 32768-61000.
I wonder why there's nothing in the documentation that covers this topic.
07-18-2019 07:23 AM
I set up a test and found out a custom App-ID containing tcp/udp dynamic, and a signature looking for user-agents, will match on traffic on destination ports below 1024, 80 and 443 in this case. So it seems that dynamic refers to all ports. The question now is why the apps I mentioned specify specific ports AND a tcp/dynamic port reference at the same time, if dynamic means all ports? Doesn't make sense.
07-18-2019 09:29 AM
This is due to the fact that any app-id can be made up of many different actual signatures, which all have different conditional criteria assigned to them. So looking at the App Store example downloading for instance will use a set signature and happen over dynamic ports, but browsing may happen over standard 443 and use a set signature for that identification.
One app-id doesn't necissarily mean only one signature is being utilized, and through conditional statements they can limit a signature to only identify under set ports listed within the app-id itself.
06-04-2024 03:14 PM - edited 06-04-2024 03:14 PM
Short of any specific documentation, I would say it is 1024–65535, which is the broadest amalgamation of 32768-61000 (Linux), 49152-65535 (IANA, Windows, BSD), 1024-5000 (old BSD), 1025-60000 (old Windows).
In our environment (OT, no Internet), we change Linux to use the IANA ephemeral range and only have modern OSes. We do not allow any systems to bind to the ephemeral range, so any listening services will always be below 49152 (and typically below 1024). We define Services for everything and do not allow the "application-default" or "any". One advantage to having narrowly defined Services is that there is no need to even allow the initial packet(s) required for PA to discover the App-ID and then block it; if the port isn't within the explicitly defined Service, it never is allowed. This is more work/overhead, but is the most secure approach. We only have 2 types of policy rules that have the ephemeral port range in use: those related to Microsoft Windows with App-IDs ms-wmi and msrpc-base (which list "dynamic" as their ports).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
