03-07-2018 02:04 AM - edited 03-07-2018 05:53 AM
Hi All, we are trying to implement a security profile to block port 445.
Universal, source any/any, dest any/any, application unchecked, service port 445.
The profile is near the top of the list of profiles (above the outbound traffic profile).
For reasons unknown we are still seeing entries in the traffic log when we filter on:-
( port.dst eq 445 ) and ( action eq allow )
Security profile below:-
Line 8
"Port Blocks" {
from any;
source any;
source-region none;
to any;
destination any;
destination-region none;
user any;
category any;
application/service any/tcp/445/445;
action deny;
icmp-unreachable: no
terminal no;
}
Line 53 (Outbound Traffic)
"L3-MPLS to L3-Untrust" {
from L3-MPLS-Trust;
source any;
source-region none;
to L3-Untrust;
destination any;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}
Traffic log below.
Session ID: 33850521
Action: allow
Action Source: from-policy
Application: ms-ds-smb-base
Rule: L3-MPLS-Trust to L3-Untrust
Session End Reason: tcp-fin
Category: any
Virtual System:
Device SN:
IP Protocol: tcp
Log Action: LFP-Default
Generated Time: 2018/03/07 10:14:04
Start Time: 2018/03/07 10:13:47
Receive Time: 2018/03/07 10:14:04
Elapsed Time(sec): 15
Source
  User:
  Address: 10.48.237.205
  Country: 10.0.0.0-10.255.255.255
  Port: 59165
  Zone: L3-MPLS-Trust
  Interface: ethernet1/1
Destination
  User:
  Address: 191.5.106.238
  Country: Brazil
  Port: 445
  Zone: L3-Untrust
  Interface: ethernet1/12.100
  NAT IP: 191.5.106.238
  NAT Port: 445
Can anyone please suggest what we have overlooked?
03-07-2018 06:04 AM - edited 03-07-2018 06:06 AM
I'm not used to looking at this from the CLI, so forgive me if I have this incorrect, but it looks like your service you've configured for TCP 445 is looking for source AND destination 445?
If you'll notice, your source in your logs is coming from a different port. I'm guessing this is why you aren't matching. I'd try modifying the TCP 445 service to only include destination port (leave source port blank) and see if that works.
*edit* A destination only service would look something like: any/tcp/any/445
03-07-2018 06:40 AM
@jsalmans is correct, the rule that you have listed wouldn't match because you wouldn't have a source port of 445 as specified. One would usually just look for the destination port of 445 if this is something that you are looking to do. That would look like this to actually get it to build out correctly from the CLI.
configure
set rulebase security rules "Port Block" from any source any to any destination any application any service tcp-445 action deny icmp-unreachable no
move rulebase security rules "Port Block" before "L3-MPLS to L3-Untrust"
delete rulebase security rules "Port Blocks"
This would get rid of the malformed "Port Blocks" rule, configure a proper "Port Block" policy (assumes that the service configured is tcp-445), and move the new "Port Block" rule above your "L3-MPLS to Untrust" rule.
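To make the point of the two replies above concrete, here is an added example (not code from the thread or from PAN-OS) that simulates first-match rule evaluation against the session in the posted traffic log. It only evaluates the app/proto/src-port/dst-port service tuple shown in the CLI output and assumes zones, addresses and App-ID have already matched; the helper names are hypothetical.

```python
# Added example: first-match service evaluation for the two rules quoted in the
# thread. Simplified model, not PAN-OS: zones, addresses and App-ID are assumed
# to match and only the "app/proto/src-port/dst-port" service spec is checked.
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    service: str  # "app/proto/src-port/dst-port", as printed by the CLI
    action: str


def service_matches(service: str, proto: str, sport: int, dport: int) -> bool:
    """True when the session's protocol and ports satisfy the service spec.
    'any' matches everything; a literal port must match exactly."""
    _app, s_proto, s_sport, s_dport = service.split("/")

    def port_ok(spec: str, port: int) -> bool:
        return spec == "any" or int(spec) == port

    proto_ok = s_proto == "any" or s_proto == proto
    return proto_ok and port_ok(s_sport, sport) and port_ok(s_dport, dport)


def first_match(rules, proto, sport, dport):
    """Walk the rulebase top-down and return (rule name, action) of the first hit."""
    for rule in rules:
        if service_matches(rule.service, proto, sport, dport):
            return rule.name, rule.action
    return None, "implicit-deny"


def rules_with_source_port(rules):
    """Lint: names of rules whose service pins a source port (rarely intended)."""
    return [r.name for r in rules if r.service.split("/")[2] != "any"]


# Session from the posted log: TCP, ephemeral source port 59165 -> destination 445.
SESSION = ("tcp", 59165, 445)

ORIGINAL = [  # as posted: source AND destination port must both be 445
    Rule("Port Blocks", "any/tcp/445/445", "deny"),
    Rule("L3-MPLS to L3-Untrust", "any/any/any/any", "allow"),
]
FIXED = [  # as suggested: destination port only
    Rule("Port Block", "any/tcp/any/445", "deny"),
    Rule("L3-MPLS to L3-Untrust", "any/any/any/any", "allow"),
]

if __name__ == "__main__":
    print(first_match(ORIGINAL, *SESSION))       # falls through to the allow rule
    print(first_match(FIXED, *SESSION))          # hits the deny rule
    print(rules_with_source_port(ORIGINAL))      # ['Port Blocks']
```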
03-07-2018 05:38 AM
It looks like you've posted a traffic log but can you also post some screencaps of the rules involved? Both the "L3-MPLS-Trust to L3-Untrust" as well as the rule you've put in place to block 445.
03-07-2018 05:53 AM
Hi - Original post updated, thanks
03-07-2018 12:22 PM - edited 03-07-2018 12:23 PM
@jsalmans, @BPry
That's fixed it, thank you both. Great help.
It makes perfect sense now I have seen my mistake!