Urgent - Port Block Help

L1 Bithead

Hi All, we are trying to implement a security profile to block port 445. 

Universal, source any/any, dest any/any, application unchecked, service port 445.

The profile is near the top of the list of profiles (above the outbound traffic profile).

For reasons unknown we are still seeing entries in the traffic log when we filter on:-

( port.dst eq 445 ) and ( action eq allow )

Sec Profile below:-

Line 8

"Port Blocks" {
from any;
source any;
source-region none;
to any;
destination any;
destination-region none;
user any;
category any;
application/service any/tcp/445/445;
action deny;
icmp-unreachable: no
terminal no;
}

Line 53 (Outbound Traffic)

"L3-MPLS to L3-Untrust" {
from L3-MPLS-Trust;
source any;
source-region none;
to L3-Untrust;
destination any;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}

Traffic logs below.

General
Session ID: 33850521
Action: allow
Action Source: from-policy
Application: ms-ds-smb-base
Rule: L3-MPLS-Trust to L3-Untrust
Session End Reason: tcp-fin
Category: any
Virtual System:
Device SN:
IP Protocol: tcp
Log Action: LFP-Default
Generated Time: 2018/03/07 10:14:04
Start Time: 2018/03/07 10:13:47
Receive Time: 2018/03/07 10:14:04
Elapsed Time(sec): 15

Source
User:
Address: 10.48.237.205
Country: 10.0.0.0-10.255.255.255
Port: 59165
Zone: L3-MPLS-Trust
Interface: ethernet1/1

Destination
User:
Address: 191.5.106.238
Country: Brazil
Port: 445
Zone: L3-Untrust
Interface: ethernet1/12.100
NAT IP: 191.5.106.238
NAT Port: 445

Can anyone please suggest what we have overlooked?


All Replies
L4 Transporter

It looks like you've posted a traffic log but can you also post some screencaps of the rules involved? Both the "L3-MPLS-Trust to L3-Untrust" as well as the rule you've put in place to block 445.

L1 Bithead

Hi - Original post updated, thanks

L4 Transporter

I'm not used to looking at this from the CLI, so forgive me if I have this incorrect, but it looks like your service you've configured for TCP 445 is looking for source AND destination 445?

If you'll notice, your source in your logs is coming from a different port. I'm guessing this is why you aren't matching. I'd try modifying the TCP 445 service to only include destination port (leave source port blank) and see if that works.

*edit* A destination only service would look something like: any/tcp/any/445

Cyber Elite

@sorrell,

@jsalmans is correct, the rule that you have listed wouldn't match because you wouldn't have a source port of 445 as specified. One would usually just look for the destination port of 445 if this is something that you are looking to do. That would look like this to actually get it to build out correctly from the CLI.

configure
set rulebase security rules "Port Block" from any source any to any destination any application any service tcp-445 action deny icmp-unreachable no 
move rulebase security rules "Port Block" before "L3-MPLS to L3-Untrust" 
delete rulebase security rules "Port Blocks" 

This would get rid of the malformed "Port Blocks" rule, configure a proper "Port Block" policy (assumes that the service configured is tcp-445), and move the new "Port Block" rule above your "L3-MPLS to Untrust" rule.
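The matching problem the two replies describe, as an added example that is not part of the thread: a minimal first-match policy evaluator (names, rule objects and the session values are constructed from the posted config and log) showing that the original service, which pins both source and destination to 445, never matches a session whose source port is ephemeral, while the destination-only service does.

```python
"""Added illustration (not from the thread): ordered first-match policy
evaluation, modelled after the posted rulebase and traffic log."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Service:
    proto: str               # "any" or "tcp"/"udp"
    src_port: Optional[int]  # None means any source port
    dst_port: Optional[int]  # None means any destination port

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        return (self.proto in ("any", proto)
                and self.src_port in (None, sport)
                and self.dst_port in (None, dport))


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str  # "any" or a zone name
    to_zone: str
    service: Service
    action: str


def evaluate(rulebase, from_zone, to_zone, proto, sport, dport):
    """Return (rule name, action) of the first rule that matches, top-down."""
    for r in rulebase:
        if r.from_zone not in ("any", from_zone) or r.to_zone not in ("any", to_zone):
            continue
        if r.service.matches(proto, sport, dport):
            return r.name, r.action
    return None, "deny"  # no explicit match: default interzone deny


# Session taken from the posted log: ephemeral source port, destination 445.
SESSION = dict(from_zone="L3-MPLS-Trust", to_zone="L3-Untrust",
               proto="tcp", sport=59165, dport=445)

OUTBOUND = Rule("L3-MPLS to L3-Untrust", "L3-MPLS-Trust", "L3-Untrust",
                Service("any", None, None), "allow")
# Original service any/tcp/445/445: requires source AND destination 445.
BROKEN = Rule("Port Blocks", "any", "any", Service("tcp", 445, 445), "deny")
# Corrected service any/tcp/any/445: destination port only.
FIXED = Rule("Port Block", "any", "any", Service("tcp", None, 445), "deny")


def before_fix():
    return evaluate([BROKEN, OUTBOUND], **SESSION)  # falls through to allow


def after_fix():
    return evaluate([FIXED, OUTBOUND], **SESSION)   # hits the deny rule
```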

L1 Bithead

@jsalmans, @BPry
That's fixed it, thank you both. Great help.

It makes perfect sense now I have seen my mistake!
