topic Re: Firewall rule for any tcp and udp port in Firewall and Security Management

Firewall rule for any tcp and udp port

Chauhanrht8 — Fri, 23 Aug 2019 00:05:42 GMT

How can we create a service for Any tcp and UDP ports.

Port should be- Any

And protocol should be - TCP and UDP ??

Re: Firewall rule for any tcp and udp port

Maik — Fri, 23 Aug 2019 11:48:00 GMT

Not sure why you would want to do this, but create a group and insert a tcp and udp object.

Each object respectively contains the port range of 1-65535 or just "any" and you are good to go.

Re: Firewall rule for any tcp and udp port

Danny — Fri, 23 Aug 2019 15:52:36 GMT

* Any also matches for applications and not just TCP/UDP ports as requested.

Therefore just create a new tcp_any and udp_any object >0, uncheck Match for Any and use these in your rule.

Example:

How To Describe "Any Application"

Matching unknown traffic

Re: Firewall rule for any tcp and udp port

Maik — Fri, 23 Aug 2019 12:07:51 GMT

Hey,

I was not writing about "any" in the typical way of "any" in the service column. With any I meant to write "any" in the TCP or UDP objects itself. "Any" or 1-65535 should end up with the same functionality, doesn't it?

Re: Firewall rule for any tcp and udp port

-TJ- — Fri, 23 Aug 2019 13:55:26 GMT

You may want to be sure to uncheck the 'match for any' in the service properties. I expect you will receive the warning that service objects may inherit that change.

See sk150553 for an example.

The idea sort of negates having a firewall though. I assume you likely have a good reason.

Re: Firewall rule for any tcp and udp port

HeikoAnkenbrand — Fri, 23 Aug 2019 14:18:35 GMT

Hi @Chauhanrht8

Creat two new services with a port range from 1 to 65535 for udp service and tcp service.

Set no protocol in protocol field and don't use ‚match for any‘.

Now add this two new services to your rule.

TCP_ANY:

Port: 1-65535

Match for any: no

Protocol: none

UDP_ANY:

Port: 1-65535

Match for any: no

Protocol: none

Re: Firewall rule for any tcp and udp port

Chauhanrht8 — Sat, 24 Aug 2019 15:33:58 GMT

Hello @HeikoAnken,
Thanks for the information.

Re: Firewall rule for any tcp and udp port

sajj — Mon, 27 Jan 2020 17:30:37 GMT

Hi,

What is the use case to have Protocol = NONE ?

Why 2 separate services are proposed (TCP_ANY and UDP_ANY) though the meaning is same as we are not using any protocol ? Is it only for more readability ?

What will be behavior of checkpoint firewalls if do not choose Protocol = None ? Because Source IP will choose either TCP or UDP for communication.

Regards,

Sajjad

Re: Firewall rule for any tcp and udp port

Maarten_Sjouw — Tue, 28 Jan 2020 06:25:00 GMT

Protocol None is for the applications like FTP, H323 etc.
Why you want only TCP and UDP is that you don't want to allow all other protocols like GRE and IPSEC, which are neither TCP nor UDP.

Re: Firewall rule for any tcp and udp port

sajj — Tue, 28 Jan 2020 14:32:43 GMT

Thanks.

So it means any protocol (like TCP, UDP , GRE, IPSec, etc.) under IP-Protocol will be considered, it is like everything.

Re: Firewall rule for any tcp and udp port

Maarten_Sjouw — Tue, 28 Jan 2020 14:45:36 GMT

Any will allow all, while the 2 TCP and UDP (all ports) will not allow other protocols than TCP or UDP.