Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Václav_Brožík
Contributor

Management API: service object port value syntax not documented completely

Jump to solution

The predefined service-tcp and service-udp objects on the Security Management do not use only plain integer numbers for the port property. They use also:

  • ranges like: "18190-19191"
  • greater than operator like: ">1023"

Unfortunately the documentation is incomplete and it describes only plain numbers and ranges:

Where is the greater than operator documented? What is the complete syntax of the port number property? Are all the INSPECT language operators supported? (<, <=, >, >=, !=)

Here is an example of service-tcp with the greater-than operator:

> show service-tcp name tcp-high-ports

uid: "97aeb3dd-9aea-11d5-bd16-0090272ccb30"
name: "tcp-high-ports"
type: "service-tcp"
domain: 
  uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
  name: "Check Point Data"
  domain-type: "data domain"
port: ">1023"
match-by-protocol-signature: false
override-default-settings: false
session-timeout: 3600
use-default-session-timeout: true
match-for-any: false
sync-connections-on-cluster: true
aggressive-aging: 
  enable: true
  timeout: 600
  use-default-timeout: true
  default-timeout: 0
keep-connections-open-after-policy-installation: false
groups: []
comments: "TCP Ports 1024-65535"
color: "yellow"
icon: "Services/TCPService"
tags: []
meta-info: 
  lock: "unlocked"
  validation-state: "ok"
  last-modify-time: 
    posix: 1598366251916
    iso-8601: "2020-08-25T16:37+0200"
  last-modifier: "System"
  creation-time: 
    posix: 1598366251916
    iso-8601: "2020-08-25T16:37+0200"
  creator: "System"
read-only: false

 

1 Solution

Accepted Solutions
Bob_Zimmerman
Advisor

Not sure where it's documented, but it's really quick to test:

[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "<1023" | wc -l
45
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "<=1023" | wc -l
7
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port ">1023" | wc -l
45
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port ">=1023" | wc -l
7
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "!=1023" | wc -l
7
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "!=1023"        
{
  "code" : "err_validation_failed",
  "message" : "Validation failed with 1 blocking-error",
  "blocking-errors" : [ {
    "message" : "'Port' value is not 'any' or a valid port or port range"
  } ]
}
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "1023,1025" | wc -l
7

Looks like it only allows < or > as prefixes. No <=, >=, or !=. I think < and > are technically considered single-ended ranges (where the 0 or 65535 is implied). Not sure why <= and >= wouldn't work, but it's not hard to just change the port number by one.

!= would create a discontiguous range, which I also tested with the comma case at the end. Evidently ranges must be contiguous.

View solution in original post

4 Replies
Bob_Zimmerman
Advisor

Not sure where it's documented, but it's really quick to test:

[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "<1023" | wc -l
45
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "<=1023" | wc -l
7
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port ">1023" | wc -l
45
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port ">=1023" | wc -l
7
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "!=1023" | wc -l
7
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "!=1023"        
{
  "code" : "err_validation_failed",
  "message" : "Validation failed with 1 blocking-error",
  "blocking-errors" : [ {
    "message" : "'Port' value is not 'any' or a valid port or port range"
  } ]
}
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "1023,1025" | wc -l
7

Looks like it only allows < or > as prefixes. No <=, >=, or !=. I think < and > are technically considered single-ended ranges (where the 0 or 65535 is implied). Not sure why <= and >= wouldn't work, but it's not hard to just change the port number by one.

!= would create a discontiguous range, which I also tested with the comma case at the end. Evidently ranges must be contiguous.

View solution in original post

PhoneBoy
Admin
Admin

It’s true that the values for port number have their basis in INSPECT.
However, I’ve never seen formal documentation for what can be in the port number.
Have to admit, I didn’t know about the ports separated by commas one.

0 Kudos
Bob_Zimmerman
Advisor

I had never actually seen ports separated by commas, it just made sense as another thing worth trying. Numbers separated by a dash makes a contiguous range, so could you do "21,1024-2048" to include multiple blocks of ports with gaps between them? Turns out no.

0 Kudos
PhoneBoy
Admin
Admin

I believe that works in SMB appliances (the ports separated by commas), just never thought to try it in regular gateways 🙂

0 Kudos