This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Václav_Brožík
Collaborator
‎2021-02-01 06:59 AM
Jump to solution

Management API: service object port value syntax not documented completely

The predefined service-tcp and service-udp objects on the Security Management do not use only plain integer numbers for the port property. They use also:

  • ranges like: "18190-19191"
  • greater than operator like: ">1023"

Unfortunately the documentation is incomplete and it describes only plain numbers and ranges:

Where is the greater than operator documented? What is the complete syntax of the port number property? Are all the INSPECT language operators supported? (<, <=, >, >=, !=)

Here is an example of service-tcp with the greater-than operator:

> show service-tcp name tcp-high-ports

uid: "97aeb3dd-9aea-11d5-bd16-0090272ccb30"
name: "tcp-high-ports"
type: "service-tcp"
domain: 
  uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
  name: "Check Point Data"
  domain-type: "data domain"
port: ">1023"
match-by-protocol-signature: false
override-default-settings: false
session-timeout: 3600
use-default-session-timeout: true
match-for-any: false
sync-connections-on-cluster: true
aggressive-aging: 
  enable: true
  timeout: 600
  use-default-timeout: true
  default-timeout: 0
keep-connections-open-after-policy-installation: false
groups: []
comments: "TCP Ports 1024-65535"
color: "yellow"
icon: "Services/TCPService"
tags: []
meta-info: 
  lock: "unlocked"
  validation-state: "ok"
  last-modify-time: 
    posix: 1598366251916
    iso-8601: "2020-08-25T16:37+0200"
  last-modifier: "System"
  creation-time: 
    posix: 1598366251916
    iso-8601: "2020-08-25T16:37+0200"
  creator: "System"
read-only: false

 

1 Solution

Accepted Solutions
Bob_Zimmerman
MVP Gold
MVP Gold
‎2021-02-01 11:00 AM
Jump to solution

Not sure where it's documented, but it's really quick to test:

[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "<1023" | wc -l
45
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "<=1023" | wc -l
7
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port ">1023" | wc -l
45
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port ">=1023" | wc -l
7
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "!=1023" | wc -l
7
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "!=1023"        
{
  "code" : "err_validation_failed",
  "message" : "Validation failed with 1 blocking-error",
  "blocking-errors" : [ {
    "message" : "'Port' value is not 'any' or a valid port or port range"
  } ]
}
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "1023,1025" | wc -l
7

Looks like it only allows < or > as prefixes. No <=, >=, or !=. I think < and > are technically considered single-ended ranges (where the 0 or 65535 is implied). Not sure why <= and >= wouldn't work, but it's not hard to just change the port number by one.

!= would create a discontiguous range, which I also tested with the comma case at the end. Evidently ranges must be contiguous.

View solution in original post

4 Replies
Bob_Zimmerman
MVP Gold
MVP Gold
‎2021-02-01 11:00 AM
Jump to solution

Not sure where it's documented, but it's really quick to test:

[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "<1023" | wc -l
45
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "<=1023" | wc -l
7
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port ">1023" | wc -l
45
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port ">=1023" | wc -l
7
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "!=1023" | wc -l
7
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "!=1023"        
{
  "code" : "err_validation_failed",
  "message" : "Validation failed with 1 blocking-error",
  "blocking-errors" : [ {
    "message" : "'Port' value is not 'any' or a valid port or port range"
  } ]
}
[Expert@LabSC]# mgmt_cli -s session.txt --format json set service-tcp uid "72b65d82-c1d7-4c9f-add2-906dee45d8a6" port "1023,1025" | wc -l
7

Looks like it only allows < or > as prefixes. No <=, >=, or !=. I think < and > are technically considered single-ended ranges (where the 0 or 65535 is implied). Not sure why <= and >= wouldn't work, but it's not hard to just change the port number by one.

!= would create a discontiguous range, which I also tested with the comma case at the end. Evidently ranges must be contiguous.

PhoneBoy
Admin
Admin
‎2021-02-01 11:39 AM
Jump to solution

It’s true that the values for port number have their basis in INSPECT.
However, I’ve never seen formal documentation for what can be in the port number.
Have to admit, I didn’t know about the ports separated by commas one.

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2021-02-01 12:26 PM
In response to PhoneBoy
Jump to solution

I had never actually seen ports separated by commas, it just made sense as another thing worth trying. Numbers separated by a dash makes a contiguous range, so could you do "21,1024-2048" to include multiple blocks of ports with gaps between them? Turns out no.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-02-01 02:23 PM
In response to Bob_Zimmerman
Jump to solution

I believe that works in SMB appliances (the ports separated by commas), just never thought to try it in regular gateways 🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events