Bob_Zimmerman
Advisor

What does match-by-protocol-signature do?

While building a framework to translate data between Check Point's API and another tool I'm working on, I noticed the "match-by-protocol-signature" property of TCP and UDP services is always false. This is the case even for objects with the protocol inspection set to a non-null value:

 

[Expert@LabSC1]# mgmt_cli -r true show services-tcp limit 500 details-level full --format json | jq -c '.objects[]|{name:.name,matchProtocol:."match-by-protocol-signature"}' | grep -v false | wc -l
0
[Expert@LabSC1]# mgmt_cli -r true show services-tcp limit 500 details-level full --format json | jq -c '.objects[]|{name:.name,matchProtocol:."match-by-protocol-signature",protocol:.protocol}'
...
{"name":"Freak2k","matchProtocol":false,"protocol":null}
{"name":"ftp","matchProtocol":false,"protocol":"FTP"}
{"name":"ftp-bidir","matchProtocol":false,"protocol":"FTP-BIDIR"}
{"name":"ftp-pasv","matchProtocol":false,"protocol":"FTP-PASV"}
{"name":"ftp-port","matchProtocol":false,"protocol":"FTP-PORT"}
{"name":"FW1","matchProtocol":false,"protocol":null}
...

 

This property does not appear to be related to protocol inspection, so what does it actually do?

I'm on R80.40 with API v1.6.1, but the property dates back to API v1.1.

0 Kudos
2 Replies
Chris_Atkinson
Employee

Protocol Signature - A unique signature created by Check Point for each protocol and stored on the gateway. The signature identifies the protocol as genuine. Select this option to limit the port to the specified protocol.

Refer also: https://community.checkpoint.com/t5/General-Topics/Protocol-Signatures/td-p/54945

0 Kudos
Bob_Zimmerman
Advisor

So it's entirely separate from the Protocol option for the service?

What protocol signatures can be matched? Where do we tell the firewall which protocol signature we want to match for a given service object?

0 Kudos