While building a framework to translate data between Check Point's API and another tool I'm working on, I noticed the "match-by-protocol-signature" property of TCP and UDP services is always false. This is the case even for objects with the protocol inspection set to a non-null value:
```
[Expert@LabSC1]# mgmt_cli -r true show services-tcp limit 500 details-level full --format json | jq -c '.objects[]|{name:.name,matchProtocol:."match-by-protocol-signature"}' | grep -v false | wc -l
0
[Expert@LabSC1]# mgmt_cli -r true show services-tcp limit 500 details-level full --format json | jq -c '.objects[]|{name:.name,matchProtocol:."match-by-protocol-signature",protocol:.protocol}'
...
{"name":"Freak2k","matchProtocol":false,"protocol":null}
{"name":"ftp","matchProtocol":false,"protocol":"FTP"}
{"name":"ftp-bidir","matchProtocol":false,"protocol":"FTP-BIDIR"}
{"name":"ftp-pasv","matchProtocol":false,"protocol":"FTP-PASV"}
{"name":"ftp-port","matchProtocol":false,"protocol":"FTP-PORT"}
{"name":"FW1","matchProtocol":false,"protocol":null}
...
```
This property does not appear to be related to protocol inspection, so what does it actually do?
I'm on R80.40 with API v1.6.1, but the property dates back to API v1.1.
Protocol Signature - A unique signature created by Check Point for each protocol and stored on the gateway. The signature identifies the protocol as genuine. Select this option to limit the port to the specified protocol.
Refer also: https://community.checkpoint.com/t5/General-Topics/Protocol-Signatures/td-p/54945
So it's entirely separate from the Protocol option for the service?
What protocol signatures can be matched? Where do we tell the firewall which protocol signature we want to match for a given service object?
Please see my lengthy post here which should answer all your questions about Protocol Signatures:
That does answer most of them. One big one remains, though:
How do we tell which service objects have protocol signatures which can be matched? And what happens if the "Match by protocol signature option" is enabled on a service which doesn't have a protocol signature? It looks like all services—even ones created by the user—have this flag in their object definitions, but it sounds like the protocol signatures only actually exist for included objects.
Just did a little experimenting to find out:
```
[Expert@DallasSA]# mgmt_cli -f json -s session.txt add service-tcp name "TCP_23" port 23 match-by-protocol-signature true
{
  "code" : "generic_err_invalid_parameter",
  "message" : "Invalid parameter for [match-by-protocol-signature]. Matching by protocol signature is not possible without assigning a protocol to the service."
}
[Expert@DallasSA]# mgmt_cli -f json -s session.txt add service-tcp name "TCP_2323" port 2323 protocol telnet match-by-protocol-signature true
{
  "uid" : "db65f535-b0d0-4d97-9906-16a630951559",
  "name" : "TCP_2323",
  "type" : "service-tcp",
  "domain" : {...},
  "port" : "2323",
  "protocol" : "TELNET",
  "match-by-protocol-signature" : true,
...
```
So this says to me the "Match by protocol signature" field is like extra enforcement of the "protocol" field. Interesting.
Doesn't seem to be any way in the SmartConsole to find/filter services that have Protocol/Protocol Signature set without manually opening each of them and looking. Probably going to have to be done through the API to get a list of them.
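An added example, not part of the thread or any poster's code: one way to build the list suggested in the last reply from saved `mgmt_cli show services-tcp ... details-level full --format json` output. It assumes each response page carries `objects` and `total` keys next to the two fields shown in the thread; the sample pages and the function name are constructed for illustration.

```python
import json

# Constructed sample: two pages shaped like the output of
#   mgmt_cli -r true show services-tcp limit 3 offset N details-level full --format json
# Object names and values come from the thread; the paging numbers are made up.
SAMPLE_PAGES = [
    json.dumps({"from": 1, "to": 3, "total": 5, "objects": [
        {"name": "Freak2k", "protocol": None, "match-by-protocol-signature": False},
        {"name": "ftp", "protocol": "FTP", "match-by-protocol-signature": False},
        {"name": "ftp-pasv", "protocol": "FTP-PASV", "match-by-protocol-signature": False}]}),
    json.dumps({"from": 4, "to": 5, "total": 5, "objects": [
        {"name": "TCP_2323", "protocol": "TELNET", "match-by-protocol-signature": True},
        {"name": "FW1", "protocol": None, "match-by-protocol-signature": False}]}),
]


def classify_services(raw_pages):
    """Group service names by how the protocol/signature pair is set (hypothetical helper)."""
    report = {"signature_enforced": [], "protocol_only": [], "no_protocol": []}
    seen, total = 0, 0
    for raw in raw_pages:
        page = json.loads(raw)
        total = max(total, page.get("total", 0))
        for obj in page.get("objects", []):
            seen += 1
            if not obj.get("protocol"):
                bucket = "no_protocol"          # port-only match, no protocol assigned
            elif obj.get("match-by-protocol-signature"):
                bucket = "signature_enforced"   # protocol assigned and signature required
            else:
                bucket = "protocol_only"        # protocol assigned, signature not required
            report[bucket].append(obj["name"])
    # A single "limit 500" query returns at most 500 objects, so record
    # whether every object the server counted was actually read.
    report["complete"] = seen == total
    return report


if __name__ == "__main__":
    for key, value in classify_services(SAMPLE_PAGES).items():
        print(key, value)
```

If `complete` comes back false, fetch the remaining pages with `offset` before relying on the lists.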