Firewall_Head
Explorer

Abnormality in pattern matching of APP CONTRL BLADE

Hi Checkmates,

 

I have a security policy created for communication between a pair of devices. I'm using a custom created TCP high port (TCP 30K+) in the service, and no applications are mentioned inside the rule. But when I'm checking the logs it is matched against an APP named net.TCP.

Can someone shed light on how this is happening? How is traffic matched against an APP which I never specified in the rule?

Thanks in advance!

 

======

WR,

FH

0 Kudos
26 Replies
G_W_Albrecht
Legend

This is TCP 8080, not a TCP high port (TCP 30K+) in service! And 8080 is used by:

Protocol / Port number / Service Name / Comment and Usage

Endpoint Security: TCP 8080 (not predefined) - Loopback port (used by EPM process). Endpoint Security Management Server and Directory Scanner -> Apache Tomcat HTTP on Endpoint Security Management Server.

Threat Emulation: TCP 8080 (not predefined) - HTTP - FakeServer listens for packets coming from the VM during WebEmulation. SSL Proxy.

Mobile Access: TCP 8080 (HTTP_and_HTTPS_proxy) - Front-end daemon of Mobile Access (used by multi-processes - mpdaemon)
CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Firewall_Head
Explorer

@G_W_Albrecht Thanks for your reply!

Actually, I'm trying to make a different point: I'm not using the 8080 service inside the policy, but somehow it is matching against an APP that uses 8080.

The service that I'm using in my policy is TCP 32000.

Hope you got my point!
========

WR,

FH

0 Kudos
the_rock
Legend

Can you try something like below?

Andy

 

0 Kudos
G_W_Albrecht
Legend

I see no screenshots, e.g. from the rule base and logs, that show your point!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend

Technically, what Guenther sent is right, it's from below:

https://support.checkpoint.com/results/sk/sk52421

High ports would start from 49152 and this port is way below that.

Andy

0 Kudos
Firewall_Head
Explorer

@the_rock ,

When I create a policy to allow TCP 320000, why would the inspection module match it against an APP that uses 8080. Please help me on this.

====
WR,

FH

0 Kudos
the_rock
Legend

See the screenshot I attached in my last response, not sure if that's how you have it configured currently.

Andy

0 Kudos
Firewall_Head
Explorer

@the_rock, yes you are right!

That is how the port is configured.

Can you tell me what is wrong in this?

========

WR,

FH

0 Kudos
the_rock
Legend

If you can send us the screenshot of the rule/logs, it would help, for sure.

Andy

0 Kudos
Firewall_Head
Explorer

@the_rock I'm sorry that I can't give you my prod rule/logs.

I have replicated the same for your reference, PFA.

======

WR,

FH

0 Kudos
the_rock
Legend

That's fair, no problem! Can we see what that tcp_30k looks like?

Andy

0 Kudos
Firewall_Head
Explorer

Can we do a remote? @the_rock

======
WR,

FH

0 Kudos
the_rock
Legend

I think everyone saw my messages about remote, haha. That's okay, I'm always happy to do my best to help. Not sure what time zone you are in, but I'm in Canada EST, so it's 9 am here, so I can do it during my lunch, say at 12 pm EST, in 3 hours.

If that works, let me know and I can send you a Zoom link a few mins before then.

Andy

0 Kudos
G_W_Albrecht
Legend

How is the service itself defined? You only show us a service group, not a service definition like:

[Attachment: Screenshot 2025-02-18 152007.png]

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Firewall_Head
Explorer

0 Kudos
the_rock
Legend

That looks right to me. Anyway, if you are still good for a remote, just let me know, so I can arrange it.

Andy

0 Kudos
Firewall_Head
Explorer

Let's do it. Can you please let me know the exact timing so that I can be ready for it?

========

WR,

FH

the_rock
Legend

Will send you the Zoom link in a direct message 5 mins before, so at 11.55 am EST (or 4.55 pm GMT), so 2 hours from now.

Andy

Firewall_Head
Explorer

OK 👍

0 Kudos
the_rock
Legend

Awesome! Let me grab a quick "lunch" now, so I don't have to eat while talking to you, haha 🙂

Talk soon mate.

Best,

Andy

0 Kudos
the_rock
Legend

Just sent you a direct message with the link.

Andy

0 Kudos
the_rock
Legend

Hey everyone,

I did a remote session with the guys and below are my suggestions. @Firewall_Head, if you have anything SPECIFIC in mind for testing, just let me know and I can easily try it in the lab.

Andy

 

RS notes:

- remote session
- verified the port settings
- custom port 32500-32503
- app name net.tcp_protocol
- since there is a single layer in the policy with FW and APPC+URLF enabled, advised it's best to disable the URLF+APPC blade and create another ordered layer
- I believe the net tcp app uses port 32501
- default net.tcp uses port 8080, so advised to try and block the protocol via the rule

 

0 Kudos
PhoneBoy
Admin

In general, logs show the explicit port that was accessed.
That port is translated to a "service" (either from /etc/services or from a defined TCP/UDP service object in SmartConsole).
Not sure if/how this works when a range is used for a TCP/UDP object.
The service definition shown in the logs is used in rulebase matching in one of two cases:

  • It's explicitly listed in the rule.
  • The rule uses service Any and the service in question is marked as "Match for Any".

In any case, the rulebase is matching per the service(s) you've defined.
However, the logs will show whatever "service" was resolved per above.

This is expected behavior.

0 Kudos
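To make the distinction PhoneBoy draws concrete, here is a toy model written as an added example for this thread; it is not Check Point code and not from any participant. It separates the two steps: the rulebase matches the connection against the service objects listed in the rule (or, for a rule with service Any, against objects flagged "Match for Any"), while the log label is obtained afterwards by resolving the destination port against the defined service objects and then /etc/services. The service table, the /etc/services subset and the rule names are constructed for the example; only the 32500-32503 range and the name tcp_30k come from the thread.

```python
"""Toy model: rulebase matching on service objects vs. log service-name resolution.

Added illustration for this thread; not Check Point code. The objects, ports
and rule names below are constructed, except the tcp_30k range from the post.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ServiceObject:
    name: str
    proto: str              # "tcp" or "udp"
    low: int                # first port of the range
    high: int               # last port of the range (== low for a single port)
    match_for_any: bool = True  # models the "Match for 'Any'" flag on the object

    def covers(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.low <= port <= self.high


@dataclass(frozen=True)
class Rule:
    name: str
    services: Optional[Tuple[ServiceObject, ...]]  # None means Service column = Any
    action: str = "Accept"


# Constructed service objects. tcp_30k mirrors the custom range from the thread;
# the 8080 object name is taken from the SK excerpt quoted earlier in the thread;
# no_any_svc is a hypothetical object with "Match for Any" cleared.
TCP_30K = ServiceObject("tcp_30k", "tcp", 32500, 32503)
PROXY_8080 = ServiceObject("HTTP_and_HTTPS_proxy", "tcp", 8080, 8080)
NO_ANY_SVC = ServiceObject("no_any_svc", "tcp", 40000, 40000, match_for_any=False)
SERVICES: List[ServiceObject] = [TCP_30K, PROXY_8080, NO_ANY_SVC]

# Constructed subset of /etc/services used as the fallback name source.
ETC_SERVICES: Dict[Tuple[str, int], str] = {("tcp", 22): "ssh", ("tcp", 8080): "http-alt"}


def rule_matches(rule: Rule, proto: str, port: int,
                 services: List[ServiceObject] = SERVICES) -> bool:
    """Step 1: does this rule match the connection? Only the rule's own service
    objects count; for service Any, only objects flagged Match for Any."""
    if rule.services is None:
        return any(s.covers(proto, port) and s.match_for_any for s in services)
    return any(s.covers(proto, port) for s in rule.services)


def resolve_log_service(proto: str, port: int,
                        services: List[ServiceObject] = SERVICES,
                        etc: Dict[Tuple[str, int], str] = ETC_SERVICES) -> str:
    """Step 2: the name the log displays for the port, independent of which rule
    matched: first a defined service object covering the port, then
    /etc/services, else a raw proto/port label."""
    for s in services:
        if s.covers(proto, port):
            return s.name
    return etc.get((proto, port), f"{proto}/{port}")


def evaluate(rulebase: List[Rule], proto: str, port: int) -> Tuple[str, str]:
    """First-match evaluation; returns (matched rule name, logged service name).
    A connection matching no rule is attributed to an implicit 'Cleanup' rule."""
    for rule in rulebase:
        if rule_matches(rule, proto, port):
            return rule.name, resolve_log_service(proto, port)
    return "Cleanup", resolve_log_service(proto, port)


if __name__ == "__main__":
    policy = [Rule("allow-pair", (TCP_30K,)), Rule("allow-any", None)]
    for p in (32501, 8080, 40000, 443):
        print(p, evaluate(policy, "tcp", p))
```

Run stand-alone, the script shows that 32501 is accepted by the explicit rule and logged under the custom object's name, while 40000 falls through the Any rule because its object is not flagged Match for Any. The real gateway's log additionally carries an App Control column (the net.TCP entry the thread is about), which this service-name model deliberately does not attempt to reproduce.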
the_rock
Legend

That was also my impression based on what I saw with the guys on the remote session, because the log showed the mentioned application with port 32501.

I still asked them to consider things I mentioned...

Andy

Firewall_Head
Explorer

@the_rock, thank you so much for spending your valuable time!

Will try out the steps you mentioned and update you.

==

WR

FH

0 Kudos
the_rock
Legend

Always happy to do my best to help mate. I don't need 1 hour for lunch like I did back in my 20s... now in my mid 40s, 20 mins is enough, haha.

Anyway, as I mentioned to you guys yesterday on the Zoom remote, if you have a SPECIFIC scenario you want me to test in the lab, I will do so. I also have an R82 lab, but no host behind it, so it makes way more sense to do it in the R81.20 lab with Windows 11 behind it; plus, it has SSL inspection on.

Andy

0 Kudos
