kamilazat
Collaborator

Best practices for allowing overlapping ports/protocols on different rules

Hi,

I've read that it's not best practice to have multiple service objects defined for the same port/protocol here. And it got me thinking.

What is the best practice in case we need to create rules with overlapping port ranges with the same protocol?

For example, let's assume that

- I need to allow access between Network A - Network B on ports 10000 - 20000 on protocol X.
- But at the same time, I need to block traffic between Network C - Network D on ports 15000 - 25000 on protocol X.
- Additionally, a new requirement comes and I need to create a new rule that allows access between Network E - Network F on ports 12000 - 27000, again on protocol X.

The first thing that comes to my mind is to create different service objects for these different ranges and use them where needed. But if I understand it correctly, it's not the best practice and will probably give me a "Services port conflict" warning when installing the policy.

How do we do this in these kinds of situations?

Cheers!

4 Replies
emmap
Employee

Create the service ranges as required for your rules, but under the Advanced options for those objects, make sure 'Match for Any' is not selected. That way you'll have no warnings on policy install.

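As an added illustration of the advice above (this is example code, not something posted in the thread or shipped by Check Point), the script below models the three overlapping ranges from the question as TCP service objects, flags the pairs that would collide, and emits the Management API payload and equivalent mgmt_cli line for each object with 'Match for Any' cleared. Assumptions, since the thread does not state them: "protocol X" is TCP; the "Services port conflict" warning is raised for overlapping ranges only when both objects have 'Match for Any' set (which is what the reply implies); and the API field names `add-service-tcp`, `port` and `match-for-any` are taken from memory of the Check Point Management API and should be checked against your version's API reference before use. Object names, helper names and the constructed sample data are mine.

```python
"""Overlapping TCP service ranges and the 'Match for Any' flag (added example)."""
from dataclasses import dataclass, replace
from itertools import combinations
import json


@dataclass(frozen=True)
class TcpService:
    """A Check Point TCP service object reduced to the fields that matter here."""
    name: str
    low: int
    high: int
    match_for_any: bool = True  # assumption: the default for a new object

    @property
    def port(self) -> str:
        """Port string as typed into the object: '21' or '10000-20000'."""
        return str(self.low) if self.low == self.high else f"{self.low}-{self.high}"


def parse_port(spec: str) -> tuple[int, int]:
    """Parse '21' or '10000-20000' into an inclusive (low, high) pair."""
    if "-" in spec:
        lo, hi = (int(p.strip()) for p in spec.split("-", 1))
    else:
        lo = hi = int(spec.strip())
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port specification {spec!r}")
    return lo, hi


def make_service(name: str, spec: str, match_for_any: bool = True) -> TcpService:
    lo, hi = parse_port(spec)
    return TcpService(name, lo, hi, match_for_any)


def ranges_overlap(a: TcpService, b: TcpService) -> bool:
    """Inclusive interval intersection test."""
    return a.low <= b.high and b.low <= a.high


def port_conflicts(services: list[TcpService]) -> list[tuple[str, str]]:
    """Pairs that overlap while BOTH still have 'Match for Any' set.

    Assumption: this is the condition behind the install-time
    'Services port conflict' warning described in the thread.
    """
    return [
        (a.name, b.name)
        for a, b in combinations(services, 2)
        if a.match_for_any and b.match_for_any and ranges_overlap(a, b)
    ]


def clear_match_for_any(services: list[TcpService]) -> list[TcpService]:
    """Return copies of the objects with the advanced option unticked."""
    return [replace(s, match_for_any=False) for s in services]


def add_service_payload(svc: TcpService) -> dict:
    """JSON body for the Management API 'add-service-tcp' call (assumed field names)."""
    return {"name": svc.name, "port": svc.port, "match-for-any": svc.match_for_any}


def mgmt_cli_command(svc: TcpService) -> str:
    """Equivalent mgmt_cli invocation (assumed parameter names)."""
    flag = "true" if svc.match_for_any else "false"
    return f'mgmt_cli add service-tcp name "{svc.name}" port "{svc.port}" match-for-any {flag}'


# Constructed sample data: the three ranges from the question, as new objects
# would be created by default (Match for Any still set).
POST_RANGES = [
    make_service("tcp-10000-20000", "10000-20000"),  # Network A - Network B, allow
    make_service("tcp-15000-25000", "15000-25000"),  # Network C - Network D, block
    make_service("tcp-12000-27000", "12000-27000"),  # Network E - Network F, allow
]
FIXED_RANGES = clear_match_for_any(POST_RANGES)


if __name__ == "__main__":
    print("conflicts before:", port_conflicts(POST_RANGES))
    print("conflicts after: ", port_conflicts(FIXED_RANGES))
    for svc in FIXED_RANGES:
        print(json.dumps(add_service_payload(svc)))
        print(mgmt_cli_command(svc))
```

Running `port_conflicts` over the objects as first created reports all three pairs, because every range intersects every other; after `clear_match_for_any` the same overlaps remain in the port numbers but the check returns nothing, which is the state the reply says installs without warnings. The payload helpers are only there to show which field carries the flag when objects are scripted rather than clicked through in SmartConsole.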
kamilazat
Collaborator

Thank you!

What if I also have rules that have 'Any' in service column? How does unchecking 'Match for Any' affect those rules?

emmap
Employee

It doesn't affect them at all, it just means that the service ranges you create are not considered when matching services for traffic that hits the rules with 'Any' service in them. 

kamilazat
Collaborator

So if I, say, untick 'Match for Any' on FTP port 21, and allow TCP traffic over port 21 on a rule, the firewall will allow the traffic but won't treat it as the FTP protocol anymore. Do I understand it correctly?

Then what would happen if I turned it off on all the services in a 5000-rule Policy Package? I mean, why is it needed then?
