Howard_Gyton
Advisor

R80.30 - Services port conflict recurring

When we push policy, it succeeds but we get a warning stating that there are multiple services which both have 'Match for any selected'.

When I first did this there were 10 pairs, so I worked through those.  At the next policy push it found another two.  And the next.  And the one after that.

I don't know why, but it is drip feeding me information and doesn't list them all.  At every change I make another new pair appears for some reason.

Is this expected?  If so, it's not very user friendly as I would prefer to fix them all in one go.

Howard

0 Kudos
1 Solution

Accepted Solutions
Alon_Alapi
Employee Alumnus

Hi,

For R80.40 we plan the following:

1. Change the match-for-any default to "false" for new service creation

2. Add a PUV (pre upgrade verify) warning on duplicate match-for-any services when upgrading from R77.30

To detect and remove all these conflicts, use the following procedure:

  1. Create a Dummy Security Gateway object, no need to establish SIC.
  2. Install policy only on the dummy Gateway.
  3. The installation should fail with the following message: 
    Installation failed. Reason: No SIC name found in the peer object definition, please test its SIC status.
    Disregard it.
  4. Go over all the 'Services port conflict' warnings, 
    These warnings should have the following text: "Services port conflict. port XX (protocol) serves both and . Uncheck 'Match for Any' checkbox in the 'Advanced' dialogue for one of them."
    For each of the warnings:
    1. Select which of the services you wish to use on rules with 'Any' in the source.
    2. Edit the other services.
    3. In the Advanced topic, uncheck Match for 'Any'.
  5. Delete the Dummy Security Gateway object.

In the future I plan to share a script that helps identify the conflicting match-for-any services.

 

Hope it helps,

Alon

Security Management Products Group Manager


0 Kudos
4 Replies
StefanS
Explorer

Hi,

R80.30 Take 111

- Services port conflict. port 7648 (udp) serves both <CU-SeeMe> and <V6a2650d9-c76f-458a-85df-f9397292dc49>. Uncheck 'Match for Any' checkbox in the 'Advanced' dialogue for one of them.

and how to find this object in object explorer?

<V6a2650d9-c76f-458a-85df-f9397292dc49>

Stefan

0 Kudos
mcdonamw_ews
Contributor

@StefanS, I know this is a necropost but I hope you're still around.  Did you ever find a solution to your problem with the service port conflict with a guid-like service that is not visible in explorer, e.g. <V6a2650d9-c76f-458a-85df-f9397292dc49>?

 

I'm having this same exact issue and cannot find anything anywhere.

0 Kudos
Howard_Gyton
Advisor

My first thought was to poke around in GuiDBedit, looking for a GUID string for a given service.

But when looking through the services table, I don't see anything remotely like that.

If however that service's name is actually "<V6a2650d9-c76f-458a-85df-f9397292dc49>", then in theory that should show in the services table, in the "Object Name" column.

I also looked for an attribute that might be used to hide that service from the explorer in the Console, but I couldn't find anything like that.

0 Kudos
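
The accepted answer's step 4 (go over every 'Services port conflict' warning) and the GUID-like service name raised in the replies can both be handled from the saved warning text. The following is an added example, not the script mentioned in the accepted answer and not Check Point code: it assumes the warnings from the dummy-gateway install have been copied into a text string, groups them per port and flags names that look like a UUID instead of an object name. The `example-*` service names are constructed.

```python
import re
from collections import defaultdict

# Warning format as quoted in the thread (R80.30 policy installation output).
WARNING_RE = re.compile(
    r"Services port conflict\. port (?P<port>\d+) \((?P<proto>\w+)\) "
    r"serves both <(?P<a>[^>]+)> and <(?P<b>[^>]+)>"
)
# Names such as <V6a2650d9-...> are 'V' + UUID rather than a readable object name.
UUID_LIKE_RE = re.compile(r"^V?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def parse_conflicts(text):
    """Return {(port, proto): set of service names} for every warning in text."""
    conflicts = defaultdict(set)
    for m in WARNING_RE.finditer(text):
        conflicts[(int(m["port"]), m["proto"].lower())].update((m["a"], m["b"]))
    return dict(conflicts)


def worklist(conflicts):
    """One row per port: the services sharing it and any UUID-like names."""
    rows = []
    for (port, proto), names in sorted(conflicts.items()):
        opaque = sorted(n for n in names if UUID_LIKE_RE.match(n))
        rows.append({"port": port, "proto": proto,
                     "services": sorted(names), "unresolved": opaque,
                     "to_uncheck": len(names) - 1})  # keep exactly one per port
    return rows


# Constructed sample: the first line is the warning quoted in the thread,
# the other two are made up in the same format with hypothetical names.
SAMPLE = """\
- Services port conflict. port 7648 (udp) serves both <CU-SeeMe> and <V6a2650d9-c76f-458a-85df-f9397292dc49>. Uncheck 'Match for Any' checkbox in the 'Advanced' dialogue for one of them.
- Services port conflict. port 8080 (tcp) serves both <example-proxy> and <example-app-8080>. Uncheck 'Match for Any' checkbox in the 'Advanced' dialogue for one of them.
- Services port conflict. port 8080 (tcp) serves both <example-proxy> and <example-web-alt>. Uncheck 'Match for Any' checkbox in the 'Advanced' dialogue for one of them.
"""

if __name__ == "__main__":
    for row in worklist(parse_conflicts(SAMPLE)):
        print(f"{row['port']}/{row['proto']}: keep one of {row['services']}, "
              f"uncheck 'Match for Any' on the other {row['to_uncheck']}")
        for name in row["unresolved"]:
            print(f"  note: <{name}> is not a readable object name")
```

Grouping by port rather than by warning line means three services on one port show up as a single work item with two boxes to uncheck, instead of as separate pairs.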
