
R80.30 - Services port conflict recurring


When we push policy, it succeeds but we get a warning stating that there are multiple services which both have 'Match for any selected'.

When I first did this there were 10 pairs, so I worked through those.  At the next policy push it found another two.  And the next.  And the one after that.

I don't know why, but it is drip-feeding me information and doesn't list them all.  At every change I make, another new pair appears for some reason.

Is this expected?  If so, it's not very user friendly as I would prefer to fix them all in one go.

Howard

0 Kudos
1 Solution

Accepted Solutions
Employee

Re: R80.30 - Services port conflict recurring


Hi,

For R80.40 we plan the following:

1. Change the match-for-any default to "false" for new service creation

2. Add a PUV (pre upgrade verify) warning on duplicate match-for-any services when upgrading from R77.30

To detect and remove all these conflicts, use the following procedure:

  1. Create a Dummy Security Gateway object, no need to establish SIC.
  2. Install policy only on the dummy Gateway.
  3. The installation should fail with the following message: 
    Installation failed. Reason: No SIC name found in the peer object definition, please test its SIC status.
    Disregard it.
  4. Go over all the 'Services port conflict' warnings.
    These warnings should have the following text: "Services port conflict. port XX (protocol) serves both and . Uncheck 'Match for Any' checkbox in the 'Advanced' dialogue for one of them."
    For each of the warnings:
    1. Select which of the services you wish to use on rules with 'Any' in the source.
    2. Edit the other services.
    3. In the Advanced topic, uncheck Match for 'Any'.
  5. Delete the Dummy Security Gateway object.

In the future I plan to share a script that helps identify the conflicting match-for-any services.

Hope it helps,

Alon

Security Management Products Group Manager

0 Kudos
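
The answer above surfaces conflicts through policy-install warnings. As an added example (not Check Point's script and not the one the answer mentions), the following lists every port claimed by more than one match-for-any service in a single pass. It assumes the services were exported as JSON with the fields `name`, `type`, `port` and `match-for-any`, as in Management API service objects; the sample data is constructed, and only exact single-port services are compared.

```python
import json
from collections import defaultdict

# Constructed sample data. Field names ("name", "type", "port",
# "match-for-any") are assumed to follow Management API service objects.
SAMPLE_EXPORT = json.loads("""
[
  {"name": "http",           "type": "service-tcp", "port": "80",   "match-for-any": true},
  {"name": "web-legacy",     "type": "service-tcp", "port": "80",   "match-for-any": true},
  {"name": "HTTP_proxy",     "type": "service-tcp", "port": "8080", "match-for-any": true},
  {"name": "app-8080",       "type": "service-tcp", "port": "8080", "match-for-any": false},
  {"name": "alt-proxy",      "type": "service-tcp", "port": "8080", "match-for-any": true},
  {"name": "domain-udp",     "type": "service-udp", "port": "53",   "match-for-any": true},
  {"name": "dns-tcp-custom", "type": "service-tcp", "port": "53",   "match-for-any": true}
]
""")


def find_match_for_any_conflicts(services):
    """Map (protocol, port) -> names of all match-for-any services on that port."""
    claimed = defaultdict(list)
    for svc in services:
        if not svc.get("match-for-any"):
            continue  # only matched when named explicitly in a rule
        port = str(svc.get("port", "")).strip()
        if not port.isdigit():
            continue  # ranges and other port specs are out of scope here
        protocol = svc["type"].replace("service-", "", 1)
        claimed[(protocol, port)].append(svc["name"])
    # A conflict is any port claimed by two or more match-for-any services.
    return {key: sorted(names) for key, names in claimed.items() if len(names) > 1}


def report(conflicts):
    """One line per conflicting port, ordered by protocol then port number."""
    ordered = sorted(conflicts.items(), key=lambda kv: (kv[0][0], int(kv[0][1])))
    return [
        f"port {port} ({protocol}): {', '.join(names)} "
        f"-> leave Match for Any on one, uncheck it on the other {len(names) - 1}"
        for (protocol, port), names in ordered
    ]


if __name__ == "__main__":
    print("\n".join(report(find_match_for_any_conflicts(SAMPLE_EXPORT))))
```

Which service keeps Match for Any on each port is still a manual decision, as in step 4 of the procedure.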