Service Object - Match for Any

I'm working on Firewall standards for our security team and one of the items includes creating new services.

I know there are issues creating new objects and leaving the default "Match for any" selected, but I'm not able to find specific details for this in any of Check Point documentation.

What is Check Point's recommendation regarding this?

0 Kudos
9 Replies

Re: Service Object - Match for Any

Hey Dave,

Please find below Check Point's documentation with regards to the feature in question:
Match for Any: Indicates whether this service is used when 'Any' is set as the rule's service and there are several service objects with the same source port and protocol.
When there is a rule whose Service cell contains Any, and a connection's protocol and source port match more than one service object, then the service object with the selected 'Match for Any' option will be used and its properties will be taken for handling this connection.

When installing a policy that contains services that have source ports (specified in the Advanced window) that require the Match for 'Any' option to be selected, a warning appears. The policy will be installed with a warning (for each such service), since Match for 'Any' is not supported for services that contain source port specification.
I hope this helps.

0 Kudos

Re: Service Object - Match for Any

So if I understand this correctly, what that says is: if you create a Match for Any service, it should not be used in a rule as a service... right?
0 Kudos

Re: Service Object - Match for Any

To clarify, the "Match for Any" setting really comes into play when there are several service objects that use the same source port and protocol. If this scenario applies, on the interesting firewall rule you could do either of the following under the Services column:

- Leave it to "any" and enable the "Match for Any" checkbox of the service object you want to match the traffic so to speak.

- Specify the exact service objects you want to match.

Again, I believe this setting is more relevant when multiple service objects use the same source port and protocol so it just gives you an extra layer of granularity.

Let us know if you have any more questions.

0 Kudos

Re: Service Object - Match for Any

To clarify things:

The "match for any" checkbox is only relevant if the service column of the rule is set to Any. Then the specific settings for the service are used for setting timeouts, cluster sync, protocol inspection, etc. for traffic matching this rule and the protocol/port of this service.

If a specific service is used in a rule, then the specific settings of this service apply and it doesn't matter if "match for any" is set!

0 Kudos

Re: Service Object - Match for Any

Think of the "any" service as a collection of all service definitions. A service object has far more attributes than just destination port. It's possible to have 2 service objects with the same destination port but otherwise different settings like virtual session timeout or protocol handler.

Let's assume you configured a service called "service a" with TCP destination port 8080 and a session timeout of 30 seconds and "service b" with TCP destination port 8080 and a session timeout of 60 seconds. Both have the "match for any" attribute set. Then you create a firewall rule like this:

Source: Internal -> Service: Any -> Destination: Extern.

Now you access port 8080 on an external server from your internal network. 

What would be the virtual session timeout for this connection? 30 seconds or 60 seconds? Should the log show "service a" or "service b"?

Best practice in my opinion would be to avoid creating overlapping service definitions. If you have to define 2 overlapping service objects, unset "match for any" for one of them.

0 Kudos

Re: Service Object - Match for Any

The big problem that you have (as is mentioned but not too clearly in the information) is where you have multiple services that have an overlap of ports.
i.e. you define a service with a port range of 6000-7000 and also have services defined for, say, 6500 and 6509. If they all have Match for Any checked, then when you install the policy it completes with warnings about multiple services matching a port.

If you don't clear that up, then what happens is people get used to seeing the warning and so don't look. I have seen people miss warnings about certificate expiry and the like because of this.
0 Kudos
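The two posts above describe the same failure mode: two service objects whose destination ports overlap and which both have "Match for Any" set, so that a rule with Service Any cannot say which object's session timeout and protocol handler apply, and the policy install only tells you so in a warning that is easy to stop reading. The script below is an added example, not code from this thread or from Check Point. It checks a service export for exactly that condition so the overlap can be found and fixed deliberately. It assumes the input is shaped like the Management API "show services-tcp" response, with the fields "name", "port" and "match-for-any" (field names as I recall them; verify against your own export), and the sample export embedded in it is constructed for illustration.

```python
"""Flag TCP service objects with overlapping destination ports that all have
'Match for Any' set.  Added example; not Check Point's own code."""
import json
from itertools import combinations

# Constructed sample, shaped like a Management API 'show services-tcp'
# response.  The field names are an assumption; check them against a real
# export before relying on this.
SAMPLE_EXPORT = json.dumps({
    "objects": [
        {"name": "service a", "port": "8080", "match-for-any": True},
        {"name": "service b", "port": "8080", "match-for-any": True},
        {"name": "app-range", "port": "6000-7000", "match-for-any": True},
        {"name": "app-6500", "port": "6500", "match-for-any": True},
        # Flag already cleared on this one, as the thread recommends, so it
        # overlaps app-range without being ambiguous:
        {"name": "app-6509", "port": "6509", "match-for-any": False},
        {"name": "web-tls", "port": "443", "match-for-any": True},
    ]
})


def parse_port(spec):
    """Turn a port spec ('8080', '6000-7000', '>1023', '<1024') into an
    inclusive (low, high) tuple.  Returns None for anything else so the
    caller can report it instead of silently skipping it."""
    spec = spec.strip()
    try:
        if spec.startswith(">"):
            return int(spec[1:]) + 1, 65535
        if spec.startswith("<"):
            return 1, int(spec[1:]) - 1
        if "-" in spec:
            low, high = spec.split("-", 1)
            return int(low), int(high)
        if spec.isdigit():
            return int(spec), int(spec)
    except ValueError:
        pass
    return None


def ranges_overlap(a, b):
    """True if the inclusive ranges a and b share at least one port."""
    return a[0] <= b[1] and b[0] <= a[1]


def find_conflicts(export_json):
    """Return (conflicts, unparsed).

    conflicts: sorted list of name pairs whose port ranges overlap while BOTH
    objects have Match for Any set.  A pair where only one has it set is
    unambiguous for a Service-Any rule and is not reported.
    unparsed: Match-for-Any objects whose port spec the parser did not
    understand; these need a manual look rather than being ignored."""
    candidates, unparsed = [], []
    for obj in json.loads(export_json)["objects"]:
        if not obj.get("match-for-any"):
            continue
        port_range = parse_port(obj["port"])
        if port_range is None:
            unparsed.append(obj["name"])
        else:
            candidates.append((obj["name"], port_range))
    conflicts = sorted(
        tuple(sorted((name_a, name_b)))
        for (name_a, range_a), (name_b, range_b) in combinations(candidates, 2)
        if ranges_overlap(range_a, range_b)
    )
    return conflicts, unparsed


if __name__ == "__main__":
    found, skipped = find_conflicts(SAMPLE_EXPORT)
    for name_a, name_b in found:
        print(f"both Match for Any, overlapping ports: {name_a!r} / {name_b!r}")
    for name in skipped:
        print(f"could not parse port spec for {name!r}; check it by hand")
```

On the constructed sample this reports "app-6500" against "app-range" and "service a" against "service b", and says nothing about "app-6509", whose flag is already cleared. Against a live management server the same function can be fed the JSON that mgmt_cli returns for show services-tcp (the exact command line and its --format json option are from memory; confirm them against the Management API reference for your version). The fix for each reported pair is the one the thread gives: remove the overlap, or clear Match for Any on all but one of the overlapping objects.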

Re: Service Object - Match for Any

This has also been my experience. We have many service ranges, and I see that error during a policy install. It also poses an issue searching within the logs for a specific service that may fall in that range.
Thank you

0 Kudos
Admin

Re: Service Object - Match for Any

Generally "Match for Any" is only an issue when you have two or more services defined using the same TCP/UDP port.
If that's the case, the definitions for the service marked "Match for Any" for a given TCP/UDP port will apply when a particular connection matches a rule with service Any.
This can include service-specific timeouts as well as the application of the protocol handler that's associated.

At the moment, when you create a new service, we leave this checked by default.
We are considering changing this behavior in R80.40.

Re: Service Object - Match for Any

Thanks, I appreciate your help.
0 Kudos