How can we create a service for any TCP and UDP ports?
Port should be: Any
And protocol should be: TCP and UDP?
Hi @Chauhanrht8
Create two new services with a port range from 1 to 65535, one for the UDP service and one for the TCP service.
Set no protocol in the protocol field and don't use 'match for any'.
Now add these two new services to your rule.
TCP_ANY:
Port: 1-65535
Match for any: no
Protocol: none
UDP_ANY:
Port: 1-65535
Match for any: no
Protocol: none
Not sure why you would want to do this, but create a group and insert a tcp and udp object.
Each object respectively contains the port range of 1-65535 or just "any" and you are good to go.
* Any also matches for applications and not just TCP/UDP ports as requested.
Therefore just create a new tcp_any and udp_any object >0, uncheck Match for Any and use these in your rule.
Example:
How To Describe "Any Application"
Matching unknown traffic
Hey,
I was not writing about "any" in the typical way of "any" in the service column. With any I meant to write "any" in the TCP or UDP objects themselves. "Any" or 1-65535 should end up with the same functionality, shouldn't it?
You may want to be sure to uncheck the 'match for any' in the service properties. I expect you will receive the warning that service objects may inherit that change.
See sk150553 for an example.
The idea sort of negates having a firewall though. I assume you likely have a good reason.
Hi,
What is the use case to have Protocol = NONE?
Why are 2 separate services proposed (TCP_ANY and UDP_ANY) though the meaning is the same, as we are not using any protocol? Is it only for more readability?
What will be the behavior of Check Point firewalls if we do not choose Protocol = None? Because the source IP will choose either TCP or UDP for communication.
Regards,
Sajjad
Thanks.
So it means any protocol (like TCP, UDP, GRE, IPSec, etc.) under IP-Protocol will be considered; it is like everything.