Chauhanrht8
Explorer

Firewall rule for any tcp and udp port

How can we create a service for any TCP and UDP ports?

Port should be: Any

And protocol should be: TCP and UDP??

0 Kudos
1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion

Hi @Chauhanrht8

Create two new services with a port range from 1 to 65535, one for the UDP service and one for the TCP service.

Set no protocol in the protocol field and don't use 'match for any'.

Now add these two new services to your rule.

TCP_ANY:

Port: 1-65535

Match for any: no

Protocol: none

UDP_ANY:

Port: 1-65535

Match for any: no

Protocol: none

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips


10 Replies
Maik
Advisor

Not sure why you would want to do this, but create a group and insert a TCP and a UDP object.

Each object respectively contains the port range of 1-65535 or just "any" and you are good to go.

0 Kudos
Danny
Champion

Any also matches applications, not just TCP/UDP ports as requested.

Therefore just create a new tcp_any and udp_any object >0, uncheck Match for Any and use these in your rule.

Example: [image.png]

How To Describe "Any Application"

Matching unknown traffic

(1)
Maik
Advisor

Hey,

I was not writing about "any" in the typical sense of "any" in the service column. By any I meant "any" in the TCP or UDP objects themselves. "Any" or 1-65535 should end up with the same functionality, shouldn't it?

0 Kudos
-TJ-
Participant

You may want to be sure to uncheck 'match for any' in the service properties. I expect you will receive the warning that service objects may inherit that change.

See sk150553 for an example.

The idea sort of negates having a firewall, though. I assume you likely have a good reason.

0 Kudos
Chauhanrht8
Explorer
Hello @HeikoAnken,
Thanks for the information.
0 Kudos
sajj
Explorer

Hi,

What is the use case for having Protocol = NONE?

Why are 2 separate services proposed (TCP_ANY and UDP_ANY) though the meaning is the same, as we are not using any protocol? Is it only for more readability?

What will the behavior of Check Point firewalls be if we do not choose Protocol = None? Because the source IP will choose either TCP or UDP for communication.

Regards,

Sajjad

0 Kudos
Maarten_Sjouw
Champion
Protocol None is for applications like FTP, H323 etc.
The reason you want only TCP and UDP is that you don't want to allow all other protocols like GRE and IPsec, which are neither TCP nor UDP.
Regards, Maarten
(1)
sajj
Explorer

Thanks.

So it means any protocol (like TCP, UDP, GRE, IPsec, etc.) under IP-Protocol will be considered; it is like everything.

0 Kudos
Maarten_Sjouw
Champion
Any will allow all, while the 2 TCP and UDP (all ports) will not allow other protocols than TCP or UDP.
Regards, Maarten
0 Kudos
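As an added illustration of the distinction drawn by Heiko's two objects and Maarten's explanation (example code written for this page, not from the thread or from Check Point): a small model of the Service column, where Any matches every IP protocol while TCP_ANY and UDP_ANY match only TCP and UDP on any port, plus the request bodies for the Management API's add-service-tcp and add-service-udp commands that create the same two objects with Match for Any unchecked. The sample packets are constructed, and the matcher is a simplification of the real rulebase, not Check Point's matching logic.

```python
from dataclasses import dataclass

# IANA protocol numbers used for the constructed sample packets below.
TCP, UDP, GRE, ESP = 6, 17, 47, 50

@dataclass(frozen=True)
class Service:
    """Simplified model of a Check Point TCP/UDP service object."""
    name: str
    ip_proto: int          # 6 = TCP, 17 = UDP
    ports: range           # destination ports the object covers
    match_for_any: bool    # the "Match for Any" checkbox

    def matches(self, ip_proto: int, dport: int) -> bool:
        return ip_proto == self.ip_proto and dport in self.ports

# The two objects from the accepted solution: all ports, Match for Any unchecked,
# no protocol signature selected.
TCP_ANY = Service("TCP_ANY", TCP, range(1, 65536), match_for_any=False)
UDP_ANY = Service("UDP_ANY", UDP, range(1, 65536), match_for_any=False)
ANY = "Any"   # the built-in Any in a rule's Service column

def rule_allows(services, ip_proto: int, dport: int = 0) -> bool:
    """Model of the Service column: Any matches every IP protocol (GRE, ESP, ...),
    while explicit service objects match only their own protocol and port range."""
    if ANY in services:
        return True
    return any(s.matches(ip_proto, dport) for s in services)

def mgmt_api_payloads(*services):
    """Request bodies for the Management API add-service-tcp / add-service-udp
    commands that create the same objects; omitting "protocol" leaves it at none."""
    command = {TCP: "add-service-tcp", UDP: "add-service-udp"}
    return [
        (command[s.ip_proto], {"name": s.name,
                               "port": f"{s.ports.start}-{s.ports.stop - 1}",
                               "match-for-any": s.match_for_any})
        for s in services
    ]

# Constructed sample traffic: (label, IP protocol, destination port).
SAMPLES = [("TCP/443", TCP, 443), ("UDP/53", UDP, 53), ("GRE", GRE, 0), ("ESP", ESP, 0)]

if __name__ == "__main__":
    for label, proto, port in SAMPLES:
        print(f"{label:8} Any={rule_allows([ANY], proto, port)!s:5} "
              f"TCP_ANY+UDP_ANY={rule_allows([TCP_ANY, UDP_ANY], proto, port)}")
    for cmd, body in mgmt_api_payloads(TCP_ANY, UDP_ANY):
        print(cmd, body)
```

Running it shows GRE and ESP passing a rule whose service is Any but failing one built from TCP_ANY plus UDP_ANY, which is exactly the difference Maarten describes.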