This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
renegad
Explorer
Explorer
‎2021-09-27 06:20 AM

how to block tcp traffic which has source port number from 1 to 1024

Hi, I would like to ask for best way to block all incomming traffic which has tcp source port in range from 1 to 1024 and destination port is any on external interface? Source IP is any, destination IP can be SG public IP. Thank you

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2021-09-28 08:36 AM

You’d have to create a service of type Other to o that, which allows you to enter in an INSPECT expression.
Some samples of INSPECT syntax are in point 7 here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
I believe the correct expression would be: tcp, sport<=1024

That said, last I checked, INSPECT services disable SecureXL templates at that rule and for all rules below.
However, that may not be the case in R80.20 and above.
Meaning: this has a potential performance impact.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2021-09-29 04:57 AM
In response to PhoneBoy

Pretty sure using the source port as a matching criteria will disable rule templating even in the latest releases, as SecureXL is not able to mask/ignore the source port for accept template calculations.  Services specifying custom INSPECT code are also very likely to have all their traffic handled in F2F/slowpath, although I haven't checked for this in the latest releases and it may be possible to reinject that traffic back into SecureXL after the initial rule matching in F2F is complete.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
0 Kudos
_Val_
Admin
Admin
‎2021-09-29 04:59 AM
In response to Timothy_Hall

Second that. 

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2021-09-29 06:46 AM
In response to PhoneBoy

You shouldn't need to use INSPECT. I just tried this:

[Expert@LabSC:0]# mgmt_cli -r true login > session.txt
[Expert@LabSC:0]# mgmt_cli -s session.txt --format json add service-tcp name lowSources source-port 1-1024 port 1-65535
{
  "uid" : "ab4ec7b3-cffe-4b5b-9fa1-77b6ac8fe65a",
  "name" : "lowSources",
  "type" : "service-tcp",
  "domain" : {...},
  "port" : "1-65535",
  "source-port" : "1-1024",
  "match-by-protocol-signature" : false,
  "override-default-settings" : false,
  "session-timeout" : 3600,
  "use-default-session-timeout" : true,
  "match-for-any" : false,
  "sync-connections-on-cluster" : true,
  "aggressive-aging" : {...},
  "keep-connections-open-after-policy-installation" : false,
  "groups" : [ ],
  "comments" : "",
  "color" : "black",
  "icon" : "Services/TCPService",
  "tags" : [ ],
  "meta-info" : {...},
  "read-only" : true
}

Then you add a rule for that service telling the firewall to drop traffic which matches it.

The SecureXL concerns are still present, but at least it's not an especially unusual service object.

PhoneBoy
Admin
Admin
‎2021-09-29 07:58 AM
In response to Bob_Zimmerman

Probably a better way to do it actually.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events