Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Adam276
Participant

Dynamic Ports inspection setting meaning

I can't seem to locate a detailed description for all the Inspection Settings to help determine what they actually do.  Some are pretty descriptive like 'Block SIP Video'.  For Dynamic Ports though, It is not clear what that actually means and affects.

Has anyone found a detailed description of the Inspection Settings?

0 Kudos
6 Replies

The following was extracted from an old SmartDefense guide, TAC may have something more recent:

Dynamic Ports: Opens firewall ports only when needed. Opens only ports negotiated during VolP call setup, even those communicated within the protocol itself.

Dynamic ports will only be opened if the port is not used by another service (For example: if the Connect message sends port 80 for the H.245 it will not be opened--preventing wellknown ports from being used illegally).

0 Kudos
Adam276
Participant

Thanks for that info.  It sounds like it is related to VoIP only going by that info.  Does anyone know for sure?  There are a lot of them specifically for VoIP so I wouldn't be surprised if that is true even though the name of it doesn't have H.245/VoIP/SIP or anything like that.  It would seem like they would have prefixed the name with SIP/VoIP or something if it were specific to a single protocol/service.

0 Kudos
PhoneBoy
Admin
Admin

VoIP is merely one example.
FTP is another well known example, as is CIFS, NFS, and SMB.

0 Kudos
Adam276
Participant

Thanks for the responses.  It is appreciated.

Can you define Dynamic Ports in context to Inspection Settings?  The meaning from my experience with the term in networking/firewalling is services which accept connections but then create new data and control channel listen ports to different dynamic ranges like RPC, FTP, NFS, etc.  I am not aware of SMB/CIFS doing secondary connections on dynamic ports.  It always uses UDP 137, 138, or TCP 139 and 445 at least in my experience looking at the traffic over the years.  I am doubting myself about what Checkpoint defines as Dynamic Ports for Inspection Settings if CIFS/SMB is also considered Dynamic Ports.

Also what would be the behavior for DROP, ACCEPT, and INACTIVE for this specific Inspection Setting be?  I assume DROP would drop dynamic ports that are not within some definition of what Checkpoint thinks a Dynamic Port should look like for a specific service, ACCEPT would accept any dynamic port bad behavior that is flagged and maybe log it, and INACTIVE would not look for the bad behavior but still allow dynamic ports for services that use them(like FTP).

0 Kudos
PhoneBoy
Admin
Admin

There is the concept of a "control" and a "data" connection in these various services, which can happen on different ports.
By watching the control connection, we can see what the expected data connection is.
If we see something that doesn't correspond to what the control connection says to expect, this protection activates, assuming it's not marked Inactive.
Drop does what you'd expect: drop the relevant data connection, accept allows it and logs it.

0 Kudos
Adam276
Participant

Thanks for the clarification.  That helps to make sure the settings are applied appropriately.  I think an Inspection Settings document that goes into more detail for some of these settings would be beneficial if one ever materialized.

0 Kudos