Non-contiguous port ranges in a service?

I am migrating slowly to Checkpoint NGX R65 on Nokia from IOS access-list-based firewalling. I am taking this opportunity to cut down on the number of rules, which, because this is a whitelist environment (blocking outgoing and incoming by default), number in the thousands even though the number of applications and the number of clients are relatively small.

I have a list of servers and a variety of nonstandard ports that they use for the main application here, and I am wondering if there is a way to define a service with non-contiguous ports without creating a whole bunch of them and then grouping them. For instance, can I create a single service object that has, say, ports 1001, 6006, and 2003 without making one for each and then making a group?

My other question is that reply traffic for many rules is currently allowed based on source port, with no destination port specified. This does not seem to be an available option in Checkpoint, since rules only list services, not source and destination ports. How do I allow any destination port but restrict the source port from a particular host?