CPUG

The Check Point User Group


#1  2007-11-20
thatgeekinit (Junior Member; joined 2007-11-20; posts: 2)
Non-Contiguous port ranges in a service?

I am migrating slowly to Check Point NGX R65 on Nokia from IOS access-list based firewalling.
I am taking this opportunity to cut down on the number of rules. Because this is a whitelist environment (blocking outgoing and incoming by default), we have thousands of rules even though the number of applications and the number of clients are relatively small.

I have a list of servers and a variety of nonstandard ports that they use for the main application here and I am wondering if there is a way to define a service with non-contiguous ports without creating a whole bunch of them and then grouping them.

For instance, can I create a single service object that has, say, ports 1001, 6006, and 2003 without making one for each and then making a group?

My other question is that reply traffic for many rules is currently allowed based on source port, but with no destination port specified. This does not seem to be an available option in Check Point, since rules only list services, not source and destination port. How do I allow any destination port but restrict the source port from a particular host?
#2  2007-11-20
RobertGraham (Senior Member; joined 2006-02-02; posts: 204)
Re: Non-Contiguous port ranges in a service?

I'm pretty sure you can't specify non-contiguous ports in a single service object. You'll have to create them individually. This seems to be confirmed by the GUI help page titled "To Specify a Port Number." It lists the syntax possibilities, and they all involve contiguous ports.

To specify the source port, you'd go to the Advanced tab. The first field at the top is the source port field. I'd recommend you copy the objects and then customize them so that you can use the standard services too if you want. There's no real drawback to creating more service objects unless you go over the top and add hundreds more.
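Added example, not code from the thread or from Check Point: a small Python generator that writes dbedit input for both questions above. It collapses a non-contiguous port list into contiguous runs (a service object takes one port or one contiguous range), emits one tcp_service per run and gathers them in a service group the rule base can reference once; it also emits a service matched on source port with the destination port opened to the full 1-65535 range. The dbedit field names `port` and `src_port`, the `addelement services <group> '' services:<svc>` membership form and every object name are assumptions, and the port lists are constructed for the example.

```python
"""Generate dbedit commands for non-contiguous port lists and a
source-port service.  Added example; field names and object names are
assumptions, not taken from the page."""
from typing import Iterable, List, Tuple

MIN_PORT, MAX_PORT = 1, 65535


def collapse_ports(ports: Iterable[int]) -> List[Tuple[int, int]]:
    """Sort, de-duplicate and merge a port list into contiguous (lo, hi) runs."""
    runs: List[Tuple[int, int]] = []
    for p in sorted(set(ports)):
        if not MIN_PORT <= p <= MAX_PORT:
            raise ValueError(f"port out of range: {p}")
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)      # extend the current run
        else:
            runs.append((p, p))              # start a new run
    return runs


def port_spec(lo: int, hi: int) -> str:
    """Port field syntax: a single port, or 'lo-hi' for a contiguous range."""
    return str(lo) if lo == hi else f"{lo}-{hi}"


def service_name(prefix: str, lo: int, hi: int) -> str:
    """One object name per run, e.g. app_tcp_1001 or app_tcp_1001_1003."""
    return f"{prefix}_{lo}" if lo == hi else f"{prefix}_{lo}_{hi}"


def service_group_commands(group: str, prefix: str, ports: Iterable[int],
                           proto: str = "tcp") -> List[str]:
    """dbedit commands: one <proto>_service per contiguous run, then the group."""
    runs = collapse_ports(ports)
    if not runs:
        raise ValueError("empty port list")
    cmds: List[str] = []
    for lo, hi in runs:
        name = service_name(prefix, lo, hi)
        cmds += [f"create {proto}_service {name}",
                 f"modify services {name} port {port_spec(lo, hi)}",  # assumed field
                 f"update services {name}"]
    cmds.append(f"create service_group {group}")
    for lo, hi in runs:
        cmds.append(f"addelement services {group} '' "       # assumed syntax
                    f"services:{service_name(prefix, lo, hi)}")
    cmds.append(f"update services {group}")
    return cmds


def source_port_service_commands(name: str, src_ports: Iterable[int],
                                 proto: str = "tcp") -> List[str]:
    """dbedit commands for a service matched on source port, any destination port.

    src_ports must collapse to a single contiguous run, because one service
    carries one port expression.  `src_port` is an assumed field name.
    """
    runs = collapse_ports(src_ports)
    if len(runs) != 1:
        raise ValueError(f"source ports are not contiguous: {runs}")
    lo, hi = runs[0]
    return [f"create {proto}_service {name}",
            f"modify services {name} port {MIN_PORT}-{MAX_PORT}",
            f"modify services {name} src_port {port_spec(lo, hi)}",
            f"update services {name}"]


def dbedit_script(*command_lists: List[str]) -> str:
    """Join command lists into a file for `dbedit -f`, saving at the end."""
    body = [c for cmds in command_lists for c in cmds]
    return "\n".join(body + ["update_all", "quit"]) + "\n"


if __name__ == "__main__":
    # Constructed input: the three ports from the question plus 1002 and 1003,
    # so that 1001-1003 is merged into a single service object.
    APP_PORTS = [1001, 6006, 2003, 1002, 1003, 6006]
    print(dbedit_script(
        service_group_commands("grp_app_ports", "app_tcp", APP_PORTS),
        source_port_service_commands("app_reply_from_2003", [2003]),
    ))
```

Feed the output to dbedit on the SmartCenter (dbedit -f) against a backed-up database first and check the objects in SmartDashboard before installing policy. Two caveats on the source-port question: FireWall-1 is stateful, so replies belonging to an accepted connection are passed by the connection table and the IOS-style "allow reply by source port" rules need no equivalent; and since the client chooses its own source port, a rule that admits any destination port on the strength of the source port alone is trivially satisfied on purpose and is best avoided.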