CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1
2008-02-04
tohhwee72 (Junior Member)
what is the port range for service any

In Checkpoint NGX, what is the port range for service any? Does it only include the well-known ports from 0-1024, or higher ones too? Where can I find the port range for service any in Checkpoint SmartCenter?

Thanks a lot
#2
2008-02-05
melipla (Senior Member)

Any, AFAIK, means any port / any protocol.

There are some strange exceptions, like X11, for which there's an option to include it in any or not. There are other problems, such as VPN routing: even though traffic may match the any rule, it may still be dropped because the packet is not encrypted.

HTH
__________________
It's all in the documentation.
#3
2008-02-05
rokudan (Member)

All ports... 1-65535... And any protocol, tcp/udp plus about 50 or so other protocols...
#4
2008-02-05
Tommo (Junior Member)

It's not that simple, as I understand it: the service "Any" simply means the services for which the "Match for Any" field is ticked within the advanced properties of the service.

If you go into your protocol list, expand a type (e.g. TCP or UDP services), double-click a protocol (e.g. HTTP) and click Advanced; if "Match for Any" is ticked, it will be allowed through by your service of "Any".

Hope this helps.
#5
2008-02-05
dsb.nepo (Senior Member)

If you use a SPLAT or *nix version, you can get a list with the following command.

Code:
printf "localhost\n-t services -pf\n-q\n" | queryDB_util | awk '/Object Name/ {host=$3} /include_in_any/ {print host, ":"$2}' | tee Any_Service.log
This line is from the great book Essential Checkpoint Firewall 1 (ISBN 0-321-18061-5) by Dameon D. Welch-Abernathy.
#6
2008-02-05
rokudan (Member)

Quote:
Originally Posted by Tommo
It's not that simple, as I understand it: the service "Any" simply means the services for which the "Match for Any" field is ticked within the advanced properties of the service.

If you go into your protocol list, expand a type (e.g. TCP or UDP services), double-click a protocol (e.g. HTTP) and click Advanced; if "Match for Any" is ticked, it will be allowed through by your service of "Any".

Hope this helps.
That only applies if you have multiple objects configured on the same port. If you set up, say, a TCP object called test1 on port 123 and then create test2 with the same port 123, the one that has Match for Any is where it will get its properties from when used in an Any rule. If there is no specific service set up for the port, then Match for Any does not apply. If there is already a single object with that setup, it just pulls that object's properties.

So in short, Any does mean all ports 1-65535; when/if something is ticked as Match for Any, it will use that object for properties like timeout, sync and type.
#7
2008-02-06
gavvys (Senior Member)

Hi,
Good Question
I agree with Tommo.
Whoever does not agree, please click the Help option after going to the Advanced option in a service.

You will find the answer over there.

Regards
Ranjit
#8
2008-02-06
chillyjim (Senior Member)

The "Match on any" is for defined services that are in conflict.

e.g. ssh and ssh_v2; an "any" rule matches "ssh"

If "any" was not "all ports and protocols" the "any any any drop" rule wouldn't work.

I've posted this before, but I can't find it right now.
The following is from Check Point Development

Quote:
“Any” service means every port (known, defined, unknown, or undefined) when used in the rulebase. Otherwise, “any, any, any, any, drop” rule would be completely worthless.

However, there are various reasons why a packet may get dropped despite having a single any,any,any,any,accept rule in the rulebase. These reasons vary from version to version and hotfix to hotfix primarily because these versions can include new deep-level application inspect (service dropped by SmartDefense protocol enforcement such as SIP drop when encapsulated in http).
Some common reasons for dropped packets despite an “any-accept” rule:
- Protocol enforcement (i.e. port 80 really is http traffic)
- IP Options flags exist on the IP header and the packet is dropped before the rulebase (i.e. PIM multicast traffic in version 4.1)
- (Rare) Limitation in Firewall, Acceleration, QOS, or Clustering implementation that sees the traffic as invalid (usually quickly fixed in a later HFA or SHF)
- TCP out of state (asymmetric routing problems or long delays that allow the tcp start timeout to expire before syn-ack)
- UDP or undefined service out of state caused by bi-directional data traffic
- Complex code required for NAT and other functions but proper inspect is not being called by the “any” rule (mentioned by Adam)
  o this can happen when more than one service of a specific port # is defined with “match for any” checked
  o or, if the “match for any” checkbox was removed from an important service definition and other duplicate service objects exist with less complex inspect code calls
  o or, if a new service was defined and selected as “match for any”, which negates the inspect code of other pre-defined services. An example of this would be manually creating a tcp service for port 135 and configuring it for “match for any”. This would potentially prevent the portmap service from properly matching the dce-rpc code uuid’s defined in the dce-rpc pre-defined services.

In short, because the list of reasons is dynamic from one version to the next and can be very specific to unpredictable customer mis-configurations, it is not practical to try to compile a complete list and keep it up-to-date.

I hope that the above information helps you respond effectively short of providing a simple list.
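The conflict rokudan describes in #6 (two objects on the same port, one ticked "Match for Any") and the duplicate-flag case in the Check Point Development note above can be checked mechanically against a service list. This is an added example, not code from this thread or from Check Point; the service records are a constructed sample standing in for what the queryDB_util pipeline in #5 would produce.

```python
# Added example (not from the thread or from Check Point): audit service
# objects for "Match for Any" conflicts and report, for each proto/port with
# several objects, which one answers when a rule's Service column is "Any".
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Service(NamedTuple):
    name: str
    proto: str            # "tcp" or "udp"
    port: int
    match_for_any: bool   # the "Match for Any" checkbox under Advanced


# Constructed sample, not a real SmartCenter export: ssh/ssh_version_2 and
# test1/test2 follow the thread; tcp/135 is the duplicate-flag case above.
SAMPLE = [
    Service("ssh", "tcp", 22, True),
    Service("ssh_version_2", "tcp", 22, False),
    Service("test1", "tcp", 123, False),
    Service("test2", "tcp", 123, True),
    Service("ntp-udp", "udp", 123, True),
    Service("custom_135", "tcp", 135, True),
    Service("dce_rpc_135", "tcp", 135, True),
    Service("legacy_a", "tcp", 5000, False),
    Service("legacy_b", "tcp", 5000, False),
]


def audit_match_for_any(services: List[Service]) -> Dict[Tuple[str, int], dict]:
    # Group objects by protocol/port; only ports with 2+ objects are reported.
    by_key: Dict[Tuple[str, int], List[Service]] = defaultdict(list)
    for svc in services:
        by_key[(svc.proto, svc.port)].append(svc)

    report: Dict[Tuple[str, int], dict] = {}
    for key, objs in sorted(by_key.items()):
        if len(objs) < 2:
            continue                      # single object: "Any" just uses it
        flagged = [s.name for s in objs if s.match_for_any]
        if len(flagged) == 1:
            status = "ok"                 # exactly one object answers for "Any"
        elif not flagged:
            status = "no-match-for-any"   # nothing designated for this port
        else:
            status = "ambiguous"          # several objects claim the port
        report[key] = {"objects": [s.name for s in objs],
                       "any_match": flagged, "status": status}
    return report
```

Ports reported as "ambiguous" or "no-match-for-any" are the ones to review in SmartDashboard, since those are the definitions the Development note says can stop the right inspect code being called by an Any rule.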
#9
2008-02-06
chillyjim (Senior Member)

Quote:
Originally Posted by melipla
There are some strange exceptions, like X11, for which there's an option to include it in any or not.
X11 runs "backwards" to normal services (your desktop is the server, not the client), which is why it dropped on an any rule.
#10
2008-02-06
rokudan (Member)

I agree with chillyjim... ;)