What outbound ports should be allowed for http and https traffic

[terri8369]

Our internet browsing rule allows our employees to go out to the internet on http and https, but does not restrict any ports. So, they can type https://www.mysite.com:9876 and go out on 9876. We would like to tighten that down. Is there a best practice for what ports to allow employees to go out on?

We have r80.20

Any help is appreciated. We were looking at this article which is what made us want to tighten our rules down.

https://community.securityeducation....ress-Detection

[Bob_Zimmerman]

The closest thing to a "best practice" is a tautology: allow your users to reach what they need.

Thanks to "cloud" nonsense and IPv4 exhaustion, a lot of public services are being run on effectively-random IPs and high ports. If you allow only a handful of ports out, you will find all of the other needed ports pretty quickly, but you will do so by causing outages.

I, personally, would be more likely to search in SmartLog for the UUID of the rule which is currently allowing traffic, export a million records, and process the log data to see which ports are used and how frequently. If it's an obvious port or a weird port used extremely commonly, I would just add rules to allow it above the existing, broad rule. For weird ports hit less frequently, I would then look at the sources and destinations, and see if I can get in touch with either. After repeating this process for a while, you should have a pretty good list of what is needed, and you can disable the broad rule. Takes time and a fair amount of effort, but this path wouldn't cause outages.