Check Point community forum
Author Topic: Match for Any  (Read 1080 times)
Sauce (Newbie, Posts: 1)
« on: September 10, 2010, 10:52:58 AM »

Bonjour,

I am troubleshooting a cluster of firewalls FW-1.
I have 175 Service port conflict warnings, and I need to figure it out. I have several questions:

Is it better to uncheck "Match for Any" from port ranges rather than single ports?
For example, with a conflict between <TCP 111 - 115> and <TCP 112>, I'd better uncheck "Match for Any" from <TCP 111 - 115>. And if so, how are the other ports in the range (111, 113, 114, 115) treated when I have an Any rule? (Are they treated like normal TCP/UDP connections, do they pass in the first place?)

I know that we had better keep the predefined services as "Match for Any", like FTP, SSH, .....
because there are some parameters related to the INSPECT engine for these protocols, but what happens if I have another service that uses the same port as a predefined service (FTP for example) in a rule where we have Any service? Are they treated like FTP and dropped because they don't conform to FTP parameters?

And a final question:

How do I change the warning sensitivity level, for example to avoid having warnings like these and have only warnings for more serious problems?
juve (Administrator, Jr. Member, Posts: 92)
« Reply #1 on: September 10, 2010, 09:13:39 PM »

Hi,

Quote:
    I am troubleshooting a cluster of firewalls FW-1.
    I have 175 Service port conflict warnings, and I need to figure it out. I have several questions:

    Is it better to uncheck "Match for Any" from port ranges rather than single ports?
    For example, with a conflict between <TCP 111 - 115> and <TCP 112>, I'd better uncheck "Match for Any" from <TCP 111 - 115>. And if so, how are the other ports in the range (111, 113, 114, 115) treated when I have an Any rule? (Are they treated like normal TCP/UDP connections, do they pass in the first place?)

The match for any should best be set for the more specific services. If you uncheck match for any on your TCP 111-115, it will not be hit on an Any rule, only the services in the port range that are defined with match for any. All others will be treated as "don't match for any" because of the service definition.

Quote:
    I know that we had better keep the predefined services as "Match for Any", like FTP, SSH, .....
    because there are some parameters related to the INSPECT engine for these protocols, but what happens if I have another service that uses the same port as a predefined service (FTP for example) in a rule where we have Any service? Are they treated like FTP and dropped because they don't conform to FTP parameters?

They will be dropped. If you have a second service on port 21, create a new service on port 21 without match for any and put it before the Any rule, so the correct service is chosen. On the Any rule, the FTP/... inspection will still be performed.

Quote:
    And a final question:

    How do I change the warning sensitivity level, for example to avoid having warnings like these and have only warnings for more serious problems?

As far as I know, this isn't possible.
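The two answers above describe one selection rule: under an "Any" service, only services with "Match for Any" checked are candidates for a connection, and overlapping candidates on the same port are what the "Service port conflict" warning reports; the fix is to clear the checkbox on the less specific service and put the special-case service in its own rule ahead of the Any rule. The following Python model, added here as an illustration and not code from the thread or from Check Point, simulates that behaviour on the poster's own objects (TCP 111-115 versus TCP 112, and a second port-21 service beside FTP) so the effect of each checkbox change can be checked before touching the rulebase. The service and rule names are constructed, and the tie-break of "narrowest range wins" among several Match-for-Any candidates is an assumption made for the model, not a documented Check Point rule.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    """One TCP/UDP service object; lo == hi for a single-port service."""
    name: str
    proto: str                  # 'tcp' or 'udp'
    lo: int                     # first port of the range
    hi: int                     # last port of the range
    match_for_any: bool = True  # state of the "Match for Any" checkbox

    def covers(self, proto: str, port: int) -> bool:
        return self.proto == proto and self.lo <= port <= self.hi

    @property
    def width(self) -> int:
        return self.hi - self.lo + 1


@dataclass(frozen=True)
class Rule:
    """A rule's service column: a tuple of service names, or None for 'Any'."""
    number: int
    services: Optional[Tuple[str, ...]]


def port_conflicts(services: List[Service]) -> List[Tuple[str, str]]:
    """Pairs of services that would both be candidates for the same port under
    an Any rule, i.e. what the 'Service port conflict' warning complains about.
    Services with Match for Any cleared never take part in the conflict."""
    found = []
    for a, b in combinations(services, 2):
        overlap = a.proto == b.proto and a.lo <= b.hi and b.lo <= a.hi
        if overlap and a.match_for_any and b.match_for_any:
            found.append((a.name, b.name))
    return found


def resolve_for_any(services: List[Service], proto: str, port: int) -> Optional[str]:
    """Service definition an Any rule selects for a connection, following the
    reply: only Match-for-Any services are candidates, so a port covered solely
    by a cleared service gets no match. Narrowest-range-wins is an assumption."""
    candidates = [s for s in services if s.match_for_any and s.covers(proto, port)]
    if not candidates:
        return None
    return min(candidates, key=lambda s: s.width).name


def match_rule(rules: List[Rule], services: List[Service],
               proto: str, port: int) -> Optional[Tuple[int, str]]:
    """First rule hit for a connection, and the service object chosen for it.
    An explicit service column ignores Match for Any; an Any column uses it."""
    by_name = {s.name: s for s in services}
    for rule in rules:
        if rule.services is None:
            chosen = resolve_for_any(services, proto, port)
            if chosen is not None:
                return rule.number, chosen
            continue
        for name in rule.services:
            if by_name[name].covers(proto, port):
                return rule.number, name
    return None


# Constructed objects mirroring the question: the rulebase as found (everything
# still Match for Any) and the rulebase after clearing the checkbox on the
# range and on the second port-21 service, as the reply suggests.
BEFORE = [
    Service("TCP_111_115", "tcp", 111, 115),
    Service("TCP_112", "tcp", 112, 112),
    Service("ftp", "tcp", 21, 21),
    Service("custom_21", "tcp", 21, 21),
]
AFTER = [
    Service("TCP_111_115", "tcp", 111, 115, match_for_any=False),
    Service("TCP_112", "tcp", 112, 112),
    Service("ftp", "tcp", 21, 21),
    Service("custom_21", "tcp", 21, 21, match_for_any=False),
]
# Rule 1 carries the non-FTP port-21 service explicitly; rule 2 is the Any rule.
RULES = [Rule(1, ("custom_21",)), Rule(2, None)]

if __name__ == "__main__":
    print("conflicts before:", port_conflicts(BEFORE))
    print("conflicts after: ", port_conflicts(AFTER))
    for port in (21, 112, 113):
        print(f"tcp/{port} ->", match_rule(RULES, AFTER, "tcp", port))
```

Running it shows the two warnings disappear once the range and the duplicate port-21 service stop matching for Any, that TCP 112 is still picked up by the Any rule through the single-port service, and that TCP 113, covered only by the cleared range, is not matched by the Any rule in this model, which is the point to verify on the real gateway (with a test connection and the log) before relying on it.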