
CSS & Service Port Command

cantorb (Level 1)

I am trying to fix a problem in our network that I believe to be caused by ephemeral ports originating on the CSS (tcp 6000-6063). My question is as follows: what exactly does the "(config-service)port" command do? I am trying to avoid using the above mentioned ports as destination port numbers (I think?!). Would the following command accomplish this?

(config-service)port 6064 range 65535

If you have any questions or need further clarification just let me know. Thanks for the help guys.

bc

5 Replies

skumar1969 (Level 1)

(config-service)port 6064 range 65535

You are telling the CSS to talk to those thousands of server listening ports if it gets a content rule hit, which is unrealistic, I think.

Gilles Dufour (Cisco Employee)

If you did not configure a port for your service, it means the CSS will simply reuse the port that was used by the client.

So if you see traffic coming on port 6000-6063 it's because your client is using this port.

Are you sure this is the destination port ?

What port is your application using ?

Gilles.

cantorb (Level 1)

Gilles,

I'm attaching a diagram and config file to help explain what is happening.

In step 5 of the diagram, when the webservers are responding to the request for content, is where we encounter the issue. When the web boxes respond to the CSS with content they respond with incrementing source ports. These ports range from approx. 2000-65500. I am thinking that the CSS doesn't really care what the actual source port of the internet user is and assigns a source port from the incrementing range I described above. When the checkpoint FW sees ports in the 6000-6063 range it recognizes them as X11 traffic and denies it b/c it is considered a security risk (or at least that's what I assume). When these packets are denied we lose access to those webservers for about 2 minutes until the ports cycle out of the X11 range. I've also attached a screenshot of some of the logs so that you can see the incrementing port numbers.

I have two possible solutions for this problem. The first is to add an extra rule in the FW and the second is to somehow exclude the 6000-6063 range in the CSS. Let me know if you have any further questions. Thanks.

bc

Gilles Dufour (Cisco Employee) - Accepted Solution

ok, it makes more sense like this.

The source port is being changed by the CSS because of your group configuration.

You can use the command 'portmap base-port 6100' under your group definition to tell the CSS to only use ports above 6100.

This should solve your problem.

Regards,

Gilles.

cantorb (Level 1)

Gilles,

Thanks for getting me off on the right foot. I knew what needed to be done, just not how to do it! It makes perfect sense now that it would be a group command! I guess hindsight is 20/20.

I did however find that there is a little more that needs to be done. It appears that the command you recommended should be used only after the following command is issued:

portmap number-of-ports 49984

I then used your command:

portmap base-port 6080

One thing of note is that the specific numbers in both commands above must be multiples of 32. Once again thanks for the help!

bc
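As an added sanity check (my example, not code from the thread or from Cisco), here is a small Python script that models the source-port pool a CSS group draws from under a given portmap base-port / number-of-ports pair and tests it against the 6000-6063 range the firewall drops. Two things in it are assumptions rather than facts from the thread: that the CSS hands out number-of-ports consecutive source ports starting at base-port, and that the pre-fix pool is base-port 2016 with 63488 ports, a pair picked only because it matches the roughly 2000-65500 source ports bc observed. Verify both against the CSS documentation for your software release before relying on the numbers.

```python
"""Check a CSS group's portmap source-port pool against a firewall-blocked range.

Added example; the allocation model (consecutive ports from base-port) and the
pre-fix pool values are assumptions, not taken from the thread or Cisco docs.
"""

X11_PORTS = range(6000, 6064)   # 6000-6063: what the firewall treats as X11 and drops (from the thread)
PORTMAP_STEP = 32               # bc reports both portmap values must be multiples of 32
MAX_PORT = 65535

# Assumed pre-fix pool, chosen to match the ~2000-65500 source ports observed in the thread.
ASSUMED_DEFAULT_BASE = 2016
ASSUMED_DEFAULT_COUNT = 63488


def portmap_pool(base_port: int, number_of_ports: int) -> range:
    """Return the pool of source ports the CSS would use for a group.

    Assumption: ports are allocated consecutively from base_port.
    Raises ValueError for values that break the multiple-of-32 rule or run
    past the 16-bit port space, the two ways a bad pair fails.
    """
    for name, value in (("base-port", base_port), ("number-of-ports", number_of_ports)):
        if value <= 0 or value % PORTMAP_STEP:
            raise ValueError(f"portmap {name} {value}: must be a positive multiple of {PORTMAP_STEP}")
    last = base_port + number_of_ports - 1
    if last > MAX_PORT:
        raise ValueError(f"pool {base_port}-{last} runs past port {MAX_PORT}")
    return range(base_port, last + 1)


def blocked_overlap(pool: range, blocked: range = X11_PORTS) -> range:
    """Ports in `pool` that the firewall will drop; an empty range if none."""
    lo = max(pool.start, blocked.start)
    hi = min(pool.stop, blocked.stop)
    return range(lo, hi) if lo < hi else range(0)


def dropped_fraction(pool: range, blocked: range = X11_PORTS) -> float:
    """Share of one full cycle through the pool spent on dropped source ports."""
    return len(blocked_overlap(pool, blocked)) / len(pool)


def check(base_port: int, number_of_ports: int) -> str:
    """Human-readable verdict for a candidate portmap pair."""
    try:
        pool = portmap_pool(base_port, number_of_ports)
    except ValueError as exc:
        return f"REJECTED: {exc}"
    hit = blocked_overlap(pool)
    if hit:
        return (f"pool {pool.start}-{pool.stop - 1} overlaps blocked ports "
                f"{hit.start}-{hit.stop - 1} ({dropped_fraction(pool):.2%} of each cycle)")
    return f"pool {pool.start}-{pool.stop - 1} clear of blocked ports"


if __name__ == "__main__":
    # Before the fix: the assumed default pool straddles the X11 range.
    print("default   :", check(ASSUMED_DEFAULT_BASE, ASSUMED_DEFAULT_COUNT))
    # The first suggestion in the thread: 6100 is not a multiple of 32, which bc's observation rules out.
    print("6100/49984:", check(6100, 49984))
    # What bc ended up with: 6080 + 49984 ports, clear of 6000-6063 and under 65535.
    print("6080/49984:", check(6080, 49984))
```

The middle case is the one worth keeping in mind: base-port 6100 would have cleared the X11 range, but it fails the multiple-of-32 rule bc ran into, which is why 6080 (32 x 190) is the nearest usable value above 6063.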
