Access Control Selected Destination Ports: Protocol=All vs TCP+UDP

Matt Craig
Level 1

In an FMC Access Control rule, what is the difference between Selected Destination Ports "Protocol=All, Port=#" and adding "Protocol=TCP, Port=#" and "Protocol=UDP, Port=#" separately?

For example, if the policy needs to allow TCP (6): 53 and UDP (17): 53, I could add them in as such and have the rule take up 2 rows:

TCP (6): 53

UDP (17): 53

OR, I could technically enter "All: 53" and have the rule take up 1 row:

All: 53

What is the difference/consequence?

Accepted Solution

salman abid
Level 1

Hi Matt,


Creating a policy with

TCP (6): 53

UDP (17): 53

OR

All: 53

In both ways it'll work for you. But you need to understand the difference.

While creating a policy you need to mention

Zones

Networks

VLAN Tags

Users

Application

and then Ports

- Now if you mention "DNS" in the Application section and leave the "Ports" section empty, then it'll take the default port, which is 53, and also note that it'll call for Layer 7 inspection.

- If you mention DNS in the Application section and tcp/udp:53 in the "Ports" section, then you're forcing the policy to allow the communication only if both conditions are true.

- If you leave the Application section empty and mention tcp:53 or udp:53, then this condition will be true only if the configured (or I would say allowed) traffic hits the SFR. But please note that leaving the "Application" section empty and just mentioning the port doesn't call for Layer 7 inspection.

- If you mention "All" as the destination protocol with port 53, that means any protocol listed in the menu that comes with port 53 will be allowed.


I hope the above has answered your concern.


**Please rate the answer if it helps you**
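To make the four cases in the accepted answer concrete, here is a small Python model of how a rule's Selected Destination Ports and Application conditions combine when a flow is evaluated. It is an added example, not Cisco code and not a statement of documented FMC behaviour: the PortSpec, Flow and Rule classes, the set of port-bearing protocols (tcp, udp, sctp) that an "All: 53" row is assumed to cover, and the APP_DEFAULT_PORTS table are all assumptions of the model, chosen to follow the answer's description. Confirm the exact semantics in the FMC configuration guide before relying on them.

```python
"""Toy model of how an FMC Access Control rule's Selected Destination Ports and
Application conditions combine. Added example, not Cisco code; the semantics
below are assumptions that follow the forum answer, not the FMC documentation."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple

# Assumption: an "All" protocol row with a port number can only match protocols
# that carry a Layer 4 port at all (ICMP, for example, has no port field).
PORT_BEARING_PROTOCOLS = frozenset({"tcp", "udp", "sctp"})

# Assumption: default ports implied when an application is selected and the
# Ports column is left empty (the answer gives DNS -> 53).
APP_DEFAULT_PORTS = {"dns": (53,), "http": (80,), "https": (443,)}


@dataclass(frozen=True)
class PortSpec:
    """One row under Selected Destination Ports, e.g. TCP (6): 53 or All: 53."""
    protocol: str                # "tcp", "udp", "sctp" or "all"
    port: Optional[int] = None   # None means any port

    def matches(self, proto: str, dst_port: Optional[int]) -> bool:
        if self.protocol == "all":
            if self.port is None:
                return True
            return proto in PORT_BEARING_PROTOCOLS and dst_port == self.port
        return proto == self.protocol and (self.port is None or dst_port == self.port)


@dataclass(frozen=True)
class Flow:
    protocol: str               # IP protocol name, lower case
    dst_port: Optional[int]     # None for port-less protocols such as ICMP
    app: Optional[str] = None   # application identified by Layer 7 inspection


@dataclass(frozen=True)
class Rule:
    name: str
    dest_ports: Tuple[PortSpec, ...] = ()          # empty = any port
    applications: FrozenSet[str] = frozenset()     # empty = any application

    def needs_l7_inspection(self) -> bool:
        """An application condition can only be decided once the engine has
        identified the application, so it pulls the flow into L7 inspection."""
        return bool(self.applications)

    def effective_ports(self) -> Tuple[PortSpec, ...]:
        """Application selected with Ports empty: the app's default port is implied."""
        if self.dest_ports or not self.applications:
            return self.dest_ports
        return tuple(PortSpec("all", port)
                     for app in sorted(self.applications)
                     for port in APP_DEFAULT_PORTS.get(app, ()))

    def matches(self, flow: Flow) -> bool:
        """Every configured condition must hold (conditions are ANDed)."""
        ports = self.effective_ports()
        if ports and not any(p.matches(flow.protocol, flow.dst_port) for p in ports):
            return False
        if self.applications and flow.app not in self.applications:
            return False
        return True


def first_match(policy: Sequence[Rule], flow: Flow) -> str:
    """Rules are evaluated top-down; the first match wins, else the default action."""
    for rule in policy:
        if rule.matches(flow):
            return rule.name
    return "default-action"


# The four ways of writing the DNS rule discussed in the thread.
TWO_ROWS = Rule("dns-tcp-udp", dest_ports=(PortSpec("tcp", 53), PortSpec("udp", 53)))
ALL_53 = Rule("dns-all-53", dest_ports=(PortSpec("all", 53),))
APP_ONLY = Rule("dns-app-only", applications=frozenset({"dns"}))
APP_AND_PORT = Rule("dns-app-and-port",
                    dest_ports=(PortSpec("tcp", 53), PortSpec("udp", 53)),
                    applications=frozenset({"dns"}))

if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    for flow in (Flow("udp", 53), Flow("sctp", 53), Flow("icmp", None),
                 Flow("udp", 53, "dns"), Flow("udp", 53, "quic")):
        for rule in (TWO_ROWS, ALL_53, APP_ONLY, APP_AND_PORT):
            print(f"{rule.name:18} {flow.protocol}/{flow.dst_port} app={flow.app}: "
                  f"{'match' if rule.matches(flow) else 'no match'}")
```

What the model makes visible: the two-row rule matches only TCP and UDP to port 53, while the single "All: 53" row also matches any other port-bearing protocol (SCTP, under this model's assumption), so the shorter rule is the wider one. Only the rules that name an application report needs_l7_inspection() as true, and the rule that names both DNS and tcp/udp:53 is the narrowest, since both conditions must hold.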
