04-23-2018 02:50 PM - edited 02-21-2020 07:39 AM
In FMC Access Control rule, what is the difference between Selected Destination Ports "Protocol=All, Port=#" vs adding "Protocol=TCP, Port=#" and "Protocol=UDP, Port=#" separately.
For example, if policy needs to allow TCP (6): 53 and UDP (17): 53, I could add them in as such and have the rule take up 2 rows:
TCP (6): 53
UDP (17): 53
OR, I could technically enter "All: 53", and have the rule take up 1 row:
All: 53
What is the difference/consequence?
04-24-2018 03:49 AM
Hi Matt,
Creating policy with
TCP (6): 53
UDP (17): 53
OR
All: 53
Both ways will work for you, but you need to understand the difference.
While creating the policy you need to specify
Zones
Networks
VLAN Tags
Users
Application
and then Ports
- If you specify "DNS" in the Application section and leave the "Ports" section empty, it will take the default port, which is 53. Also note that this calls for Layer 7 inspection.
- If you specify DNS in the Application section and tcp/udp:53 in the "Ports" section, you are forcing the policy to allow the communication only if both conditions are true.
- If you leave the Application section empty and specify tcp:53 or udp:53, this condition will be true only if the configured (or I would say allowed) traffic hits the SFR. But please note that leaving the "Application" section empty and just specifying the port does not call for Layer 7 inspection.
- If you specify "All" as the destination protocol with port 53, that means any of the protocols listed in the menu arriving on port 53 will be allowed.
I hope the above has answered your question.
**Please rate the answer if it helps you**
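The way the answer above describes the conditions combining (Application and Ports are ANDed, a port-only rule never looks at the application, "All" covers every port-carrying protocol) can be modelled in a few lines. The block below is an added illustration written for this page; it is not Cisco code and does not talk to an FMC. The flow model, the rule names and the sample flows are constructed, and the treatment of "All" as matching any flow that carries the given destination port is an assumption, not something the thread verifies.

```python
"""Simplified model of how an FMC access control rule's Application and
Destination Ports conditions combine.  Added illustration, not Cisco code.
Assumptions (not in the original post): a flow carries its IP protocol
number, its destination port (None for portless protocols such as ICMP) and
an application name only when Layer 7 inspection identified it; a port
condition with protocol "All" matches any flow carrying that port; a rule
with an empty condition does not evaluate it.  Rule names and the sample
flows below are constructed, not captured traffic."""
from dataclasses import dataclass
from typing import Optional

TCP, UDP, ICMP = 6, 17, 1   # IANA protocol numbers


@dataclass(frozen=True)
class Flow:
    proto: int
    dst_port: Optional[int]          # None for protocols without ports
    app: Optional[str] = None        # set only when L7 detection has run


@dataclass(frozen=True)
class PortCond:
    proto: str                       # "TCP", "UDP" or "All"
    port: int

    def matches(self, f: Flow) -> bool:
        if f.dst_port != self.port:
            return False
        if self.proto == "All":      # assumption: any port-carrying protocol
            return True
        return f.proto == {"TCP": TCP, "UDP": UDP}[self.proto]


@dataclass
class Rule:
    name: str
    apps: frozenset = frozenset()    # empty = no Application condition
    ports: tuple = ()                # empty = no Ports condition

    def needs_l7(self) -> bool:
        # Only an Application condition forces application identification.
        return bool(self.apps)

    def matches(self, f: Flow) -> bool:
        # Populated conditions are ANDed: each one present must be true.
        app_ok = not self.apps or f.app in self.apps
        port_ok = not self.ports or any(p.matches(f) for p in self.ports)
        return app_ok and port_ok


# The ways of writing the rule discussed in the thread.
SPLIT = Rule("tcp53+udp53", ports=(PortCond("TCP", 53), PortCond("UDP", 53)))
ALL53 = Rule("all53", ports=(PortCond("All", 53),))
APP_ONLY = Rule("dns-app", apps=frozenset({"DNS"}))
APP_AND_PORT = Rule("dns-app+ports", apps=frozenset({"DNS"}),
                    ports=(PortCond("TCP", 53), PortCond("UDP", 53)))

# Constructed sample flows.
SAMPLE_FLOWS = (
    Flow(UDP, 53, "DNS"),      # ordinary DNS query
    Flow(TCP, 53, "DNS"),      # DNS over TCP
    Flow(TCP, 53, "HTTPS"),    # something else riding on port 53
    Flow(TCP, 443, "HTTPS"),   # unrelated traffic
    Flow(ICMP, None, None),    # no port at all
)


def evaluate(rule: Rule, flows=SAMPLE_FLOWS) -> list:
    """Return the match result for each flow under the given rule."""
    return [rule.matches(f) for f in flows]


if __name__ == "__main__":
    for r in (SPLIT, ALL53, APP_ONLY, APP_AND_PORT):
        print(f"{r.name:<15} L7={r.needs_l7()!s:<5} {evaluate(r)}")
```

Run it and the two port-only rules give identical results, which is the practical answer to the question: one row or two, the match set is the same. The third sample flow is the one worth noticing: a port-only rule admits whatever happens to be on port 53, while a rule with DNS in the Application section does not, at the cost of requiring Layer 7 inspection.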