
Create Rule blocking program.

n.avramenko87
Level 1

Hello, friends! I need your advice.

In my LAN I blocked TeamViewer and AmmyAdmin. All good.
But now I want to deny another application - LiteManagerFree (this is a remote access program).
So I have a problem. This program uses ports 5651, 5650.
What I have done:
- Created a new application detector.
- Added the ports that I need.
- Added this application to blocked in my access control policy.

But it does not work. (This rule works for TeamViewer and Ammy.)

Thank you!!!


Marvin Rhoads
Hall of Fame

Have you confirmed the ports in use via analysis of a connection record or packet capture?

 

Have you tried doing a straight block on the tcp and udp destination ports vs using an application? (This would require its own entry in the ACP.)

Thank you for your time!
1. About analysis. Is it right that I need to use Network Discovery?
Or what do you mean by analysis?
Must I see this application in application detectors?
2. I tried to take only two ports - 5651, 5650 - and block them. This blocking rule was before (above) the rule that blocked TeamViewer. But only the blocking of TeamViewer is working((

You're welcome.

 

Regarding analysis, I mean just looking at the connection record of a host that you use to test the rule and visually confirming that the expected port numbers are the ones in use.

 

Your outcome of simple port blocking not having the expected effect leads me to believe that either the application isn't using only those ports or something else is going on with your rules. I do note from the product web site that one can specify non-standard ports for use. You can try packet-tracer from the CLI or from the GUI to see what rule is allowing or preventing the flow.

 

I am also thinking that, depending on where the server and client are located, you may need to have a rule blocking 5650 and 5651 in both directions (one inbound and one outbound).

Thank you for your vision! I will try to do this.
But how does FP block TeamViewer? I think it is not blocking ports to deny it. It looks at the packets of TeamViewer (at the packet headers). Is that right?
Maybe I can do it for my program? (for blocking)
Thank you for your time!