04-04-2008 06:11 PM - edited 03-11-2019 05:27 AM
Say I have..
object-group service PORT-Web-App tcp
port-object eq 6400
port-object eq 6500
port-object eq 8800
..and a few days later I configure
conf t
object-group service PORT-Web-App tcp
port-object eq 4000
port-object eq 6100
the result is
object-group service PORT-Web-App tcp
port-object eq 6400
port-object eq 6500
port-object eq 8800
port-object eq 4000
port-object eq 6100
Is there any way to resequence the object so it would appear like this in the config?
object-group service PORT-Web-App tcp
port-object eq 4000
port-object eq 6100
port-object eq 6400
port-object eq 6500
port-object eq 8800
04-04-2008 08:27 PM
This solution is a very simple one:
Original:
object-group service test tcp
port-object eq 8080
port-object eq 8081
port-object eq 8082
port-object eq 22
port-object eq 21
port-object eq 23
port-object eq 8000
access-list External extended permit icmp any any log
access-list External extended permit tcp any any object-group test log
Now you want to re-arrange it so that it will look something like this WITHOUT disrupting the traffic:
object-group service test tcp
port-object eq 21
port-object eq 22
port-object eq 23
port-object eq 8000
port-object eq 8080
port-object eq 8081
port-object eq 8082
What you will do is this:
1- create a temp group-object:
object-group service temp tcp
port-object eq 21
port-object eq 22
port-object eq 23
port-object eq 8000
port-object eq 8080
port-object eq 8081
port-object eq 8082
2- put this group-object inside test group:
object-group service test tcp
group-object temp
3- Now remove the following lines inside test:
no port-object eq 8080
no port-object eq 8081
no port-object eq 8082
no port-object eq 22
no port-object eq 21
no port-object eq 23
no port-object eq 8000
port-object eq 21
port-object eq 22
port-object eq 23
port-object eq 8000
port-object eq 8080
port-object eq 8081
port-object eq 8082
no group-object temp
You will NOT disrupt any live traffic and will achieve your requirements.
This is the reason why I hate PIX. A very complicated and stupid way of doing something as simple as this.
CCIE Security
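A small helper that builds that temp-group change script from the current group and then replays it to confirm the live group never loses a port at any step. This is an added example, not code from the thread; it assumes an ASA/PIX service group made only of "port-object eq N" members and a temp group name that is not already in use.

```python
import re

def parse_object_group(config_text):
    """Parse one 'object-group service NAME PROTO' block into (name, proto, [ports]).
    Only 'port-object eq N' members are handled; anything else raises AttributeError."""
    header, *members = [l.strip() for l in config_text.strip().splitlines()]
    name, proto = re.fullmatch(r"object-group service (\S+) (tcp|udp|tcp-udp)", header).groups()
    ports = [int(re.fullmatch(r"port-object eq (\d+)", l).group(1)) for l in members]
    return name, proto, ports

def reorder_script(config_text, temp_name="temp"):
    """Emit the change script: temp copy, nest it, swap the lines, unnest."""
    name, proto, ports = parse_object_group(config_text)
    ordered = sorted(ports)                                   # numeric, not lexical, order
    out = [f"object-group service {temp_name} {proto}"]
    out += [f" port-object eq {p}" for p in ordered]          # 1. temp group with every port
    out += [f"object-group service {name} {proto}", f" group-object {temp_name}"]  # 2. nest it
    out += [f" no port-object eq {p}" for p in ports]         # 3. drop the old lines,
    out += [f" port-object eq {p}" for p in ordered]          #    re-add them sorted,
    out.append(f" no group-object {temp_name}")               #    then unnest temp
    return "\n".join(out)

def never_loses_coverage(config_text, script):
    """Replay the script line by line; True if the live group's effective port set
    (own ports plus nested groups) never drops a port that was present before."""
    name, _, ports = parse_object_group(config_text)
    own, nested, cur = {name: set(ports)}, {name: set()}, None
    for tok in (line.split() for line in script.splitlines()):
        if tok[0] == "object-group":
            cur = tok[2]; own.setdefault(cur, set()); nested.setdefault(cur, set())
        elif tok[0] == "port-object":
            own[cur].add(int(tok[2]))
        elif tok[0] == "group-object":
            nested[cur].add(tok[1])
        elif tok[:2] == ["no", "port-object"]:
            own[cur].discard(int(tok[3]))
        elif tok[:2] == ["no", "group-object"]:
            nested[cur].discard(tok[2])
        effective = own[name].union(*(own[g] for g in nested[name]))
        if not set(ports) <= effective:
            return False
    return True

# Constructed sample: the PORT-Web-App group from the question, in its on-box order.
SAMPLE = """object-group service PORT-Web-App tcp
 port-object eq 6400
 port-object eq 6500
 port-object eq 8800
 port-object eq 4000
 port-object eq 6100"""
```

Running reorder_script(SAMPLE) prints the paste-ready change, and never_loses_coverage(SAMPLE, script) is the pre-change check that the naive remove-then-re-add sequence fails.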
04-04-2008 06:18 PM
Yes you can.
object-group service PORT-Web-App tcp
no port-object eq 6400
no port-object eq 6500
no port-object eq 8800
no port-object eq 4000
no port-object eq 6100
port-object eq 4000
port-object eq 6100
port-object eq 6400
port-object eq 6500
port-object eq 8800
HTH
Rgds
Jorge
04-04-2008 06:26 PM
Well fair enough. Guess I have to be more specific. :-) Removing ports temporarily would run the risk of interrupting conversations passing through the device. Is there any non-destructive way to sequence the service object group?
04-04-2008 06:52 PM
You may have to plan a change; the easiest way is to simply prepare the script in a Notepad text editor, then copy and paste it into the firewall. I see no other way to not cause seconds of disruption: if, say, you create another new object-group with proper sequencing, you will still need to change the access lists mapped to the old object-group to the new object-group, thus also causing disruption, not to mention how many access-lists are using the old object-group.
Rgds
Jorge