We would like to restrict SMB egress traffic on the following ports:
TCP 445 - SMB over TCP port.
TCP 137 - SMB over TCP port (via NetBIOS).
UDP 137 - SMB over UDP port (via NetBIOS).
UDP 138 - SMB over UDP port (via NetBIOS).
TCP 139 - SMB over TCP port (via NetBIOS).
SMB V3 ports
I was thinking of creating object-groups and access lists as follows:
hostname (config)# object-group service badports-udp udp
hostname (config-service)# port-object eq 69
hostname (config-service)# port-object eq 135
hostname (config-service)# port-object range 137 139
hostname (config-service)# port-object range 161 162
hostname (config-service)# port-object eq 514
hostname (config)# object-group service badports-tcp tcp
hostname (config-service)# port-object eq 135
hostname (config-service)# port-object range 137 139
hostname (config-service)# port-object eq 445
hostname (config-service)# port-object range 6660 6669
hostname (config)# access-list 100 extended deny object-group badports-udp any any
hostname (config)# access-list 100 extended deny object-group badports-tcp any any
However, while testing this concept on the packet tracer before implementing it on the 5506-X ASA,
I am receiving the following error:
ERROR: Invalid object-group type
Either I have a syntax problem, or my concept is flawed and I need to find another way to block that traffic.
How would you resolve this?
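The following is an added example of a working egress configuration for ASA 8.3 or later; it is not the poster's configuration and has not been tested in Packet Tracer. The ACL name EGRESS_OUT, the interface name "outside" and the addresses in the packet-tracer commands are assumptions. It covers only the SMB ports listed in the post; the other ports in the poster's object-groups (69, 135, 161-162, 514, 6660-6669) can be added the same way. The root cause the example works around: a service object-group created with a protocol keyword ("object-group service NAME udp") is protocol-specific and is only accepted in the port position of an ACE, after "deny <protocol> <src> <dst>"; placing it in the protocol position is what produces "Invalid object-group type". A service object-group created without the protocol keyword, using service-object lines, is protocol-agnostic and may sit in the protocol position, which is the shape the original ACEs used.

```cisco
! Form 1: protocol-specific service object-groups, referenced in the port position.
object-group service smb-egress-tcp tcp
 port-object eq 445
 port-object range 137 139
object-group service smb-egress-udp udp
 port-object range 137 138

! Protocol first, then source/destination, then the port object-group.
! "log" emits a syslog message for each denied flow, so blocked SMB attempts are visible.
access-list EGRESS_OUT extended deny tcp any any object-group smb-egress-tcp log
access-list EGRESS_OUT extended deny udp any any object-group smb-egress-udp log
! ASA access lists end in an implicit deny; permit the remaining egress traffic explicitly.
access-list EGRESS_OUT extended permit ip any any

! Form 2 (equivalent): a protocol-agnostic service object-group, no tcp/udp keyword,
! which may be placed in the protocol position as the original ACEs attempted.
object-group service smb-egress
 service-object tcp destination eq 445
 service-object tcp destination range 137 139
 service-object udp destination range 137 138
access-list EGRESS_OUT2 extended deny object-group smb-egress any any log
access-list EGRESS_OUT2 extended permit ip any any

! Bind one of the ACLs outbound on the internet-facing interface (name "outside" is assumed).
access-group EGRESS_OUT out interface outside

! Verification from exec mode with the ASA's built-in packet-tracer (addresses are constructed):
! the first should end with "Action: drop", the second with "Action: allow".
packet-tracer input inside tcp 10.0.0.10 40000 203.0.113.5 445
packet-tracer input inside tcp 10.0.0.10 40000 203.0.113.5 443
```

Only one of EGRESS_OUT or EGRESS_OUT2 should be bound to the interface; both are shown to contrast the two object-group forms. If an existing ACL is already applied outbound on that interface, add the deny lines to it above its permit statements instead of creating a new one, since the ASA evaluates ACEs in order and one access-group per interface and direction is allowed.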