Add option to set application default port as a service port
The default-app-port-as-service option can be used in NGFW mode to set the application default port as a service port. This allows applications to match the policy and be blocked immediately the first time that traffic hits the firewall. When this option is enabled, the NGFW policy aggregates the ports used by the applications in the policy and performs a pre-match on the traffic. This differs from the previous behavior, where traffic had to be identified by IPS first, and policy matching then occurred based on the matched port.
config system settings
    set default-app-port-as-service {enable | disable}
end
This option can be configured on a per-VDOM level.
This setting is enabled by default on new installations. When upgrading, the setting is disabled to retain the previous behavior.
To configure the application default port as service port:
- Configure the VDOM settings:
config system settings
    set vdom-type traffic
    set opmode nat
    set ngfw-mode policy-based
    set block-land-attack disable
    set default-app-port-as-service enable
    set application-bandwidth-tracking disable
end
- Configure the NGFW policy:
config firewall security-policy
    edit 1
        set name "test"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set internet-service-src disable
        set enforce-default-app-port enable
        set action accept
    next
end
Sample logs
The following logging behavior occurs in NGFW mode with default-app-port-as-service:
- When default-app-port-as-service and enforce-default-app-port are enabled, traffic that does not match the default port is blocked immediately. Only a traffic log is generated.
Log with SSH and FTP traffic:
1: date=2022-02-24 time=11:16:36 eventtime=1645730197145603994 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=40402 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=21 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=6811 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="FTP" trandisp="snat" transip=172.16.200.4 transport=40402 duration=10 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"
Log with SSH and FTP traffic with port 2121:
1: date=2022-02-24 time=11:19:20 eventtime=1645730360685614031 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=41362 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=2121 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=7213 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="tcp/2121" trandisp="snat" transip=172.16.200.4 transport=41362 duration=9 sentbyte=60 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appcat="unscanned"
- When default-app-port-as-service is disabled and enforce-default-app-port is enabled, traffic that does not match the default port is not blocked immediately. Application and traffic logs are generated.
Traffic log with SSH and FTP traffic:
1: date=2022-02-24 time=11:21:51 eventtime=1645730511325606916 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=40408 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=21 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=7522 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="FTP" trandisp="snat" transip=172.16.200.4 transport=40408 duration=14 sentbyte=164 rcvdbyte=171 sentpkt=3 rcvdpkt=2 appid=15896 app="FTP" appcat="Network.Service" apprisk="elevated" utmaction="block" countapp=1 utmref=65501-0
Application log with SSH and FTP traffic:
2: date=2022-02-24 time=11:21:39 eventtime=1645730499338228209 tz="-0800" logid="1059028705" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="vd1" appid=15896 srcip=10.1.100.12 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcport=40408 dstport=21 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="FTP" direction="outgoing" policyid=0 sessionid=7522 action="block" appcat="Network.Service" app="FTP" incidentserialno=188744239 msg="Network.Service: FTP" apprisk="elevated"
Traffic log with SSH and FTP traffic with port 2121:
1: date=2022-02-24 time=11:24:25 eventtime=1645730665235613912 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=41366 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=2121 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=7876 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="tcp/2121" trandisp="snat" transip=172.16.200.4 transport=41366 duration=11 sentbyte=112 rcvdbyte=171 sentpkt=2 rcvdpkt=2 appid=15896 app="FTP" appcat="Network.Service" apprisk="elevated" utmaction="block" countapp=1 utmref=65500-0
Application log with SSH and FTP traffic with port 2121:
2: date=2022-02-24 time=11:24:16 eventtime=1645730656426052412 tz="-0800" logid="1060028736" type="utm" subtype="app-ctrl" eventtype="port-violation" level="warning" vd="vd1" appid=15896 srcip=10.1.100.12 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcport=41366 dstport=2121 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="FTP" direction="outgoing" policyid=0 sessionid=7876 action="block" appcat="Network.Service" app="FTP" incidentserialno=188744241 msg="Network.Service: FTP, non-default port used: 2121" apprisk="elevated"