Security policy matching exception

2023-09-27 01:04:41 Published

Network Topology

Not applicable.

Problem Description

A security policy was configured on site that used a service object group to restrict the permitted ports. Traffic on ports not listed in the group was found to match this policy as well and pass through.

Process Analysis

Check the configuration on site:

#
rule 16 name untrust-to-trust
  logging enable
  counting enable
  source-zone Untrust
  destination-zone Trust
  service 135&445
#
object-group service 135&445
0 service tcp destination eq 135
5 service tcp destination eq 137
10 service udp destination eq 135
15 service udp destination eq 137
20 service udp destination eq 445
25 service tcp destination eq 139
30 service tcp destination eq 445
35 service tcp source eq 139
40 service tcp source eq 445
45 service udp destination eq 139
50 service udp source eq 445
60 service udp source eq 135
70 service tcp source eq 135
80 service tcp destination eq 14444
85 service tcp source eq 14444
90 service udp source eq 14444
95 service udp destination eq 14444
100 service udp source eq 3333
105 service tcp source eq 3333
#

The same service object group contained both source-port entries and destination-port entries. The software manual documents a product restriction for exactly this case:

When acceleration is enabled for security policies (the default) and for object policies, a rule that references a (nested) service object group containing both source-port and destination-port entries is compiled by OR-ing all of the source ports together and all of the destination ports together. An entry that specifies only a destination port leaves the source port unconstrained (0 to 65535), and an entry that specifies only a source port leaves the destination port unconstrained (0 to 65535); once the entries are OR-ed, both the source range and the destination range become 0 to 65535, so all traffic matches the rule and passes.

Workaround: where both source ports and destination ports need to be matched, create two rules, each referencing its own service object group (one for the source ports, one for the destination ports).

This is why the on-site rule matched all ports: source ports and destination ports must be configured in separate object groups and rules.

Solution

Split the object group into two, one containing only the source-port entries and one containing only the destination-port entries, create a separate security policy rule for each, and reference the corresponding object group from each rule.
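As an added illustration (not taken from this case or from the vendor's documentation), the following Python model compiles a constructed subset of the on-site object group the way the manual describes acceleration doing it, then applies the split described above. The ServiceEntry model and the port-set union are assumptions about the device's internal behaviour, used only to show why mixed groups match everything and split groups do not.

```python
from dataclasses import dataclass
from typing import Optional

ANY_PORT = frozenset(range(65536))  # port set used when an entry leaves that side unconstrained

@dataclass(frozen=True)
class ServiceEntry:
    proto: str
    src: Optional[int] = None  # None: the entry does not constrain the source port
    dst: Optional[int] = None  # None: the entry does not constrain the destination port

# Constructed subset of the on-site group "135&445": destination-only and source-only entries mixed.
MIXED_GROUP = [
    ServiceEntry("tcp", dst=135), ServiceEntry("tcp", dst=445),
    ServiceEntry("tcp", src=139), ServiceEntry("tcp", src=445),
]

def port_set(value):
    return ANY_PORT if value is None else frozenset({value})

def accelerated_match(group):
    """OR all source ports together and all destination ports together, per protocol,
    as the manual describes for an accelerated rule. Returns {proto: (src_set, dst_set)}."""
    compiled = {}
    for e in group:
        src, dst = compiled.get(e.proto, (frozenset(), frozenset()))
        compiled[e.proto] = (src | port_set(e.src), dst | port_set(e.dst))
    return compiled

def rule_matches(compiled, proto, sport, dport):
    if proto not in compiled:
        return False
    src, dst = compiled[proto]
    return sport in src and dport in dst

def split_by_side(group):
    """The documented workaround: one group holding only destination-port entries,
    one holding only source-port entries, each referenced by its own rule."""
    dst_only = [e for e in group if e.src is None]
    src_only = [e for e in group if e.dst is None]
    return src_only, dst_only

def policy_matches(groups, proto, sport, dport):
    """Two rules, each referencing one single-sided group; traffic passes if either matches."""
    return any(rule_matches(accelerated_match(g), proto, sport, dport) for g in groups)

if __name__ == "__main__":
    # Unrelated TCP flow (source 40000, destination 8080): matched by the mixed group, not after the split
    print(rule_matches(accelerated_match(MIXED_GROUP), "tcp", 40000, 8080))  # True
    print(policy_matches(split_by_side(MIXED_GROUP), "tcp", 40000, 8080))    # False
```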
