04-04-2008 06:11 PM - edited 03-11-2019 05:27 AM
Say I have..
object-group service PORT-Web-App tcp
port-object eq 6400
port-object eq 6500
port-object eq 8800
..and a few days later I configure
conf t
object-group service PORT-Web-App tcp
port-object eq 4000
port-object eq 6100
the result is
object-group service PORT-Web-App tcp
port-object eq 6400
port-object eq 6500
port-object eq 8800
port-object eq 4000
port-object eq 6100
Is there any way to resequence the object so it would appear like this in the config?
object-group service PORT-Web-App tcp
port-object eq 4000
port-object eq 6100
port-object eq 6400
port-object eq 6500
port-object eq 8800
04-04-2008 08:27 PM
This solution is a very simple one:
Original:
object-group service test tcp
port-object eq 8080
port-object eq 8081
port-object eq 8082
port-object eq 22
port-object eq 21
port-object eq 23
port-object eq 8000
access-list External extended permit icmp any any log
access-list External extended permit tcp any any object-group test log
Now you want to re-arrange it so that it will look like this WITHOUT disrupting the traffic:
object-group service test tcp
port-object eq 21
port-object eq 22
port-object eq 23
port-object eq 8000
port-object eq 8080
port-object eq 8081
port-object eq 8082
What you will do is this:
1- create a temp group-object:
object-group service temp tcp
port-object eq 21
port-object eq 22
port-object eq 23
port-object eq 8000
port-object eq 8080
port-object eq 8081
port-object eq 8082
2- put this group-object inside test group:
object-group service test tcp
group-object temp
3- Now remove the following lines inside test:
no port-object eq 8080
no port-object eq 8081
no port-object eq 8082
no port-object eq 22
no port-object eq 21
no port-object eq 23
no port-object eq 8000
port-object eq 21
port-object eq 22
port-object eq 23
port-object eq 8000
port-object eq 8080
port-object eq 8081
port-object eq 8082
no group-object temp
You will NOT disrupt any live traffic and will achieve your requirements.
This is the reason why I hate Pix. A very complicated and stupid way of doing something as simple as this.
CCIE Security
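The temp-group method above is a manual procedure. The following Python helper is an added example, not code from the thread or from any Cisco tool: it parses a service object-group from a saved config, emits the same change script (temp group added, originals removed, originals re-added in sorted order, temp group detached) for any group, and then replays that script against a model of the object-group tree to confirm the group's effective port set never shrinks at any step. The sample config, the temp-group name suffix `-tmp`, and the final `no object-group` cleanup line (which the original post does not include) are assumptions.

```python
"""Generate and verify a non-disruptive resequencing script for a Cisco
ASA/PIX service object-group, using the temp-group method from the thread.
Added example; the sample config and names below are constructed."""

import re

# Constructed sample: the group as it would appear after the OP's second edit.
SAMPLE_CONFIG = """\
object-group service PORT-Web-App tcp
 port-object eq 6400
 port-object eq 6500
 port-object eq 8800
 port-object eq 4000
 port-object eq 6100
"""


def parse_service_group(config: str):
    """Return (name, protocol, [ports]) for the first service object-group.
    Only 'port-object eq' members are handled; ranges raise so nothing is
    silently dropped from the generated script."""
    header = re.search(r"^object-group service (\S+) (tcp|udp|tcp-udp)\s*$", config, re.M)
    if not header:
        raise ValueError("no service object-group found")
    name, proto = header.groups()
    ports = []
    for line in config[header.end():].splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith("port-object"):
            break  # next top-level statement: members of this group are done
        m = re.fullmatch(r"port-object eq (\S+)", line)
        if not m:
            raise ValueError(f"unsupported member line: {line!r}")
        ports.append(m.group(1))
    return name, proto, ports


def port_sort_key(port: str):
    """Numeric ports sort numerically; named ports (e.g. 'www') sort after them."""
    return (0, int(port)) if port.isdigit() else (1, port)


def resequence_script(name: str, proto: str, ports, temp_name: str = None) -> str:
    """Emit CLI lines that reorder `ports` in group `name`. The temp group
    (assumed name: <name>-tmp) covers every port while the originals are
    removed and re-added, so ACLs referencing the group keep matching."""
    temp_name = temp_name or f"{name}-tmp"
    ordered = sorted(ports, key=port_sort_key)
    lines = [f"object-group service {temp_name} {proto}"]
    lines += [f" port-object eq {p}" for p in ordered]
    lines.append(f"object-group service {name} {proto}")
    lines.append(f" group-object {temp_name}")
    lines += [f" no port-object eq {p}" for p in ports]
    lines += [f" port-object eq {p}" for p in ordered]
    lines.append(f" no group-object {temp_name}")
    # Cleanup step beyond the original post: drop the now-unreferenced temp group.
    lines.append(f"no object-group service {temp_name} {proto}")
    return "\n".join(lines)


def _effective(groups: dict, name: str) -> set:
    """Ports matched by `name`, including nested group-object members."""
    g = groups.get(name)
    if g is None:
        return set()
    matched = set(g["ports"])
    for child in g["children"]:
        matched |= _effective(groups, child)
    return matched


def simulate(script: str, target: str, initial_ports):
    """Replay the script against a model of the object-group tree. Returns
    (trace, final_ports): the target's effective port set after each line,
    and its own member list at the end."""
    groups = {target: {"ports": list(initial_ports), "children": []}}
    current = None
    trace = []
    for line in script.splitlines():
        t = line.split()
        if t[0] == "object-group":
            current = t[2]
            groups.setdefault(current, {"ports": [], "children": []})
        elif t[:2] == ["no", "object-group"]:
            groups.pop(t[3], None)
            current = None
        elif t[0] == "port-object":
            groups[current]["ports"].append(t[2])
        elif t[:2] == ["no", "port-object"]:
            groups[current]["ports"].remove(t[3])
        elif t[0] == "group-object":
            groups[current]["children"].append(t[1])
        elif t[:2] == ["no", "group-object"]:
            groups[current]["children"].remove(t[2])
        trace.append(frozenset(_effective(groups, target)))
    return trace, list(groups[target]["ports"])


def is_non_disruptive(script: str, target: str, initial_ports) -> bool:
    """True if every intermediate state still matches all original ports."""
    trace, _ = simulate(script, target, initial_ports)
    return all(set(initial_ports) <= state for state in trace)


if __name__ == "__main__":
    name, proto, ports = parse_service_group(SAMPLE_CONFIG)
    script = resequence_script(name, proto, ports)
    print(script)
    print("non-disruptive:", is_non_disruptive(script, name, ports))
```

Run it against a `show running-config object-group` capture; the generated script is what you would paste from Notepad, and `is_non_disruptive` is the check to run before pasting.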
04-04-2008 06:18 PM
Yes you can.
object-group service PORT-Web-App tcp
no port-object eq 6400
no port-object eq 6500
no port-object eq 8800
no port-object eq 4000
no port-object eq 6100
port-object eq 4000
port-object eq 6100
port-object eq 6400
port-object eq 6500
port-object eq 8800
HTH
Rgds
Jorge
04-04-2008 06:26 PM
Well fair enough. Guess I have to be more specific. :-) Removing ports temporarily would run the risk of interrupting conversations passing through the device. Is there any non-destructive way to sequence the service object group?
04-04-2008 06:52 PM
You may have to plan a change. The easiest way is to simply prepare the script in a Notepad text editor, then copy and paste it into the firewall. I see no other way to not cause seconds of disruption. If, say, you create another new object-group with proper sequencing, you will still need to change the access lists mapped from the old object-group to the new object-group, thus also causing disruption, not to mention how many access-lists are using the old object-group.
Rgds
Jorge