Solved: Resquence ports in Pix service object-group?

mmedwid · ‎04-04-2008

Say I have..

object-group service PORT-Web-App tcp

port-object eq 6400

port-object eq 6500

port-object eq 8800

..and a few days later I configure

conf t

object-group service PORT-Web-App tcp

port-object eq 4000

port-object eq 6100

the result is

object-group service PORT-Web-App tcp

port-object eq 6400

port-object eq 6500

port-object eq 8800

port-object eq 4000

port-object eq 6100

Is there any way to resequence the object so it would appear like this in the config?

object-group service PORT-Web-App tcp

port-object eq 4000

port-object eq 6100

port-object eq 6400

port-object eq 6500

port-object eq 8800

cisco24x7 · ‎04-04-2008

This solution is a very simple one:

Original:

object-group service test tcp

port-object eq 8080

port-object eq 8081

port-object eq 8082

port-object eq 22

port-object eq 21

port-object eq 23

port-object eq 8000

access-list External extended permit icmp any any log

access-list External extended permit tcp any any object-group test log

Now you want to re-arrange so that it will look something WITHOUT disrupting the traffics:

object-group service test tcp

port-object eq 21

port-object eq 22

port-object eq 23

port-object eq 8000

port-object eq 8080

port-object eq 8081

port-object eq 8082

what you will do is this:

1- create a temp group-object:

object-group service temp tcp

port-object eq 21

port-object eq 22

port-object eq 23

port-object eq 8000

port-object eq 8080

port-object eq 8081

port-object eq 8082

2- put this group-object inside test group:

object-group service test tcp

group-object temp

3- Now remove the following lines inside test:

no port-object eq 8080

no port-object eq 8081

no port-object eq 8082

no port-object eq 22

no port-object eq 21

no port-object eq 23

no port-object eq 8000

port-object eq 21

port-object eq 22

port-object eq 23

port-object eq 8000

port-object eq 8080

port-object eq 8081

port-object eq 8082

no group-object temp

You will NOT disrupt any live traffics and

achieving your requirements.

This is the reason why I hate Pix. A very

complicate and stupid way of doing something very simple as this.

CCIE Security

View solution in original post

JORGE RODRIGUEZ · ‎04-04-2008

Yes you can.

object-group service PORT-Web-App tcp

no port-object eq 6400

no port-object eq 6500

no port-object eq 8800

no port-object eq 4000

no port-object eq 6100

port-object eq 4000

port-object eq 6100

port-object eq 6400

port-object eq 6500

port-object eq 8800

HTH

Rgds

Jorge

Jorge Rodriguez

mmedwid · ‎04-04-2008

Well fair enough. Guess I have to be more specific. :-) Removing ports temporarily would run the risk of interrupting conversations passing through the device. Is there any non-destructive way to sequence the service object group?

JORGE RODRIGUEZ · ‎04-04-2008

You may have to plan a change , the esiest way is to simply from a notepad text editor prepare the script copy and past it in firewall, I see no other way to no cause seconds disruption, if say you create another new object-group with proper sequencing you still will need to change the access lists mapped to old object-group to new object-group thus causing also disruption not to mention how many access-lists are using the old object-group.

Rgds

Jorge

Jorge Rodriguez

cisco24x7 · ‎04-04-2008

This solution is a very simple one:

Original:

object-group service test tcp

port-object eq 8080

port-object eq 8081

port-object eq 8082

port-object eq 22

port-object eq 21

port-object eq 23

port-object eq 8000

access-list External extended permit icmp any any log

access-list External extended permit tcp any any object-group test log

Now you want to re-arrange so that it will look something WITHOUT disrupting the traffics:

object-group service test tcp

port-object eq 21

port-object eq 22

port-object eq 23

port-object eq 8000

port-object eq 8080

port-object eq 8081

port-object eq 8082

what you will do is this:

1- create a temp group-object:

object-group service temp tcp

port-object eq 21

port-object eq 22

port-object eq 23

port-object eq 8000

port-object eq 8080

port-object eq 8081

port-object eq 8082

2- put this group-object inside test group:

object-group service test tcp

group-object temp

3- Now remove the following lines inside test:

no port-object eq 8080

no port-object eq 8081

no port-object eq 8082

no port-object eq 22

no port-object eq 21

no port-object eq 23

no port-object eq 8000

port-object eq 21

port-object eq 22

port-object eq 23

port-object eq 8000

port-object eq 8080

port-object eq 8081

port-object eq 8082

no group-object temp

You will NOT disrupt any live traffics and

achieving your requirements.

This is the reason why I hate Pix. A very

complicate and stupid way of doing something very simple as this.

CCIE Security