Resequence ports in PIX service object-group?

mmedwid
Level 3

Say I have:

object-group service PORT-Web-App tcp
port-object eq 6400
port-object eq 6500
port-object eq 8800

...and a few days later I configure:

conf t
object-group service PORT-Web-App tcp
port-object eq 4000
port-object eq 6100

The result is:

object-group service PORT-Web-App tcp
port-object eq 6400
port-object eq 6500
port-object eq 8800
port-object eq 4000
port-object eq 6100

Is there any way to resequence the object-group so it would appear like this in the config?

object-group service PORT-Web-App tcp
port-object eq 4000
port-object eq 6100
port-object eq 6400
port-object eq 6500
port-object eq 8800

Accepted Solution

This solution is a very simple one:

Original:

object-group service test tcp
port-object eq 8080
port-object eq 8081
port-object eq 8082
port-object eq 22
port-object eq 21
port-object eq 23
port-object eq 8000

access-list External extended permit icmp any any log
access-list External extended permit tcp any any object-group test log

Now you want to rearrange it so that it will look something like this, WITHOUT disrupting the traffic:

object-group service test tcp
port-object eq 21
port-object eq 22
port-object eq 23
port-object eq 8000
port-object eq 8080
port-object eq 8081
port-object eq 8082

What you will do is this:

1. Create a temp group-object:

object-group service temp tcp
port-object eq 21
port-object eq 22
port-object eq 23
port-object eq 8000
port-object eq 8080
port-object eq 8081
port-object eq 8082

2. Put this group-object inside the test group:

object-group service test tcp
group-object temp

3. Now remove the following lines inside test:

no port-object eq 8080
no port-object eq 8081
no port-object eq 8082
no port-object eq 22
no port-object eq 21
no port-object eq 23
no port-object eq 8000
port-object eq 21
port-object eq 22
port-object eq 23
port-object eq 8000
port-object eq 8080
port-object eq 8081
port-object eq 8082
no group-object temp

You will NOT disrupt any live traffic and will achieve your requirements.

This is the reason why I hate PIX. A very complicated and stupid way of doing something as simple as this.

CCIE Security


4 Replies

JORGE RODRIGUEZ
Level 10

Yes, you can.

object-group service PORT-Web-App tcp
no port-object eq 6400
no port-object eq 6500
no port-object eq 8800
no port-object eq 4000
no port-object eq 6100
port-object eq 4000
port-object eq 6100
port-object eq 6400
port-object eq 6500
port-object eq 8800

HTH

Rgds

Jorge

Jorge Rodriguez

Well, fair enough. Guess I have to be more specific. :-) Removing ports temporarily would run the risk of interrupting conversations passing through the device. Is there any non-destructive way to sequence the service object-group?

You may have to plan a change. The easiest way is to simply prepare the script in a Notepad text editor and copy and paste it into the firewall; I see no other way to avoid a few seconds of disruption. If, say, you create another new object-group with proper sequencing, you will still need to change the access lists mapped to the old object-group over to the new object-group, thus also causing disruption, not to mention how many access-lists may be using the old object-group.

Rgds

Jorge

Jorge Rodriguez
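The two scripts in this thread differ in one thing a change reviewer cares about: whether there is a moment, between two pasted lines, at which the object-group no longer matches a port that the ACL is supposed to permit. The following is an added example, not code from the thread or from Cisco: a small Python replay of the PIX/ASA object-group commands (object-group service, port-object eq, group-object and their no forms) that applies the delete-and-re-add script from the first reply and the accepted solution's nested temp-group procedure to the poster's PORT-Web-App group, and after every line records which original ports the group no longer expands to. The ORIGINAL_PORTS list is the constructed input taken from the question; the trailing "no object-group service temp tcp" cleanup is my addition and is not part of the accepted post.

```python
"""Replay PIX/ASA service object-group edits and flag matching gaps.

Added example, not code from the thread. Models the delete-then-re-add
script from the first reply and the accepted solution's nested temp group,
and after each CLI line records which original ports the group no longer
matches (the window in which a referencing ACL stops permitting them).
"""
import re

# Constructed input: the poster's out-of-order group from the question.
GROUP = "PORT-Web-App"
ORIGINAL_PORTS = [6400, 6500, 8800, 4000, 6100]


class Firewall:
    """Just enough of the object-group CLI to replay the scripts."""

    def __init__(self):
        # name -> entries in config order, each ("port", n) or ("group", name)
        self.groups = {}
        self.current = None

    def run(self, line):
        """Apply one line typed in configuration / object-group mode."""
        m = re.fullmatch(r"(no )?object-group service (\S+) tcp", line)
        if m:
            neg, name = m.groups()
            if not neg:
                self.groups.setdefault(name, [])
                self.current = name
                return
            if any(("group", name) in e for e in self.groups.values()):
                raise ValueError(f"{name} is still referenced")  # PIX refuses too
            self.groups.pop(name, None)
            self.current = None
            return
        if self.current is None:
            raise ValueError(f"not in object-group mode: {line!r}")
        entries = self.groups[self.current]
        m = re.fullmatch(r"(no )?(port-object eq (\d+)|group-object (\S+))", line)
        if not m:
            raise ValueError(f"unsupported line: {line!r}")
        neg, _, port, ref = m.groups()
        entry = ("port", int(port)) if port else ("group", ref)
        if neg and entry in entries:
            entries.remove(entry)
        elif not neg and entry not in entries:
            entries.append(entry)

    def effective_ports(self, name, _seen=()):
        """Expand a group, following nested group-object references."""
        ports = set()
        for kind, value in self.groups.get(name, []):
            if kind == "port":
                ports.add(value)
            elif value not in _seen:
                ports |= self.effective_ports(value, _seen + (name,))
        return ports

    def direct_ports(self, name):
        """port-object entries in the order 'show run' would list them."""
        return [v for k, v in self.groups.get(name, []) if k == "port"]


def naive_resequence(group, ports):
    """First reply: remove every port, then re-add them in sorted order."""
    return ([f"object-group service {group} tcp"]
            + [f"no port-object eq {p}" for p in ports]
            + [f"port-object eq {p}" for p in sorted(ports)])


def nested_resequence(group, ports, temp="temp"):
    """Accepted solution: park the list in a temp group, nest it, rebuild the
    direct entries, unnest. The final cleanup line is my addition."""
    return ([f"object-group service {temp} tcp"]
            + [f"port-object eq {p}" for p in sorted(ports)]
            + [f"object-group service {group} tcp", f"group-object {temp}"]
            + [f"no port-object eq {p}" for p in ports]
            + [f"port-object eq {p}" for p in sorted(ports)]
            + [f"no group-object {temp}", f"no object-group service {temp} tcp"])


def check_transition(group, ports, script):
    """Replay `script` on a firewall that already has `ports` in `group`.

    Returns (worst_gap, final_order): the largest set of original ports left
    unmatched after any single line, and the resulting port-object order.
    """
    fw = Firewall()
    fw.run(f"object-group service {group} tcp")
    for p in ports:
        fw.run(f"port-object eq {p}")
    original, worst = set(ports), set()
    for line in script:
        fw.run(line)
        missing = original - fw.effective_ports(group)
        if len(missing) > len(worst):
            worst = missing
    return worst, fw.direct_ports(group)


if __name__ == "__main__":
    for label, proc in (("delete/re-add", naive_resequence),
                        ("nested temp group", nested_resequence)):
        gap, order = check_transition(GROUP, ORIGINAL_PORTS, proc(GROUP, ORIGINAL_PORTS))
        print(f"{label:18} worst gap: {sorted(gap) or 'none'}  final: {order}")
```

Run as a script it reports that the delete/re-add script passes through a point where none of the five ports is matched, while the nested-group script never drops a port and still ends with the group in sorted order. The same replay can be pointed at any prepared change script before it is pasted into the firewall, which is the "plan a change" step Jorge describes made mechanical.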

