Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2265
Views
1
Helpful
5
Replies

Is there a way to group UDP and TCP services?

Go to solution
0r8it
Level 1
Level 1

‎06-15-2006 01:32 AM - edited ‎03-09-2019 03:15 PM

Hi there,

We're currently doing a migration from some Checkpoint firewalls to PIX 7.x. The ASDM has advanced tremendously since PDM on 6.x, and I'm starting to think it might be of value to use it, versus the CLI.

But one thing we've noticed: Checkpoint has a handy feature that allows the creation of 'service-groups' that can have both UDP and TCP services together.

This makes the Checkpoint rulebase easy to read. On the PIX at present, where its been necessary to have both udp and tcp permitted to a destination, I've had to create 2 separate acl's, one for udp, one for tcp.

Anyone know of a way to unite tcp and udp together in one group? I have a feeling the answer is no, as its not possible in the CLI, and the ASDM is, I think, just a 'visualisation' of the CLI.

TIA-

Gary

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Fernando_Meza
Level 7
Level 7

‎06-15-2006 02:28 AM

Hi .. sure you can use the object group service command ( I can't remember hhow to do it from the GUI as I don't have it in front of me right now ). You c an group udp ports, tcp ports or tcp and udp as well very similar to the way you can do it on Checkpoint.

object-group

To define object groups that you can use to optimize your configuration, use the object-group command

in global configuration mode. Use the no form of this command to remove object groups from the

configuration. This command supports IPv4 and IPv6 addresses.

object-group {protocol | network | icmp-type} obj_grp_id

no object-group {protocol | network | icmp-type} obj_grp_id

object-group service obj_grp_id {tcp | udp | tcp-udp}

I hope it helps ... please rate it if it does !!!

View solution in original post

Go to solution
grant.maynard
Level 4
Level 4
In response to 0r8it

‎06-21-2006 03:34 AM

I don't think you're missing anything: you can't mix tcp and udp.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Fernando_Meza
Level 7
Level 7

‎06-15-2006 02:28 AM

Hi .. sure you can use the object group service command ( I can't remember hhow to do it from the GUI as I don't have it in front of me right now ). You c an group udp ports, tcp ports or tcp and udp as well very similar to the way you can do it on Checkpoint.

object-group

To define object groups that you can use to optimize your configuration, use the object-group command

in global configuration mode. Use the no form of this command to remove object groups from the

configuration. This command supports IPv4 and IPv6 addresses.

object-group {protocol | network | icmp-type} obj_grp_id

no object-group {protocol | network | icmp-type} obj_grp_id

object-group service obj_grp_id {tcp | udp | tcp-udp}

I hope it helps ... please rate it if it does !!!

Go to solution
0r8it
Level 1
Level 1
In response to Fernando_Meza

‎06-15-2006 03:43 AM

Thanks for answering, Fernando.

Let me qualify a little, I think my question was a little unclear.

On PIX, you can create a service group-object that can be either tcp, udp, or tcp-udp (where the service can use both kinds of transport.)

If you create a service group object called, for example, test-group, and define this a a tcp group, you then have a couple of options:

1)you can create individual tcp service objects and embed them in the group

2)you can add another service object group to this group (for example, one called sub-group).

However, with both options 1 and 2, the elements of the group must have the same transport-type as the 'parent-group'. So, in this case, they must all be tcp.

So: if I have created a service group object called, test-group, and defined this a a tcp group, I can add the following to this group:

1)individual tcp service objects (eg, tcp 80, tcp 443)

OR

2)another tcp service object group to this group (eg, one called sub-group).

However, what I cant seem to be able to do is:

Create a service group object called test-group, define this a a tcp-udp group, and add:

1)some individual tcp service objects (eg, tcp 80, tcp 443)

OR

2)another tcp service object group to this group.

As the top-level group object is tcp-udp, logically, all members of this group must also be tcp-udp.

This can be done in Checkpoint: a plain old group can be created and then any kind of service placed within it.

So, am I missing something, or can you create a group and add any kind of udp or tcp service within it?

my best regards to you-

Gary

0 Helpful

Go to solution
grant.maynard
Level 4
Level 4
In response to 0r8it

‎06-21-2006 03:34 AM

I don't think you're missing anything: you can't mix tcp and udp.

0 Helpful

Go to solution
0r8it
Level 1
Level 1
In response to grant.maynard

‎06-21-2006 06:05 AM

Thanks Grant,

again, you're on the money. There does not seem to be a way to do this. A shame, really- it would make configs a whole lot neater.

regards-

0 Helpful

Go to solution
mark.hansel
Level 1
Level 1
In response to Fernando_Meza

‎09-27-2006 09:26 AM

I agree that this is how it should work; however I've "played" with TCP-UDP Service Groups and it appears to me that adding a port object to TCP-UDP service groups appears to only add a UDP port ACL entry, it does not add both. Is this a bug or am I missing something here.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents