ACL definition protocols/ports

  • Question
  • Updated 3 years ago
  • Answered
Hi, is it possible to configure more than one protocol in the same line definition?
I tried "protocol tcp,udp" but it doesn't work.

When specifying a port, is it possible to add more than one on the same line?
I tried:

destination-port 88;        -> specifies port 88
destination-port 88 - 90;   -> specifies ports 88, 89, 90

Is it possible to have an ACL policy file with, e.g., protocol and port definitions that can later be used by more than one policy?

agd

Posted 3 years ago

Grosjean, Stephane, Employee
ACLs have a "match all" rule, i.e. a logical AND. For that reason you cannot have several protocol definitions, because no packet could match them all. A packet cannot be UDP and TCP at the same time, for example.

Port ranges are supported; you have that right.

The "match any" that you can find is for Routing Policies only.
agd
If I want to specify a list of ports that are not in a range, is that possible?
E.g. I want to allow AD authentication, which uses different ports that are not in a range; can I list them in some way?

I tried without success:

destination-port 88,389; 
Paul Russo, Alum
Hello agd

The only way to specify more than one port is to have multiple entries in the same policy file. For example, you can have one entry that looks at the source IP address and destination-port 88, and then entry #2 with the same source IP and destination-port 389.

That would cover any packet that matches either scenario.

Let me know if that helps

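The workaround from the two answers above, written out as an added example (not a policy file posted by either participant). It assumes the EXOS-style policy syntax suggested by the `destination-port` lines in the question; the entry names, the source prefix 10.1.1.0/24 and the final deny entry are illustrative. Because every entry is a logical AND, Kerberos over TCP and UDP on port 88 and LDAP over TCP on port 389 cannot share one entry, so they become three entries with the same source address; a contiguous range such as the Global Catalog ports 3268-3269 still fits in a single entry.

```text
# ad-auth.pol  (constructed example; names and addresses are assumptions)
# Each entry is an implicit "match all": every condition inside one "if"
# block must hold, so a port list or a protocol list cannot be written in
# a single entry. One entry per (protocol, port) combination instead.

entry ad_kerberos_tcp {
    if match all {
        source-address 10.1.1.0/24;
        protocol tcp;
        destination-port 88;
    } then {
        permit;
    }
}

entry ad_kerberos_udp {
    if match all {
        source-address 10.1.1.0/24;
        protocol udp;
        destination-port 88;
    } then {
        permit;
    }
}

entry ad_ldap_tcp {
    if match all {
        source-address 10.1.1.0/24;
        protocol tcp;
        destination-port 389;
    } then {
        permit;
    }
}

# A contiguous range is allowed in one entry, as confirmed in the thread.
entry ad_global_catalog_tcp {
    if match all {
        source-address 10.1.1.0/24;
        protocol tcp;
        destination-port 3268 - 3269;
    } then {
        permit;
    }
}

# Catch-all for the same source subnet. Entries are evaluated in order and
# the first match wins, so this must stay last or it shadows the permits.
entry deny_other_from_subnet {
    if match all {
        source-address 10.1.1.0/24;
    } then {
        deny;
    }
}
```

Before applying a file like this, run the switch's policy syntax check (on EXOS, `check policy ad-auth`) and, once it is bound to a port or VLAN, confirm with a test client that Kerberos over UDP is matched by its own entry; a common mistake is to write only the TCP entries and then wonder why the first Kerberos exchange, which starts over UDP, is silently dropped by the trailing deny.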
agd
Great! Very clear.

Is it possible to have a definition of ports in one file and then reference it from another policy file?