Solved

Fortigate Custom Firewall Service - Source Port Range Question

Posted on 2014-01-09
Last Modified: 2014-01-12
We have a FortiGate 100D - v4.0, build0665, 130514 (MR3 Patch 14). I need to create a new service. When I look at the programming of one of the other custom services (port 83) as an example, I notice the source port has a range of 83 to 65535 and the destination port is set to only 83. Here is the CLI programming…

config firewall service custom
    edit "83"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 83:83-65535
    next
end

I’m not sure why the range is set. Should it only be port 83 or should I set the range? I’m looking for the best practice and the pitfalls of using and/or not using the range.
Question by: SamSchulman

Accepted Solution

by: Soulja
The source ports should range from 1-65535 and your destination port should be the port you are trying to access.

When sources connect to a destination through TCP/IP, they will generate a random source port. That is why you want to allow that range. Now of course if your application uses a fixed source port for some reason you would use that, but in most cases the source port is the range stated above.
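An added example, not part of the original thread and not Fortinet's own tooling: a Python check that parses a tcp-portrange value such as the one in the question and reports whether its source-port part would exclude the random source ports described in the answer. The value grammar (taken from the question's reading of "83:83-65535"), the function names and the ephemeral port ranges are assumptions.

```python
import re

# Assumed grammar for a tcp-portrange value, matching the page's reading of
# "83:83-65535": dst_low[-dst_high][:src_low[-src_high]], space-separated.
ENTRY = re.compile(r"^(\d+)(?:-(\d+))?(?::(\d+)(?:-(\d+))?)?$")
ANY_SOURCE = (1, 65535)  # the full source range given in the accepted answer

# Constructed reference data: ephemeral source-port ranges of common clients.
EPHEMERAL = {"IANA dynamic": (49152, 65535), "Linux default": (32768, 60999)}


def parse_portrange(value):
    """Parse a value into a list of (dst_range, src_range) tuples."""
    entries = []
    for token in value.split():
        match = ENTRY.match(token)
        if not match:
            raise ValueError(f"unrecognised port range: {token!r}")
        dlo, dhi, slo, shi = match.groups()
        dst = (int(dlo), int(dhi or dlo))
        # No source part means the source port is left unrestricted.
        src = (int(slo), int(shi or slo)) if slo else ANY_SOURCE
        for lo, hi in (dst, src):
            if not 0 <= lo <= hi <= 65535:
                raise ValueError(f"invalid range {lo}-{hi} in {token!r}")
        entries.append((dst, src))
    return entries


def audit_source_ports(value):
    """Return (severity, message) findings about source-port restrictions."""
    findings = []
    for dst, src in parse_portrange(value):
        missed = [name for name, (lo, hi) in EPHEMERAL.items()
                  if src[0] > lo or src[1] < hi]
        if missed:
            findings.append(("breaks-clients",
                             f"source {src[0]}-{src[1]} misses {', '.join(missed)}"))
        elif src[0] > ANY_SOURCE[0] or src[1] < ANY_SOURCE[1]:
            findings.append(("narrowed",
                             f"source {src[0]}-{src[1]} is narrower than 1-65535"))
    return findings


if __name__ == "__main__":
    for sample in ("83:83-65535", "83", "83:83"):  # constructed samples
        print(sample, "->", audit_source_ports(sample) or "source unrestricted")
```

A "narrowed" finding means ordinary clients still connect but the lower bound serves no purpose, while "breaks-clients" means clients using random source ports would not match the service.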

Question has a verified solution.
