08-18-2008 02:59 AM
One of my customers and I are wondering how to implement DI with a policy that matches
traffic for MS-SQL services not running on well-known ports. While one has to specify an
application inside the policy configuration for DI, this cannot be done with MS-SQL, because
there is no application like SQL or MS-SQL.
Usually one has to select the proper application for a protocol that has custom ports or port
ranges (version 6.0.0.x, C&E Volume 4, page 152):
- - - - - -
When using a custom service in a policy with a Deep Inspection (DI) component,
you must explicitly specify the application that is running on that service so that the
DI module can function properly. For example, if you create a custom service for
FTP running on a nonstandard port number such as 2121 (see Figure 52), you can
reference that custom service in a policy as follows:
set service ftp-custom protocol tcp src-port 0-65535 dst-port 2121-2121
set policy id 1 from untrust to trust any ftp-srv1 ftp-custom permit
However, if you add a DI component to a policy that references a custom service,
the DI module cannot recognize the application because it is using a nonstandard
- - - - - -
So, how is one able to solve this for MS-SQL? Or would you call this a built-in limitation
of "Deep Inspection" on SSG devices?
With kind regards,
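For reference, the complete FTP-on-port-2121 pattern that the quoted C&E passage is describing, written out as an added example rather than text taken from the original post or from the guide: the custom service, the policy that references it, and the explicit application mapping that tells the DI module which protocol parser to apply. The policy id, the untrust/trust zones and the ftp-srv1 address object are assumed to already exist; the `set policy id <n> application <name>` form is ScreenOS's per-policy application override.

```text
set service ftp-custom protocol tcp src-port 0-65535 dst-port 2121-2121
set policy id 1 from untrust to trust any ftp-srv1 ftp-custom permit
set policy id 1 application ftp
```

Without the third line the DI engine has no way to know that port 2121 carries FTP, so any FTP attack objects attached to the policy never match. That third line is exactly the step that cannot be completed for MS-SQL: the application keyword only takes protocols the DI module knows, and the original post notes there is no SQL or MS-SQL entry to select for a custom MS-SQL service.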
08-18-2008 04:42 PM
MS-SQL is not on the list of supported protocols for DI. The list can be found in ScreenOS Concepts & Examples Guide, Volume 4.
In particular, page 129 has the list of available protocols for which DI attack objects exist.