6-86
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 6 Managing Policy Objects
Understanding and Specifying Services and Service and Port List Objects
Many policies in Security Manager require that you identify a service to which the policy applies. A
service is a protocol and port definition that identifies a particular type of traffic. In many cases, you can
specify the service directly in the policy. You can also select service policy objects that define the
required services, or use a combination of service objects and policy-specific service designations.
Service objects are convenient because you can create objects to represent the composition of a
particular application, or you can model them after the logical organizations that exist on your network,
such as a development team or corporate department. There are two types of service policy object:
• Service group—Can contain one or more services, including other service objects. This is the type
of service object that was available in all Security Manager 3.x releases.
• Service object—Can contain a single service.
When configuring a policy that requires that you identify a service, you can select or create service
objects by clicking the Select button next to the Services field. To create a new service from the selection
dialog box, click the Add button beneath the service list and select a type: group or object. You can also
create services from the Policy Object Manager by selecting Services > Services from the table of
contents and clicking the Add Object button and selecting group or object. For information on the
specific fields available when creating a service object, see Configuring Service Objects, page 6-89.
Security Manager includes a comprehensive collection of predefined service group objects, including
ICMP messages and objects for commonly used services such as HTTP, Syslog, POP3, Telnet, and
SNMP. Before using a predefined service group object, you should review the object definition to verify
that it conforms to your network implementation. If the predefined object does not meet your needs (for
example, if you require different destination ports), you can create a new service object from scratch or
based on a copy of an existing object. For more information, see Cloning (Duplicating) Objects,
page 6-13.
Whether you are creating a service object or specifying services directly in a policy, you can specify
services using the following formats. As you type, Security Manager might prompt you with
text-completion options related to your entry. You can select a value from the list and press Enter or Tab.
You can enter more than one service by separating services with commas.
• protocol, where the protocol is 1-255 or a well-known protocol name such as tcp, udp, gre, icmp,
and so forth. If you enter a number, Security Manager might convert it to the associated name.
• icmp/message_type/message_code, where the message type is 1 to 255 or a well-known ICMP
message type name such as echo, and the message code is 0 to 255 (for example,
icmp/unreachable/1 or icmp/echo-reply).
• icmp6/message_type/message_code, where the message type is 1 to 255 or a well-known ICMP
message type name such as echo, and the message code is 0 to 255 (for example,
icmp6/unreachable/1 or icmp6/echo-reply).
• {tcp | udp | tcp&udp}/{destination_port_number | port_list_object}, where the destination port
number is 1-65535 or the name of a port list object. You can enter a range of ports using a hyphen,
for example, 10-20. The source port number is the Default Range port list object. The Default Range
object includes either all ports (1-65535) or all secure ports (1024-65535), depending on the setting
you select in the Policy Objects Page, page 11-47 (select Tools > Security Manager
Administration > Policy Objects).
For example, defining a service as tcp/10 means that 10 is the destination port and no source port is
defined.
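The following parser is an added example, not part of the Cisco guide or of Security Manager itself. It validates service strings in the formats listed above (plain protocol, icmp/icmp6 type and code, tcp/udp/tcp&udp with a port, range or port list object, and comma-separated lists) and applies the source-port rule for the Default Range object. The protocol, ICMP type and port list object tables are constructed subsets for illustration; the product's own name tables are larger, and the secure_ports_only flag only stands in for the administration setting the guide describes.

```python
"""Validate Security Manager-style service strings (added example, not product code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed lookup tables: small subsets of the well-known names the guide mentions.
PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51, "icmp6": 58}
PROTOCOL_NAMES = {num: name for name, num in PROTOCOL_NUMBERS.items()}
ICMP_TYPES = {
    "icmp":  {"echo-reply": 0, "unreachable": 3, "redirect": 5, "echo": 8, "time-exceeded": 11},
    "icmp6": {"unreachable": 1, "packet-too-big": 2, "time-exceeded": 3, "echo": 128, "echo-reply": 129},
}
# Constructed stand-in for port list objects defined in the Policy Object Manager (name -> (low, high)).
PORT_LIST_OBJECTS = {"Default Range": (1, 65535), "WebPorts": (80, 443)}

PortRange = Tuple[int, int]


@dataclass
class Service:
    protocol: str                           # "tcp", "udp", "tcp&udp", "icmp", "icmp6", "gre", ...
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    dst_ports: Optional[PortRange] = None   # destination port or range
    src_ports: Optional[PortRange] = None   # always the Default Range object for tcp/udp


def _number(token: str, low: int, high: int, what: str) -> int:
    """Accept a decimal token only if it lies within [low, high]."""
    if not token.isdigit():
        raise ValueError(f"{what} {token!r} is not a number")
    value = int(token)
    if not low <= value <= high:
        raise ValueError(f"{what} {value} outside {low}-{high}")
    return value


def _port_spec(token: str) -> PortRange:
    """Destination port field: a port list object name, a single port, or a hyphenated range."""
    if token in PORT_LIST_OBJECTS:
        return PORT_LIST_OBJECTS[token]
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
    if not m:
        raise ValueError(f"unknown port or port list object {token!r}")
    low = _number(m.group(1), 1, 65535, "port")
    high = _number(m.group(2), 1, 65535, "port") if m.group(2) else low
    if low > high:
        raise ValueError(f"port range {token!r} is reversed")
    return (low, high)


def parse_service(text: str, secure_ports_only: bool = False) -> Service:
    """Parse one service string. secure_ports_only mirrors the administration setting that
    makes the Default Range object cover 1024-65535 instead of 1-65535."""
    default_range = (1024, 65535) if secure_ports_only else (1, 65535)
    parts = [p.strip() for p in text.strip().split("/")]
    proto = parts[0].lower()

    # Plain protocol: a number 1-255 (converted to its name when known) or a well-known name.
    if len(parts) == 1:
        if proto.isdigit():
            num = _number(proto, 1, 255, "protocol")
            return Service(protocol=PROTOCOL_NAMES.get(num, str(num)))
        if proto not in PROTOCOL_NUMBERS:
            raise ValueError(f"unknown protocol {proto!r}")
        return Service(protocol=proto)

    # icmp/message_type[/message_code] and icmp6/message_type[/message_code]
    if proto in ICMP_TYPES:
        if len(parts) > 3:
            raise ValueError(f"too many fields in {text!r}")
        names = ICMP_TYPES[proto]
        type_token = parts[1].lower()
        msg_type = names[type_token] if type_token in names else _number(type_token, 1, 255, "ICMP type")
        msg_code = _number(parts[2], 0, 255, "ICMP code") if len(parts) == 3 else None
        return Service(protocol=proto, icmp_type=msg_type, icmp_code=msg_code)

    # {tcp | udp | tcp&udp}/{destination_port | low-high | port_list_object}
    if proto in ("tcp", "udp", "tcp&udp"):
        if len(parts) != 2:
            raise ValueError(f"expected protocol/port in {text!r}")
        return Service(protocol=proto, dst_ports=_port_spec(parts[1]), src_ports=default_range)

    raise ValueError(f"protocol {proto!r} does not take a /field")


def parse_services(text: str, secure_ports_only: bool = False) -> List[Service]:
    """Comma-separated list of services, as typed into a Services field."""
    return [parse_service(item, secure_ports_only) for item in text.split(",") if item.strip()]


def is_valid_service(text: str) -> bool:
    """True when every comma-separated entry parses; the check a form field would run before saving."""
    try:
        parse_services(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for entry in ("tcp/10", "icmp/unreachable/1", "tcp&udp/10-20, udp/Default Range", "tcp/70000"):
        print(f"{entry!r:40} valid={is_valid_service(entry)}")
```

Reviewing a predefined service group object before use, as the guide recommends, comes down to exactly the questions this parser answers: which destination ports each entry actually covers, and whether the source side is all ports or only 1024-65535 under the current administration setting.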