Create a port misuse policy to restrict traffic on a port to the service you expect
there. The policy consists of rules, each binding a port and IP protocol to a service,
plus the action (drop, log, or both) to take when traffic on that port is identified as
a different service.
-
On the Main tab, click .
The Port Misuse screen opens.
-
Click Create.
The New Port Misuse Policy screen opens.
-
Type a name for the port misuse policy.
-
Type an optional description for the port misuse policy.
-
Select the Default Actions for the port misuse
policy.
- Select Drop on Service Mismatch to set a policy
default that drops packets when the service does not match the port, as
defined in the policy rules.
- Select Log on Service Mismatch to set a policy
default that logs service and port mismatches.
-
In the Rule Name field, type a name for a policy
rule.
-
From the Port list, select a port for the port matching
rule.
You can select from a list of commonly used ports, or select
Other and specify a port number.
-
From the IP Protocol list, select the IP protocol for
the port matching rule.
You can select TCP, UDP, or
SCTP.
-
From the Service list, select the service.
This setting associates the selected service with the port and protocol of this rule.
Packets on this port that are identified as a different service are dropped if
Drop on Service Mismatch applies to this rule, either because the rule sets it to
Yes or because the rule uses the policy default and the policy default is Drop on
Service Mismatch.
Important: You can specify a service on any port; you are
not limited to customary port and service pairings. Any
service can be configured on any port as a rule in a port misuse policy.
-
From the Drop on Service Mismatch field, select the drop
behavior.
- Select Use Policy Default to use the default
action for packet drops, when the service does not match the port.
- Select Yes to drop packets when the service does
not match the port.
- Select No to allow packets when the service does
not match the port.
-
From the Log on Service Mismatch field, select the
logging behavior.
- Select Use Policy Default to use the policy's default
logging action when the service does not match the port.
- Select Yes to log service mismatches on this port.
- Select No to suppress logging of service mismatches on this port.
The logging decision is independent of the drop decision. A rule with Drop on
Service Mismatch set to No and Log on Service Mismatch set to Yes records
mismatches without blocking them, which lets you confirm that a new rule matches
the expected traffic before you enforce it; a rule with both set to No lets
mismatched traffic through without leaving a record.
-
Click Finished to save the port misuse policy.
The port misuse policy is saved with the drop and log actions you selected for each
port, but it has no effect until it is applied.
To enforce it, select the port misuse policy in a service policy, and apply the
service policy to a self IP, route domain, firewall rule, or firewall rule list.
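To make the interaction between the policy-wide Default Actions and the per-rule Drop on Service Mismatch and Log on Service Mismatch settings concrete, the following is an added Python model of how those settings resolve for a flow that has already been classified as a given service. It is illustration only, not F5 code and not what the appliance runs; the rule names, the port and service pairings, and the evaluate and audit functions are assumptions made for the example. How the appliance classifies a flow as a particular service is outside the model.

```python
"""Decision model for a BIG-IP AFM port misuse policy.

Added illustration, not F5 code and not the appliance's implementation: it
encodes the resolution rules the procedure above describes (a policy-wide
default for Drop/Log on Service Mismatch, and per-rule values that either
inherit that default or override it) so you can reason about a policy's
behaviour before applying it.  How the appliance classifies a flow as a
given service is outside the model; the caller supplies that result.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# A per-rule value of None stands for "Use Policy Default" in the GUI.
USE_POLICY_DEFAULT = None


@dataclass(frozen=True)
class Rule:
    name: str
    port: int
    protocol: str                     # "tcp", "udp" or "sctp" (IP Protocol list)
    service: str                      # service bound to this port by the rule
    drop_on_mismatch: Optional[bool] = USE_POLICY_DEFAULT
    log_on_mismatch: Optional[bool] = USE_POLICY_DEFAULT


@dataclass
class PortMisusePolicy:
    name: str
    default_drop: bool = False        # Default Actions: Drop on Service Mismatch
    default_log: bool = False         # Default Actions: Log on Service Mismatch
    rules: List[Rule] = field(default_factory=list)

    def find_rule(self, port: int, protocol: str) -> Optional[Rule]:
        """Rules match on port and IP protocol; the first match wins."""
        for rule in self.rules:
            if rule.port == port and rule.protocol == protocol.lower():
                return rule
        return None

    def evaluate(self, port: int, protocol: str,
                 detected_service: str) -> Tuple[bool, bool, Optional[str]]:
        """Return (drop, log, rule_name) for a flow already classified as
        detected_service.  Traffic on an unlisted port, or traffic that
        matches the rule's service, is neither dropped nor logged."""
        rule = self.find_rule(port, protocol)
        if rule is None:
            return False, False, None
        if rule.service == detected_service:
            return False, False, rule.name
        drop = (self.default_drop if rule.drop_on_mismatch is USE_POLICY_DEFAULT
                else rule.drop_on_mismatch)
        log = (self.default_log if rule.log_on_mismatch is USE_POLICY_DEFAULT
               else rule.log_on_mismatch)
        return drop, log, rule.name

    def audit(self) -> List[str]:
        """Names of rules whose effective action on a mismatch is neither drop
        nor log: such a rule silently permits misuse of its port."""
        silent = []
        for rule in self.rules:
            drop, log, _ = self.evaluate(rule.port, rule.protocol, "<mismatch>")
            if not drop and not log:
                silent.append(rule.name)
        return silent


def example_policy() -> PortMisusePolicy:
    """Constructed sample: the policy defaults to drop+log on mismatch, with
    rules showing inherited defaults, a non-customary pairing, a detect-only
    rule and a silent rule.  Names and pairings are illustrative only."""
    return PortMisusePolicy(
        name="pm_example",
        default_drop=True,
        default_log=True,
        rules=[
            # Inherits both policy defaults.
            Rule("web", 80, "tcp", "http"),
            # Any service on any port: SSH is the expected service on 443 here.
            Rule("ssh-on-443", 443, "tcp", "ssh"),
            # Detect-only: log mismatches but do not drop them.
            Rule("dns-detect", 53, "udp", "dns",
                 drop_on_mismatch=False, log_on_mismatch=True),
            # Both overrides set to No: mismatches pass without a trace.
            Rule("legacy-ftp", 21, "tcp", "ftp",
                 drop_on_mismatch=False, log_on_mismatch=False),
        ],
    )


if __name__ == "__main__":
    policy = example_policy()
    for port, proto, svc in [(80, "tcp", "http"), (80, "tcp", "ssh"),
                             (443, "tcp", "http"), (53, "udp", "http"),
                             (21, "tcp", "http"), (22, "tcp", "http")]:
        print(port, proto, svc, "->", policy.evaluate(port, proto, svc))
    print("silent rules:", policy.audit())
```

The audit function is the check worth running on a real policy before applying it: any rule it names has both Drop and Log resolved to No, so misuse of that port is neither blocked nor recorded, which is rarely what was intended.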