Firewall source/destination order question

Announcer
Getting noticed

If I have a server on vlan2 192.168.1.7/24 and a PC on vlan3 192.168.2.7/24, I need to open up a Symantec antivirus port for the client to get definitions from the server. Let's say it is TCP port 8900. What would the firewall rule look like?

allow <protocol> <source subnet> <src port> <destination subnet> <dst port>

allow, TCP, 192.168.1.0/24, 8900, 192.168.2.0/24, 8900?

Would the source be the server side or the client side?

Would the source port be any and destination be 8900 or vice versa?

Thanks!

ww
Kind of a big deal

The client source port is most of the time a random port. (But not always; best is to make a capture of the traffic and check yourself.)

allow, TCP, 192.168.1.0/24, any, 192.168.2.7, 8900?

alemabrahao
Kind of a big deal

  • Source VLAN 3, port any, destination VLAN 2 port 8900
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Thanks @alemabrahao, just wondering why it wouldn't be

source vlan2, port 8900, destination vlan3, port any?

RaphaelL
Kind of a big deal

It depends on the direction of the flow. If the server is fetching the clients, then it's vlan 2 -> vlan 3. If it is the clients that are pushing to the server, it's vlan 3 -> vlan 2.

Really depends on WHO initiates the sessions. Like ww said, a packet capture would be a good indicator. That, or referring to the network guide of that application.

@RaphaelL answered your question. 🙂

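The approach ww and RaphaelL describe (take a capture, see who sends the SYN, then put the initiating side on the source with "any" source port and the listening host on the destination with the service port) as an added Python example; this is not code from the thread or from Meraki, and the packet records and VLAN map are constructed to match the question's addresses.

```python
import ipaddress
from collections import namedtuple

# One captured TCP packet: src, src port, dst, dst port, TCP flags (S=SYN, A=ACK, P=PSH).
Packet = namedtuple("Packet", "src sport dst dport flags")
# Hypothetical VLAN map using the question's subnets.
VLANS = {"vlan2": ipaddress.ip_network("192.168.1.0/24"),   # server side
         "vlan3": ipaddress.ip_network("192.168.2.0/24")}   # client side

# Constructed sample capture: the VLAN 3 client connects to port 8900 on the VLAN 2 server.
CAPTURE = [
    Packet("192.168.2.7", 51234, "192.168.1.7", 8900, "S"),   # bare SYN from the client
    Packet("192.168.1.7", 8900, "192.168.2.7", 51234, "SA"),  # SYN/ACK from the server
    Packet("192.168.2.7", 51234, "192.168.1.7", 8900, "A"),   # handshake completes
    Packet("192.168.2.7", 51234, "192.168.1.7", 8900, "PA"),  # client request
    Packet("192.168.1.7", 8900, "192.168.2.7", 51234, "PA"),  # server reply
]

def find_initiator(packets, port):
    """Return (initiator_ip, responder_ip): the initiator is whoever sends a bare SYN to `port`."""
    for p in packets:
        if "S" in p.flags and "A" not in p.flags and p.dport == port:
            return p.src, p.dst
    raise ValueError(f"no SYN to port {port} in the capture; record more traffic")

def build_rule(packets, port):
    """Source = the initiating subnet with any source port; destination = the listening host and port."""
    initiator, responder = find_initiator(packets, port)
    src_net = next(net for net in VLANS.values() if ipaddress.ip_address(initiator) in net)
    return {"action": "allow", "protocol": "TCP", "src": str(src_net),
            "src_port": "any", "dst": responder, "dst_port": port}

def rule_text(rule):
    return "{action} {protocol} {src} {src_port} {dst} {dst_port}".format(**rule)

def matches(rule, p):
    """Stateless check of one packet against a rule: direction and both ports must line up."""
    return (ipaddress.ip_address(p.src) in ipaddress.ip_network(rule["src"])
            and rule["src_port"] in ("any", p.sport)
            and p.dst == rule["dst"] and rule["dst_port"] in ("any", p.dport))

# The reversed rule from the question: server subnet, port 8900 -> client, any port.
REVERSED_RULE = {"action": "allow", "protocol": "TCP", "src": "192.168.1.0/24",
                 "src_port": 8900, "dst": "192.168.2.7", "dst_port": "any"}

if __name__ == "__main__":
    rule = build_rule(CAPTURE, 8900)
    print(rule_text(rule))  # allow TCP 192.168.2.0/24 any 192.168.1.7 8900
    # The reversed rule never matches the client's SYN, so the session is never established.
    print(matches(rule, CAPTURE[0]), matches(REVERSED_RULE, CAPTURE[0]))  # True False
```

The reversed rule only ever matches the server's replies, which a stateful firewall already permits once the client's SYN has been allowed.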