Services
When workloads are paired with the PCE, the VEN discovers all running processes and services on a workload and makes those services available for use when writing rules. You can see the discovered services on the Processes tab of the workload's details page.
However, you can also create your own services to specify the service type, as well as the ports and protocols the services use to communicate.
Note
A Windows service's service SID (security identifier) type can be unrestricted or restricted; check it on the workload with sc.exe qsidtype myservice. You can write rules that reference a service with an unrestricted SID by its service name. When the service has a restricted SID type, write the rule without the service name (for example, by port and protocol, or by process only). Including a service with a restricted SID type causes the traffic to be dropped and can cause the traffic to be reported inaccurately when you compare the Reported view with the Draft view.
Service Types
When you create a service, you can choose one of two general types:
All OS: Port-Based: This type of service can be used for writing rules for any workload and is defined by specifying a port and protocol, a port range and protocol, or, in some cases, only the protocol. For example: 80 TCP, 1000-2000 TCP, 500 UDP. For GRE or IPIP, you only need to specify the protocol.
Windows: Process/Service-Based: This type of service can be used for writing rules for Windows workloads only, and is defined by specifying one of the following combinations:
Port and/or Protocol, Windows Process, and Windows Service: 443 TCP c:\windows\myprocess.exe myservice
Port and/or Protocol and Windows Process: 443 TCP c:\windows\myprocess.exe
Port and/or Protocol and Windows Service: 443 TCP myservice
Windows Port and/or Protocol only: 514 UDP
Windows Process only: c:\windows\myprocess.exe
Windows Service only: myservice
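The note above says to confirm a service's SID type before referencing it by name, and the Windows definitions above combine a port/protocol, a process path and a service name. The following PowerShell script is an added example written for this page; it is not Illumio code and does not talk to the PCE. Run it on the Windows workload itself: it parses a definition string in the format shown above, expands the %systemroot% form of a process path (the environment-variable form described later on this page), checks that the executable exists, queries the service's SID type with sc.exe qsidtype, and cross-checks that the service's configured binary is the declared process. The names used (myservice, c:\windows\myprocess.exe) are the page's own placeholders, so on a real host the first two definitions are expected to produce warnings.

```powershell
# Added example for this page (not Illumio code; does not contact the PCE).
# Checks a Windows: Process/Service-Based definition against the local workload.
# Definition format, as on this page: "[port[-port]] [protocol] [process path] [service name]"
# e.g. "443 TCP c:\windows\myprocess.exe myservice", "%systemroot%\myprocess.exe", "system".

function Get-ServiceSidType {
    # Wraps "sc.exe qsidtype <name>", which prints a line such as
    # "SERVICE_SID_TYPE: UNRESTRICTED" (or RESTRICTED / NONE).
    param([Parameter(Mandatory)][string]$ServiceName)
    $text = (& sc.exe qsidtype $ServiceName 2>&1 | Out-String)
    if ($LASTEXITCODE -ne 0) { return 'NOT_FOUND' }   # e.g. error 1060: no such service
    if ($text -match 'SERVICE_SID_TYPE:\s*(\w+)') { return $Matches[1].ToUpper() }
    return 'UNKNOWN'
}

function Parse-ServiceDefinition {
    # Splits the definition into its parts. Tokens are classified by shape:
    # digits (or a range) = port, known keyword = protocol, drive letter or %VAR% prefix = process,
    # anything else = service name. A lone "system" is the all-system-processes keyword.
    param([Parameter(Mandatory)][string]$Definition)
    $d = [ordered]@{ Port = $null; Protocol = $null; Process = $null; Service = $null; SystemKeyword = $false }
    $tokens = @($Definition.Trim() -split '\s+')
    if ($tokens.Count -eq 1 -and $tokens[0] -eq 'system') {   # -eq is case-insensitive
        $d.SystemKeyword = $true
        return [pscustomobject]$d
    }
    foreach ($t in $tokens) {
        if     ($t -match '^\d+(-\d+)?$')           { $d.Port = $t }
        elseif ($t -match '^(TCP|UDP|GRE|IPIP)$')   { $d.Protocol = $t.ToUpper() }
        elseif ($t -match '^(%\w+%|[A-Za-z]:)\\')   { $d.Process = [Environment]::ExpandEnvironmentVariables($t) }
        else                                        { $d.Service = $t }
    }
    return [pscustomobject]$d
}

function Test-ServiceDefinition {
    # Returns OK / WARN / FAIL findings for one definition string.
    param([Parameter(Mandatory)][string]$Definition)
    $d = Parse-ServiceDefinition $Definition
    $findings = New-Object System.Collections.Generic.List[string]
    if ($d.SystemKeyword) {
        $findings.Add('OK: "system" keyword; the rule will allow all system-initiated processes')
        return $findings
    }
    if (-not ($d.Port -or $d.Protocol -or $d.Process -or $d.Service)) {
        $findings.Add('FAIL: empty definition')
        return $findings
    }
    if ($d.Port -and -not $d.Protocol) { $findings.Add('WARN: port given without a protocol') }
    if ($d.Process) {
        if (Test-Path -LiteralPath $d.Process -PathType Leaf) { $findings.Add("OK: process exists: $($d.Process)") }
        else { $findings.Add("WARN: process not found on this host: $($d.Process)") }
    }
    if ($d.Service) {
        switch (Get-ServiceSidType $d.Service) {
            'UNRESTRICTED' { $findings.Add("OK: '$($d.Service)' has an unrestricted SID; safe to reference by name") }
            'RESTRICTED'   { $findings.Add("FAIL: '$($d.Service)' has a restricted SID; remove the service name or the rule will drop traffic") }
            'NOT_FOUND'    { $findings.Add("WARN: service '$($d.Service)' is not installed on this host") }
            default        { $findings.Add("WARN: SID type of '$($d.Service)' is $_; only UNRESTRICTED and RESTRICTED are covered by the note above") }
        }
        if ($d.Process) {
            # A process+service definition only matches when both agree, so the service's
            # configured binary should be the declared process.
            $svc = Get-CimInstance Win32_Service -Filter "Name='$($d.Service)'" -ErrorAction SilentlyContinue
            if ($svc -and $svc.PathName -notlike "*$($d.Process)*") {
                $findings.Add("WARN: service binary is $($svc.PathName), not the declared process")
            }
        }
    }
    return $findings
}

# Usage with the placeholder definitions from this page:
foreach ($def in '443 TCP c:\windows\myprocess.exe myservice', '%systemroot%\myprocess.exe', 'system') {
    "== $def"
    Test-ServiceDefinition $def | ForEach-Object { "   $_" }
}
```

Substitute the real service name and binary path you intend to put in the definition; a FAIL on the SID check means the definition should be rewritten without the service name, as the note above describes.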
Windows Process-based Rules
Rules to Allow System Created Processes
You can create rules to allow all system-initiated processes in Windows. This approach allows all traffic related to drivers and other operating system modules. To do so, create a service of type Windows: Process/Service-Based with the word "system" (case-insensitive) in the Port and/or Protocol text input field. Once you create this service, you can use it in rules.
To create a service that allows all system-initiated processes:
From the PCE web console menu, choose Policy Objects > Services.
Click Add.
Enter a name and description for the service you are adding.
ATTRIBUTES:
Operating System
To add a service definition, from the Operating System drop-down list, select All Operating Systems: Port-Based, Windows Inbound: Process/Service-Based, or Windows Outbound: Process/Service-Based.
If you select All Operating Systems: Port-Based, you can only enter a port, a protocol, or both, separating the port and protocol with a space. For example: 512 TCP
If you select Windows Process/Service-Based, in the Port and/or Protocol field, enter a port/protocol, a process or service, or a port/protocol with a process or service, separating the items with a space. For example: port 512 TCP, process C:\windows\myprocess.exe, and Windows service myprocess. To allow all system-initiated processes, enter the word system (case-insensitive) in this field instead.
Service Definitions
To remove a service definition, under the operating system type it belongs to (All Operating Systems: Port-Based or Windows: Process/Service-Based), select the check box next to its Port and/or Protocol entry. You can select one or more entries.
Click Remove.
Click Save.
Service Using Windows Environment Variables
You can use a Windows environment variable to specify the full path of a process. To do so, create a service of type Windows: Process/Service-Based and enter the path, including the variable, in the Port and/or Protocol text input field.
Note
Currently, only the Windows System variable is supported in the process path. For example: %systemroot%\myprocess.exe
You can also create rules that allow all system-initiated processes in Windows, which allows all traffic related to drivers and other operating system modules, by entering the word system (case-insensitive) in the same text input field.
To create a service that uses a Windows environment variable:
From the PCE web console menu, choose Policy Objects > Services.
Click Add.
In the Name field, enter a name for the service (for example, system).
From the Operating System drop-down list, select Windows: Process/Service-Based.
In Ports & Protocols, enter the process path using the environment variable, or a port/protocol followed by the path, separating the items with a space. For example:
%systemroot%\myprocess.exe
Click Save.