Port Groups

Overview

A port group allows you to group port numbers used in TCP and UDP communications by topic and apply them to detection policies. It is used for detecting access to specific ports and analyzing abnormal behavior.

Search Port Group

You can view or search the list of port groups under Policies > Port Groups.

  • Name: Unique name of the port group
  • Description: Detailed information about the port group
  • Owner: User account that added the port group
  • Modified At: Date the port group was created or last modified

To find a specific port group in the list, use the search tool in the toolbar. The search tool finds port groups containing the entered keyword in Name or Description. The search is not case-sensitive.

Download Port Group List

To download the port group list to your local PC, click Download in the toolbar.

Refresh Port Group List

To update the port group list with the latest information, click Refresh in the toolbar.

Add Port Group

To add a port group:

  1. In Policies > Port Groups, click Add in the toolbar.

  2. In the Add Port Group dialog box, enter the required values and click OK.

    • Name: Port group name (up to 50 characters)
    • Description: Detailed description (up to 2,000 characters)

Edit Port Group

To edit a port group:

  1. In the Port Group list, click the name of the port group you want to edit.

  2. In the Edit Port Group screen, edit the port group and click Save.

Search Port

To locate a specific port registered within a port group:

  1. In the Port Group list, click the port group in which you want to search for ports.

  2. You can see the list of registered ports in the Edit Port Group screen.

    • Protocol: Transport layer protocol (TCP, UDP)
    • Range: Port number range
    • Description: Description of the port

The Edit Port Group screen also supports search functionality. The search tool finds ports containing the entered keyword in Range or Description. The search is not case-sensitive.

Add Port

To add a port to a port group:

  1. In the Edit Port Group screen, click Add in the toolbar.

  2. In the Add Port dialog box, enter the port details and click OK.

    • Protocol: Protocol of the port (Options: TCP, UDP; Default: TCP)
    • Start: Starting port number (0–65,535)
    • End: Ending port number (0–65,535). To register a single port, enter the same number in both the Start and End fields.
    • Description: Detailed description (up to 255 characters)

Edit Port

To edit a port registered in a port group:

  1. In the Edit Port Group screen, click Edit in the row of the port you want to modify.
  2. In the Edit Port dialog box, modify the port details and click OK.

Delete Port

To delete a registered port from a port group:

  1. In the Edit Port Group screen, select the checkbox for the port you want to delete.
  2. Click Delete in the toolbar.
  3. In the Delete Port dialog box, check the ports to delete and click Delete. To cancel, click Cancel.

Using Port Group

Port groups can be used in the following ways:

Scenario Builder

In Policy > Stream Rules, you can build a scenario to check whether a suspicious IP address is already registered in an address group.

The following table summarizes port group-related rules available in the scenario builder when the input field type is PORT. For more details, refer to Rules and Parameters by Field Type.

| Rule | Parameter | Range | Description |
|------|-----------|-------|-------------|
| Included in Port Group | Target port group | Select port group. | Filters field values included in the port group. |

Query

When adding or modifying a detection rule in Policies > Stream Rules or Policies > Batch Rules, you can use the matchport command or matchport() function to utilize port groups. Keep in mind that port groups can be used in any feature that supports query input.

To use the matchport command or matchport() function, you need to know the port group’s GUID. The GUID can be found in the browser’s address bar.
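
The following Python sketch is an added example, not the product's own code or query syntax. It models a port group with the Protocol, Start, End, and Description fields described above, so you can check offline which ports a group would cover and spot overlapping rows before referencing the group in a rule. The names PortEntry, in_port_group, overlapping_entries, and matching_flows, the rule that Start may not exceed End, and the assumption that the protocol is part of the match are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PortEntry:
    protocol: str  # "TCP" or "UDP"
    start: int
    end: int
    description: str = ""

    def __post_init__(self):
        if self.protocol not in ("TCP", "UDP"):
            raise ValueError("protocol must be TCP or UDP")
        if not (0 <= self.start <= 65535 and 0 <= self.end <= 65535):
            raise ValueError("Start and End must be within 0-65535")
        if self.start > self.end:  # assumption: Start may not exceed End
            raise ValueError("Start must not exceed End")
        if len(self.description) > 255:
            raise ValueError("Description is limited to 255 characters")

def in_port_group(group, protocol, port):
    """True if protocol/port falls inside any entry (assumed semantics)."""
    return any(e.protocol == protocol.upper() and e.start <= port <= e.end
               for e in group)

def overlapping_entries(group):
    """Same-protocol entries whose ranges overlap, i.e. redundant rows."""
    return [(a, b) for i, a in enumerate(group) for b in group[i + 1:]
            if a.protocol == b.protocol and a.start <= b.end and b.start <= a.end]

def matching_flows(group, flows):
    """Flow records whose destination port is included in the group."""
    return [f for f in flows if in_port_group(group, f["proto"], f["dst_port"])]

# Constructed sample data: a remote-administration group and four flow records
REMOTE_ADMIN = [
    PortEntry("TCP", 22, 22, "SSH"),
    PortEntry("TCP", 3389, 3389, "RDP"),
    PortEntry("TCP", 5900, 5910, "VNC displays"),
    PortEntry("UDP", 3389, 3389, "RDP over UDP"),
]
FLOWS = [
    {"src": "10.0.0.5", "proto": "TCP", "dst_port": 5903},
    {"src": "10.0.0.6", "proto": "UDP", "dst_port": 22},
    {"src": "10.0.0.7", "proto": "TCP", "dst_port": 443},
    {"src": "10.0.0.8", "proto": "udp", "dst_port": 3389},
]

if __name__ == "__main__":
    for flow in matching_flows(REMOTE_ADMIN, FLOWS):
        print(flow)
```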

Delete Port Group

To delete a port group:

  1. In the port group list, select the checkbox for the port group you want to delete.
  2. Click Delete in the toolbar.
  3. In the Delete Port Group dialog box, review the list of port groups to be deleted, then click Delete. To cancel, click Cancel.

Caution
Deleting a port group referenced in a batch or stream rule may cause the rule to function incorrectly.