Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 5 Managing Reusable Objects
Working with Variable Sets
• Excluded values must resolve to a subset of included values. For example, you cannot include the address block 192.168.5.0/24 and exclude 192.168.6.0/24. An error message warns you and identifies the offending variable, and you cannot save your variable set when you exclude a value outside the range of included values.
For information on adding and editing network variables, see .
Working with Port Variables
License: Protection
Port variables represent TCP and UDP ports you can use in the Source Port and Destination Port header fields in intrusion rules that you enable in an intrusion policy. Port variables differ from port objects and port object groups in that port variables are specific to intrusion rules. You can create port objects for protocols other than TCP and UDP, and you can use port objects in various places in the system's web interface, including port variables, access control policies, network discovery rules, and event searches. See  for more information.
You can use port variables in the intrusion rule Source Port and Destination Port header fields to restrict packet inspection to packets originating from or destined to specific TCP or UDP ports.
When you use variables in these fields, the variable set you link to the intrusion policy associated with an access control rule or policy determines the values for these variables in the network traffic where you apply the access control policy.
You can add any combination of the following port configurations to a variable:
• any combination of port variables and port objects that you select from the list of available ports
  Note that the list of available ports does not display port object groups, and you cannot add these to variables. See  for information on creating port objects using the object manager.
• individual port objects that you add from the New Variable or Edit Variable page, and can then add to your variable and to other existing and future variables
  Only TCP and UDP ports, including the value any for either type, are valid variable values. If you use the new or edit variables page to add a valid port object that is not a valid variable value, the object is added to the system but is not displayed in the list of available objects. When you use the object manager to edit a port object that is used in a variable, you can only change its value to a valid variable value.
• single, literal port values and port ranges
  You must separate port ranges with a dash (-). Port ranges indicated with a colon (:) are supported for backward compatibility, but you cannot use a colon in port variables that you create.
  You can list multiple literal port values and ranges by adding each individually in any combination.
Note the following points when adding or editing port variables:
• The default value for included ports in any variable you add is the word any, which indicates any port or port range. The default value for excluded ports is none, which indicates no ports.
  Tip: To create a variable with the value any, name and save the variable without adding a specific value.
• You cannot logically exclude the value any, which, if excluded, would indicate no ports. For example, you cannot save a variable set when you add a variable with the value any to the list of excluded ports.
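The rules this section states (dash-separated ranges, colon ranges only for legacy values, TCP/UDP ports only, the value any may not be excluded, and excluded values must be a subset of included values, the same rule the network-variable bullet above describes for address blocks) can be checked before a variable set is saved. The validator below is an added example, not Cisco's code: the data model (plain literal strings plus a small hypothetical PortObject class standing in for an object-manager entry) is an assumption, and the error strings are this example's own.

```python
"""Added example: validate variable-set entries against the rules in this section.

Not part of the FireSIGHT product; PortObject and the list-based data model are
assumptions made for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

PORT_MIN, PORT_MAX = 0, 65535
# One literal: a single port, or two ports joined by "-" (new) or ":" (legacy only).
_ENTRY = re.compile(r"^(\d{1,5})(?:([-:])(\d{1,5}))?$")


@dataclass(frozen=True)
class PortObject:
    """Hypothetical stand-in for a port object from the object manager."""
    name: str
    protocol: str   # e.g. "TCP", "UDP", "ICMP"
    value: str      # same literal syntax as a typed port value


def parse_port_entry(text, legacy=False):
    """Return (low, high) for one literal; 'any' covers the whole port space."""
    t = text.strip()
    if t.lower() == "any":
        return (PORT_MIN, PORT_MAX)
    m = _ENTRY.match(t)
    if not m:
        raise ValueError(f"malformed port value: {t!r}")
    lo = int(m.group(1))
    hi = int(m.group(3)) if m.group(3) is not None else lo
    # Colon ranges are accepted only for values that already exist (backward compatibility).
    if m.group(2) == ":" and not legacy:
        raise ValueError(f"use a dash for ranges in new variables: {t!r}")
    if not (PORT_MIN <= lo <= hi <= PORT_MAX):
        raise ValueError(f"port range out of order or out of bounds: {t!r}")
    return (lo, hi)


def _merge(ranges):
    """Collapse overlapping or adjacent (lo, hi) tuples into disjoint intervals."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def validate_port_variable(included, excluded, legacy=False):
    """Return a list of error strings; an empty list means the variable can be saved.

    Entries are literal strings or PortObject instances. An empty included list
    means the default 'any'; an empty excluded list means the default 'none'.
    """
    errors = []
    inc_ranges = [(PORT_MIN, PORT_MAX)] if not included else []  # default: any port
    for side, entries in (("included", included), ("excluded", excluded)):
        for e in entries:
            if isinstance(e, PortObject):
                if e.protocol.upper() not in ("TCP", "UDP"):
                    errors.append(f"{side}: object {e.name!r} is {e.protocol}, not TCP/UDP")
                    continue
                literal = e.value
            else:
                literal = e
            try:
                rng = parse_port_entry(literal, legacy=legacy)
            except ValueError as exc:
                errors.append(f"{side}: {exc}")
                continue
            if side == "included":
                inc_ranges.append(rng)
                continue
            if rng == (PORT_MIN, PORT_MAX):
                errors.append("excluded: 'any' cannot be excluded (would match no ports)")
                continue
            # Each excluded range must sit entirely inside one merged included interval.
            if not any(mlo <= rng[0] and rng[1] <= mhi for mlo, mhi in _merge(inc_ranges)):
                errors.append(f"excluded: {literal!r} is not a subset of the included ports")
    return errors


def validate_network_exclusion(included_cidrs, excluded_cidrs):
    """Same subset rule for network variables: each excluded block must lie inside
    some included block (192.168.6.0/24 is not inside 192.168.5.0/24)."""
    inc = [ipaddress.ip_network(c, strict=False) for c in included_cidrs]
    errors = []
    for c in excluded_cidrs:
        net = ipaddress.ip_network(c, strict=False)
        if not any(net.version == i.version and net.subnet_of(i) for i in inc):
            errors.append(f"excluded {c} is outside the included networks")
    return errors


if __name__ == "__main__":
    # Constructed sample: included 80 and the ephemeral range, excluded 8080 (valid).
    print(validate_port_variable(["80", "1024-65535"], ["8080"]))
    # Constructed sample from the text: excluding a block outside the included one.
    print(validate_network_exclusion(["192.168.5.0/24"], ["192.168.6.0/24"]))
```

The subset check merges the included ranges first, so excluding 80-443 from a variable that includes only 80 and 443 is rejected: the two included ports are not contiguous, and the rule concerns the set of included ports, not their endpoints.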