Ports, Protocols, and Services Management
The Patch Scan uploads record all ports, protocols, and services for each device scanned. This information is pulled from the scans and saved by the server to show which ports, protocols, and services are currently running on that device. This allows users with Patch Administrator or System Owner rights to track the inbound and outbound access these services have over the network. The list of boundaries, with the inbound and outbound descriptions, is available from the help icon next to the table title.
To update the boundary information, check the box for each boundary that the traffic crosses, then click the green save icon to the right of that row. The information is saved, the older record is kept for tracking and versioning, and any new listing or report reflects the change immediately.
Users without rights to edit the data see an “X” in the column for each boundary that is crossed. The clock icon at the far right of each row shows the edit history of that PPSM entry over time, based on scans and manual updates of the boundary information.
You can click the Group By toggle and group all data by the port, protocol, and service. It will show the number of hosts that have that port, protocol, and service used instead of the individual hostname / device being shown.
Uploading PPSM Items
You can also upload a list of PPSM items with the proper columns / fields to add or bulk edit items (matched on hostname, port, protocol, and service) for your system package. If you are a System Owner for the package, click the Upload –> Ports, Protocols, Services List button and select a CSV, XLSX, or JSON file in the expected layout. Sample data is linked and listed below. This allows quick loading of software assets and descriptive information at the system package level.
Download a Sample XLSX as a starting point for uploading a spreadsheet or CSV file. You can also export the general PPSM listing from this page, edit the data, and upload that same file for bulk adding or updating of the PPSM information.
The JSON for the file upload, or for a JSON POST with the data in the request body to the external API, is shown below.
[
  {
    "device": "DEGTHAT2",
    "networkClassification": "UNCLASSIFIED",
    "lowPort": "22",
    "highPort": "",
    "protocol": "tcp",
    "service": "ssh",
    "comments": "Used for local administration and scanning",
    "boundary1": false,
    "boundary2": false,
    "boundary3": false,
    "boundary4": false,
    "boundary5": false,
    "boundary6": false,
    "boundary7": false,
    "boundary8": false,
    "boundary9": false,
    "boundary10": false,
    "boundary11": false,
    "boundary12": false,
    "boundary13": false,
    "boundary14": false,
    "boundary15": false,
    "boundary16": false
  },
  {
    "device": "DEGTHAT3",
    "networkClassification": "UNCLASSIFIED",
    "lowPort": "22",
    "highPort": "",
    "protocol": "tcp",
    "service": "ssh",
    "comments": "Used for local administration and scanning",
    "boundary1": false,
    "boundary2": false,
    "boundary3": false,
    "boundary4": false,
    "boundary5": false,
    "boundary6": false,
    "boundary7": false,
    "boundary8": false,
    "boundary9": false,
    "boundary10": false,
    "boundary11": false,
    "boundary12": false,
    "boundary13": false,
    "boundary14": false,
    "boundary15": false,
    "boundary16": false
  }
]
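Hand-editing sixteen boolean flags per host is error-prone, and because uploads add or update entries by hostname, port, protocol, and service, a duplicated row silently overwrites its twin. The script below is an added example, not OpenRMF Professional code: it converts a simple CSV (one row per host/port/protocol/service, with a comma-separated list of crossed boundary numbers) into the upload JSON shown above, validating port ranges, boundary numbers, and duplicate keys before anything is sent. The output field names come from the sample JSON on this page; the input CSV column layout and the accepted protocol set are assumptions made for this illustration.

```python
"""Build a PPSM upload payload in the JSON shape shown above.

Added example, not OpenRMF Professional code. The output field names
(device, networkClassification, lowPort, highPort, protocol, service,
comments, boundary1..boundary16) are taken from the sample JSON on this
page; the input CSV layout and the accepted protocol list are assumptions
made for this illustration.
"""
import csv
import io
import json

NUM_BOUNDARIES = 16
ACCEPTED_PROTOCOLS = {"tcp", "udp"}  # assumption: extend if your scans report others
UPLOAD_KEY = ("device", "lowPort", "highPort", "protocol", "service")


def parse_port_range(text):
    """'22' -> ('22', ''); '8000-8010' -> ('8000', '8010').

    Ports must be 1..65535 and the range must not be reversed. A single
    port leaves highPort empty, matching the sample JSON above.
    """
    low, sep, high = text.strip().partition("-")
    lo = int(low)
    hi = int(high) if sep else lo
    if not (1 <= lo <= 65535 and 1 <= hi <= 65535):
        raise ValueError(f"port out of range: {text.strip()!r}")
    if hi < lo:
        raise ValueError(f"port range reversed: {text.strip()!r}")
    return str(lo), "" if hi == lo else str(hi)


def parse_boundaries(text):
    """'7,8' -> {7, 8}; blank -> set(). Numbers outside 1..16 are rejected."""
    crossed = set()
    for tok in text.replace(";", ",").split(","):
        tok = tok.strip()
        if not tok:
            continue
        n = int(tok)
        if not 1 <= n <= NUM_BOUNDARIES:
            raise ValueError(f"boundary out of range: {n}")
        crossed.add(n)
    return crossed


def ppsm_record(row):
    """Turn one CSV row (dict) into one upload record with all 16 flags set."""
    proto = row["protocol"].strip().lower()
    if proto not in ACCEPTED_PROTOCOLS:
        raise ValueError(f"unsupported protocol: {proto!r}")
    low, high = parse_port_range(row["ports"])
    crossed = parse_boundaries(row.get("boundaries") or "")
    rec = {
        "device": row["hostname"].strip(),
        "networkClassification": row["classification"].strip().upper(),
        "lowPort": low,
        "highPort": high,
        "protocol": proto,
        "service": row["service"].strip(),
        "comments": row["comments"].strip(),
    }
    for n in range(1, NUM_BOUNDARIES + 1):
        rec[f"boundary{n}"] = n in crossed  # every flag present, explicit true/false
    return rec


def csv_to_ppsm(csv_text):
    """Convert CSV text to the list-of-records payload; raise on the first bad row.

    Uploads add or update by hostname, port, protocol and service, so two rows
    with the same key would silently overwrite each other; that is rejected here.
    """
    records, seen = [], set()
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        try:
            rec = ppsm_record(row)
        except (KeyError, ValueError) as exc:
            raise ValueError(f"line {line_no}: {exc}") from None
        key = tuple(rec[k] for k in UPLOAD_KEY)
        if key in seen:
            raise ValueError(f"line {line_no}: duplicate entry {key}")
        seen.add(key)
        records.append(rec)
    return records


# Constructed sample input; hostnames match the page's sample JSON.
SAMPLE_CSV = """hostname,classification,ports,protocol,service,comments,boundaries
DEGTHAT2,UNCLASSIFIED,22,tcp,ssh,Used for local administration and scanning,
DEGTHAT2,UNCLASSIFIED,443,tcp,https,Web front end reached from the enclave DMZ,"11,12"
DEGTHAT3,UNCLASSIFIED,8000-8010,tcp,app-cluster,Node-to-node traffic inside the enclave,
"""

if __name__ == "__main__":
    print(json.dumps(csv_to_ppsm(SAMPLE_CSV), indent=2))
```

Run it and redirect the output to a .json file to use with the Upload button, or send the same list as the body of a POST to the external API. Every record carries all sixteen boundary flags explicitly, so a reviewer reading the file sees exactly which boundaries were asserted rather than relying on defaults.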
Example DoD Boundary Information is as follows:
- Boundary 1/2 - Network traffic that flows directly to and from an external, non-DoD network to a DoD Network (major network structures managed by DoD to include NIPRNet, SIPRNet).
- Boundary 3/4 - Network traffic that flows to and from an external network to a DoD-controlled DMZ. NOTE: A DoD DMZ is a screened subnet between a DoD network and an external non-DoD network. The DoD DMZ also acts as a special purpose gateway setup to proxy certain types of traffic to/from an external non-DoD network. Not all traffic goes to or passes through a DoD DMZ.
- Boundary 5/6 - Network traffic that flows to and from a DoD DMZ into a DoD Network.
- Boundary 7/8 - Network traffic that flows to and from a DoD Network directly into an enclave. An enclave represents a collection of computing environments connected by one or more internal networks under the control of a single authority and security policy, including personnel and physical security, with primary connection to a DoD network. The most common example is a single military service installation LAN connected to the NIPRNet. Other examples include a base, post, or command. (Note: this DoD Boundary is also referred to as the Navy B1.)
- Boundary 9/10 - Network traffic that flows to and from a DoD Network to an enclave DMZ. The enclave DMZ is a screened subnet that hosts public accessible services/activities for both external and internal networks, thus enforcing two separate security policies.
- Boundary 11/12 - Network traffic that flows to and from an enclave DMZ to the internal enclave. You may also use these boundaries to indicate traffic to/from a legacy network or COI to NMCI (traffic that does not cross the DISN/DODIN), or between systems within the enclave that does not cross the DISN/DODIN.
- Boundary 13/14 - Network traffic that flows to and from an enclave directly to a non-DoD network, typically through a dedicated communications channel or leased line.
- Boundary 15 - Boundary 15 (Enclave-to-Enclave) represents a NIST FIPS 140 validated or NSA approved VPN tunnel (i.e. a site to site tunnel between enclaves) under the authority of multiple DAAs. The connection will be considered a Boundary 15 if the hosting Enclave exercises active control and enforces their security policy on the traffic contained within the VPN (i.e. filtering and blocking based on hosting Enclave policy)
- Boundary 16 - Boundary 16 (Enclave-to-Enclave) represents a NIST FIPS 140 validated or NSA approved VPN tunnel (i.e., a geographically distributed extension of the Enclave) under the authority of the same DAA. The connection will be considered a Boundary 16 connection if the hosting Enclave only breaks the tunnel for inspection but exercises no control or policy enforcement on the traffic within the VPN (i.e. passive monitoring)
You can use the listing above or create your own mapping of what boundaries 1 through 16 mean within your network topology; whichever you choose, document the mapping so that everyone marking the checkboxes applies the same meaning.
Exporting the PPSM Listing to MS Excel
Click the Export button just to the right of the table listing to download all the data into a MS Excel (XLSX) spreadsheet containing all the information seen in the table. This can be used for data calls, reporting, and other requirements outside of using OpenRMF® Professional.
Manually Deleting PPSM Items
For items you manually add or upload from a list, check the box next to each PPSM item to select it for removal. Then open the bulk menu at the top right of the listing, select Delete, and click the Apply button to remove the selected items. The records are then deleted from the listing.