Creating a new Service Category
1. Go to Policy & Objects > Services.
2. Select Create New. A drop down menu is displayed. Select Category.
3. Input a Name for the category.
4. Input any additional information in the Comments field.
5. Press OK.
Example of a New Category in the GUI
Field       Value
Name        Obscure Services
Comments    Listing of obscure services being tested by the Development Team.
Example of a New Category in the CLI
config firewall service category
    edit "Obscure Services"
        set comment "Listing of obscure services being tested by the Development Team."
    next
end
Configuring a new service
Occasionally, the preconfigured list of services will not contain the needed service. There are a few variations in the creation of a service depending upon the protocol type, but the first steps in the creation of the service are common to all the variations.
To create a new service:
1. Go to Policy & Objects > Services.
2. Select Create New. A drop down menu is displayed. Select Service.
3. Enter a name in the Name field for the new service.
4. Include any description you would like in the Comments field.
5. In the Service Type field, choose between Firewall and Explicit Proxy. For the purposes of this chapter, Firewall will always be chosen. Explicit Proxy services are covered in the WAN-OPT chapter.
6. Enable the Show in Service List toggle. If you can't see the service when you need to select it, it serves very little purpose.
7. For the Category field, choose the appropriate category from the Category drop down menu. If none is chosen, the Uncategorized option will be chosen by default.
Protocol Options
This is the section where the configuration options of the service differ depending on the type of protocol chosen. (The step numbers continue on from the common step sequence above.)
TCP/UDP/SCTP
8. For the Protocol Type field, choose TCP/UDP/SCTP from the drop down menu.
9. In the IP/FQDN field, an IP address or Fully Qualified Domain Name can be entered if the service is to apply only to a specific destination.
10. Configure the Destination Port by:
- Selecting TCP, UDP or SCTP from the drop down menu.
- Entering the low end of the port range in the field indicated by the grayed out Low.
- Entering the high end of the port range in the field indicated by the grayed out High. If there is only a single port in the range, High can be left empty.
- Multiple ports or port ranges can be added by using the “+” at the beginning of the row
- Rows can be removed by using the trash can symbol at the end of the row
11. If required, you can Specify Source Ports for the service by enabling the toggle switch.
- Each Src Port entry matches up with a Destination Port entry.
- Src Ports cannot be configured without there being a value for the Destination Port.
- The same rules for configuring the Destination Ports apply to the Src Ports.
12. Select OK to confirm the configuration
Example
Example settings for a TCP protocol service. In this case, it is for an administrative connection to web servers on the DMZ. The protocol used is HTTPS which would normally use port 443, but that is already in use by another service such as Admin access to the firewall or an SSL-VPN connection.
Field                   Value
Name                    Example.com_WebAdmin
Comments                Admin connection to Example.com Website
Service Type            Firewall
Show in Service List    enabled
Category                Web Access
Protocol Options
Protocol Type           TCP/UDP/SCTP
IP/FQDN                 <left blank>
Destination Port        Protocol: TCP, Low: 4300, High: <left blank>
Specify Source Ports    <disabled>
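The same service expressed in the CLI, as an added example that is not part of the original page. It mirrors the GUI table above: a single TCP destination port (Low only, so no range), no IP/FQDN restriction, and source ports left unspecified. The `config firewall service custom` table, `protocol TCP/UDP/SCTP`, `tcp-portrange` and `category` settings are standard FortiOS CLI; `set visibility enable` corresponds to the Show in Service List toggle and is assumed to be present in the FortiOS release in use, since the keyword has varied between versions. The second, commented-out line shows the `dst-low-dst-high:src-low-src-high` form that the Specify Source Ports toggle produces, which is illustrative only and not part of the example service.

```fortios
config firewall service custom
    edit "Example.com_WebAdmin"
        set comment "Admin connection to Example.com Website"
        set category "Web Access"
        # Show in Service List (keyword assumed for this release)
        set visibility enable
        set protocol TCP/UDP/SCTP
        # Low 4300, High left blank = exactly one port, not a range
        set tcp-portrange 4300
        # With Specify Source Ports enabled the entry would instead read, e.g.:
        # set tcp-portrange 4300:50000-50100
    next
end
```

Keeping High blank is what keeps the service narrow: `set tcp-portrange 4300-4400` would match a hundred ports, not one. Because the IP/FQDN field is blank, the destination host is governed entirely by the address objects in the policy that references this service, so the service itself stays reusable across rules.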