Services

Creating a new ICMP service in the CLI

The following is the creation of the same service using the command line.

 

config firewall service custom edit ICMP test4

set comment “For QNX communications to the Development Lab ” set protocol IP

set icmptype 106 end

end

 

In the CLI examples, the fields for Show in Service List, Service Type and in the example for IP, Category were net set because the values that they would have been set to were the default values and were already correctly set.

 

Example Scenario: Using FortiGate services to support Audio/Visual Conferencing

The feature, and the transmitting of data for the purpose of, Tele-conferencing or Audi- o/Visual Conferencing is covered by a number of standards:

  • The IETF standard known as the Binary Floor Control Protocol (BFCP).
  • RFC 4582, for SIP-based video devices
  • The ITU standard H.239 (for H.323-based video devices)

While these standards have been set up by various authoritative bodies and can take place on different layers of the OSI model, they share common requirements that are addressed by the FortiGate firewall’s ability to manage the traffic and the protocols involved. This means that the same ability that make the device RFC 4582 compliant makes it compliant with H.239 as well.

To demonstrate how services and service groups are used we show the setup of a firewall that will need to support the connectivity of a video conferencing unit. The FortiGate does not manipulate or change the content of the traffic but it does allow for the traffic to pass through the device. In this case it allow for only the needed traffic to pass through the device so as to allow the functionality of Audio Visual Conference call but not to allow other traffic through.

The theoretical location for this scenario is a hospital that hosts conferences and lectures from doctors from all over the world, sometimes from multiple locations, using video conferencing technology such as a Polycom Video Conference system. There is a special room set up with dedicated Ethernet connectivity to the Internet. A hospital has a lot of sensitive information going over its network so the setup has to be secure to prevent any chance of penetration.

The approach is fairly simple. The conference room has a dedicated port on the FortiGate (port #7) and its own LAN. We will assume that the interface has already been configured properly. Video conference traffic can come from the Internet to the Polycom in that room and traffic can get out to the Internet, but traffic going to other areas of the hospital network have to go through the FortiGate and traffic going from the Video Conference LAN is thoroughly filtered.

To give an idea of how extensive this can be, we will use an extreme case and include just about all of the services that could be commonly used in one of these setups. The protocols listed here may differ from other setups. It will depend on which features are being used and which equipment is within the network. Always check the documentation that comes with the set up before opening ports into your network.

 

VIP

In this particular case there is an IP address set aside for the conferencing system so a separate VIP is not needed for every port. One Virtual IP will be created for the system and then only the approved of protocols will be allows through the firewall.

Name                         Vid-Conf_Room216

External Interface    wan1

External IP Address/Range

Mapped IP Address/Range

256.87.212.51 – 256.87.212.51

192.168.7.25 – 192.168.7.25

Port Forwarding      not selected

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.