Services

While there are a number of services already configured within FortiOS, the firmware allows administrators to configure their own. The reasons for doing this usually fall into one or more of the following categories:

  • The service is not common enough to have a standard configuration
  • The service is not established enough to have a standard configuration
  • The service has a standard port number but there is a reason to use a different one:
    • Port is already in use by another service
    • For security reasons, want to avoid standard port

When looking at the list of preconfigured services it may seem like there are a lot, but keep in mind that the theoretical limit for port numbers is 65,535. This gives a fairly good sized range to choose from when assigning a port to a service, but there are a few points to keep in mind.

  • Most of the well known ports are in the range 0 – 1023
  • Most ports assigned by the Internet Corporation for Assigned Names and Numbers (ICANN) will be in the 1024 – 49151 range
  • Port numbers between 49,152 and 65,535 are often used for dynamic, private or ephemeral ports.

There are 3 Service objects that can be added and configured:

  • Categories
  • Services
  • Service Groups

Categories

In order to make sorting through the services easier, there is a field to categorize the services. Because selecting a category is part of the process for creating a new service, the configuration of categories will be explained first.

The services can be sorted into the following groups:

  • General
  • Web Access
  • File Access
  • Email
  • Network Services
  • Authentication
  • Remote Access
  • Tunneling
  • VoIP, Messaging and Other Applications
  • Web Proxy
  • Uncategorized

The categories are for organizational purposes, so there are not many settings to configure when creating a new one.

Creating a new Service Category

  1. Go to Policy & Objects > Services.
  2. Select Create New. A drop down menu is displayed. Select Category.
  3. Input a Name for the category.
  4. Input any additional information in the Comments.
  5. Press OK.

Example

You plan on adding a number of devices, such as web cameras, that will allow the monitoring of the physical security of your datacenter. A number of non-standard services will have to be created and you would like to keep them grouped together under the heading of “Surveillance”.

Example of a New Category in the GUI

  1. Go to Policy & Objects > Objects > Services and select Create New > Category.
  2. Fill out the fields with the following information:
Field   Value
Name   Surveillance
Comments   For DataCenter Surveillance Devices
  3. Select

Example of a New Category in the CLI

Enter the following CLI command:

config firewall service category
    edit Surveillance
        set comment "For DataCenter Surveillance Devices"
    next
end

To verify that the category was added correctly:

  1. Go to Policy & Objects > Objects > Services. Select the Category Settings icon. A listing of the categories should be displayed.
  2. Alternatively, enter the following CLI command:

config firewall service category
    show

This should bring up all of the categories. Check to see that the new one is displayed.

Configuring a new service

Occasionally, the preconfigured list of services will not contain the needed service. There are a few variations in the creation of a service depending upon the protocol type, but the first steps are common to all of them.

To create a new service:

  1. Go to Policy & Objects > Services.
  2. Select Create New. A drop down menu is displayed. Select Service.
  3. Enter a name in the Name field for the new service.
  4. Include any description you would like in the Comments field.
  5. In the Service Type field choose between Firewall and Explicit Proxy.
  6. Enable the Show in Service List toggle. If you can’t see the service when you need to select it, it serves very little purpose.
  7. For the Category field, choose the appropriate category from the Category drop down menu. If none is chosen, the Uncategorized option will be chosen by default.

Protocol Options

This is the section where the configuration options of the service will differ depending on the type of protocol chosen. (The Step numbers will all continue on from the common step sequence).

The protocol options for the Firewall service type are:
  • TCP/UDP/SCTP
  • ICMP
  • ICMP6
  • IP

The protocol options for the Explicit Proxy service type are:
  • ALL
  • CONNECT
  • FTP
  • HTTP
  • SOCKS-TCP
  • SOCKS-UDP

TCP/UDP/SCTP

  1. For the Protocol Type field, choose TCP/UDP/SCTP from the drop down menu.
  2. For the Address field, choose IP Range or FQDN (Fully Qualified Domain Name) if there is to be a specific destination for the service. Depending on which type of address is selected, the field value needs to be filled with a FQDN string or an IP address in one of the 3 standard IPv4 address formats:
    • x.x.x.x – for a specific address
    • x.x.x.x/x – for a subnet
    • x.x.x.x-x.x.x.x – for a range of specific addresses
  3. Configure the Destination Port by:
    • Select TCP, UDP or SCTP from the drop down menu.
    • Enter the low end of the port range in the field indicated by the grayed out Low.
    • Enter the high end of the port range in the field indicated by the grayed out High. If there is only a single port in the range, High can be left empty.
    • Multiple ports or port ranges can be added by using the “+” at the beginning of the row.
    • Rows can be removed by using the trash can symbol at the end of the row.
  4. If required, you can Specify Source Ports for the service by enabling the toggle switch.
    • Each Src Port will match up with a Destination Port.
    • Src Ports cannot be configured without there being a value for the Destination Port.
    • The same rules for configuring the Destination Ports apply to the Src Ports.
  5. Select OK to confirm the configuration.

Example

Example settings for a TCP protocol service. In this case, it is for an administrative connection to web servers on the DMZ. The protocol used is HTTPS, which would normally use port 443, but that port is already in use by another service such as admin access to the firewall or an SSL-VPN connection.

Field   Value
Name   Example.com_WebAdmin
Comments   Admin connection to Example.com Website
Service Type   Firewall
Show in Service List   enabled
Category   Web Access
Protocol Options
Protocol Type   TCP/UDP/SCTP
IP/FQDN   <left blank>
Destination Port   Protocol: TCP; Low: 4300; High: <left blank>
Specify Source Ports   <disabled>

Creating a new TCP/UDP/SCTP service in the CLI

The following is the creation of the same service using the command line.

config firewall service custom
    edit Example.com_WebAdmin
        set comment "Admin connection to Example.com Website"
        set category "Web Access"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 4300
    next
end

ICMP / ICMP6

  1. For the Protocol Type field, choose ICMP or ICMP6 from the drop down menu.
  2. In the Type field enter the appropriate type number based on the information found in “ICMP Types and Codes” or in “ICMPv6 Types and Codes”, depending on whether the Protocol Type is ICMP or ICMPv6.
  3. In the Code field enter the appropriate code number for the type, if applicable, based on the information found in “ICMP Types and Codes” or in “ICMPv6 Types and Codes”, depending on whether the Protocol Type is ICMP or ICMPv6.
  4. Select OK to confirm the configuration.

Example

Example settings for an ICMP service. In this case it has been set up for some special testing of ICMP packets.

Field   Value
Name   ICMP test #4
Comments   For testing of proprietary network scanner
Service Type   Firewall
Show in Service List   enabled
Category   Network Services
Protocol Options
Protocol Type   ICMP
Type   7
Code   <left blank>

Creating a new ICMP service in the CLI

The following is the creation of the same service using the command line.

config firewall service custom
    edit "ICMP test4"
        set comment "For testing of proprietary network scanner"
        set category "Network Services"
        set protocol ICMP
        set icmptype 7
    next
end

IP

  1. For the Protocol Type field, choose IP from the drop down menu.
  2. In the Protocol Number field enter the numeric value based on the information found in “Protocol Number”.
  3. Select OK to confirm the configuration.

Example

Example settings for an IP service. In this case it has been set up to communicate via an old protocol called QNX.

Field   Value
Name   QNX
Comments   For QNX communications to the Development Lab
Service Type   Firewall
Show in Service List   enabled
Category   Uncategorized
Protocol Options
Protocol Type   IP
Protocol Number   106

Creating a new IP service in the CLI

The following is the creation of the same service using the command line.

config firewall service custom
    edit QNX
        set comment "For QNX communications to the Development Lab"
        set protocol IP
        set protocol-number 106
    next
end

In the CLI examples, the fields for Show in Service List and Service Type (and, in the IP example, Category) were not set, because the values they would have been set to are the defaults and were already correct.
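As an added example (not Fortinet's code and not from the original page), the following Python script turns the table fields used in the TCP/UDP/SCTP, ICMP and IP examples above into the matching config firewall service custom block, checking the things that go wrong when such blocks are typed by hand: unquoted names or comments containing spaces, out-of-range ports, and the wrong option keyword for the protocol. The option keywords udp-portrange, sctp-portrange, icmpcode and protocol-number are assumed to be the standard FortiOS names for your version; the page's own examples only show tcp-portrange and icmptype.

```python
"""Added example, not Fortinet's code: render the GUI table fields from the examples
above into a 'config firewall service custom' block, checking the things that go
wrong when such blocks are typed by hand (unquoted names with spaces, out-of-range
ports, the wrong option keyword for the protocol)."""

def quote(value: str) -> str:
    """FortiOS CLI needs quotes around a name or comment that contains spaces."""
    return f'"{value}"' if " " in value else value

def port_range(spec: str) -> str:
    """Accept 'low' or 'low-high', enforce 0-65535 and low <= high, return normalised."""
    low, _, high = spec.partition("-")
    lo = int(low)
    hi = int(high) if high else lo          # GUI: High left blank means a single port
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {spec!r}")
    return str(lo) if lo == hi else f"{lo}-{hi}"

def render_service(name, comment, protocol, category=None, **opts) -> str:
    """Build the CLI block; omitting category keeps the default (Uncategorized)."""
    lines = ["config firewall service custom", f"    edit {quote(name)}"]
    if comment:
        lines.append(f"        set comment {quote(comment)}")
    if category:
        lines.append(f"        set category {quote(category)}")
    if protocol == "TCP/UDP/SCTP":
        lines.append("        set protocol TCP/UDP/SCTP")
        for l4 in ("tcp", "udp", "sctp"):   # one <l4>-portrange option per L4 protocol
            ranges = opts.get(l4) or []
            if ranges:
                lines.append(f"        set {l4}-portrange " + " ".join(map(port_range, ranges)))
    elif protocol in ("ICMP", "ICMP6"):
        lines.append(f"        set protocol {protocol}")
        lines.append(f"        set icmptype {int(opts['icmptype'])}")
        if opts.get("icmpcode") is not None:  # Code is optional (left blank in the GUI)
            lines.append(f"        set icmpcode {int(opts['icmpcode'])}")
    elif protocol == "IP":
        number = int(opts["protocol_number"])
        if not 0 <= number <= 255:
            raise ValueError("IP protocol number must be 0-255")
        lines.append("        set protocol IP")
        lines.append(f"        set protocol-number {number}")  # assumed keyword, not icmptype
    else:
        raise ValueError(f"unsupported protocol {protocol!r}")
    lines += ["    next", "end"]
    return "\n".join(lines)
```

Calling render_service("QNX", "For QNX communications to the Development Lab", "IP", protocol_number=106) reproduces the IP example block above.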

ALL/CONNECT/FTP/HTTP/SOCKS-TCP/SOCKS-UDP

These options are available only if the Service Type is set to Explicit Proxy.

  1. For the Protocol Type field, choose one of the following from the drop down menu:
    • ALL
    • CONNECT
    • FTP
    • HTTP
    • SOCKS-TCP
    • SOCKS-UDP
  2. For the Address field, choose IP Range or FQDN (Fully Qualified Domain Name) if there is to be a specific destination for the service. Depending on which type of address is selected, the field value needs to be filled with a FQDN string or an IP address in one of the 3 standard IPv4 address formats:
    • x.x.x.x – for a specific address
    • x.x.x.x/x – for a subnet
    • x.x.x.x-x.x.x.x – for a range of specific addresses
  3. Configure the Destination Port by:
    • Enter the low end of the TCP port range in the field indicated by the grayed out Low.
    • Enter the high end of the TCP port range in the field indicated by the grayed out High. If there is only a single port in the range, High can be left empty.
    • Multiple ports or port ranges can be added by using the “+” at the beginning of the row.
    • Rows can be removed by using the trash can symbol at the end of the row.
  4. If required, you can Specify Source Ports for the service by enabling the toggle switch.
    • Each Src Port will match up with a Destination Port.
    • Src Ports cannot be configured without there being a value for the Destination Port.
    • The same rules for configuring the Destination Ports apply to the Src Ports.
  5. Select OK to confirm the configuration.

Specific Addresses in TCP/UDP/SCTP

In the TCP/UDP/SCTP services it is also possible to restrict the service to a specific IP address or Fully Qualified Domain Name. The IP/FQDN field refers to the destination address of the traffic, not the source. This means, for example, that you can set up a custom service that describes in a policy the TCP traffic over port 80 going to the web site example.com, but you cannot set up a service that describes the TCP traffic over port 80 coming from the computer with the address 192.168.29.59; source restrictions belong in the policy's source address, not in the service.

Service Groups

Just like some of the other firewall components, services can also be bundled into groups for ease of administration.

Creating a Service Group

  1. Go to Policy & Objects > Services.
  2. Select Create New. A drop down menu is displayed. Select Service Group.
  3. Input a Group Name to describe the services being grouped.
  4. Input any additional information in the Comments.
  5. Choose a Type of group. The options are Firewall or Explicit Proxy.
  6. Add to the list of Members from the drop down menu. Using the + sign beside the field will allow the addition of multiple services.
  7. Press OK.

Example

Example of a New Service Group:

Field   Value
Group Name   Authentication Services
Comments   Services used in Authentication
Type   Firewall
Members   Kerberos, LDAP, LDAP_UDP, RADIUS

Firewall schedules

Firewall schedules control when policies are in effect. When you add a security policy on a FortiGate unit you need to set a schedule to determine the time frame in which the policy will be functioning. While it is not set by default, the normal schedule would be always. This means that the policy that has been created is always functioning and always policing the traffic going through the FortiGate. The time component of the schedule is based on 24 hour clock notation, or military time as some people would say.

There are two types of schedules: One-time schedules and recurring schedules.

This entry was posted in FortiGate, FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
