Administration Guide

Services

Services represent typical traffic types and application packets that pass through the FortiGate. Services include the service protocol type (TCP, UDP, ICMP, and so on), address, category, and logical destination port. Services can then be applied in a firewall policy to represent the TCP/IP suite port numbers that will most commonly be used to transport the named protocols or groups of protocols. Likewise, security profiles use service definitions to match session types.

The following services are available:

Predefined services

Firewall policies can be configured with default, predefined services that have been created for common traffic types. Predefined services can be edited, cloned, and deleted from the Policy & Objects > Services list. Cloning a service creates a copy of its parameters that you can edit to make a similar service while keeping the existing service unchanged.

To clone a service:
  1. Go to Policy & Objects > Services.

  2. Select the service you want to clone.

  3. Click Clone.

  4. Enter the name of the cloned service.

  5. Click OK.

  6. Find the new service in the services list and edit it as needed.

To edit a service:
  1. Go to Policy & Objects > Services.

  2. Select the service you want to edit.

  3. Click Edit. The Edit Service page is displayed.

  4. Edit the service details as needed.

  5. Click OK.

Custom services

You can create new, customized services in the Policy & Objects > Services page and the CLI. When creating a custom service, the ports, IP addresses, and protocols must be known for proper configuration. Once a service has been created, it must be applied to a firewall policy to take effect.

Note

Custom services can also be created while configuring a new firewall policy.

To configure a custom service in the GUI:
  1. Go to Policy & Objects > Services.

  2. Click Create new > Service.

  3. Configure the service parameters as needed.

  4. Click OK.

Note

Custom services can be configured in the CLI for TCP/UDP/SCTP, ICMP, ICMP6, and IP protocols. Service parameters are dependent on the protocol type. See config firewall service custom in the CLI Reference guide for more information.

The following example demonstrates configuring a custom service with the TCP/UDP/SCTP protocol.

To configure a custom service in the CLI:
config firewall service custom
    edit <name>
        set protocol TCP/UDP/SCTP
        set tcp-portrange <destination port range>
        set udp-portrange <destination port range>
        set sctp-portrange <destination port range>
    next
end
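
Because a custom service is defined by its destination port ranges, it is worth reviewing those ranges before the service is referenced in a policy. The following is an added example, not part of the original guide or Fortinet code: a Python check that reads the `config firewall service custom` section of a configuration backup and reports services whose destination port set is wider than a chosen limit. The service names, the sample configuration, and the 100-port threshold are constructed; the range token form `low[-high][:srclow-srchigh]`, separated by spaces, is an assumption about how the backup writes port ranges.

```python
import re

# Constructed sample of a FortiOS config backup (not from the original page).
SAMPLE_CONFIG = """\
config firewall service custom
    edit "app-api"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 8443
    next
    edit "legacy-any-high"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 1024-65535
        set udp-portrange 1024-65535
    next
    edit "rtp-media"
        set protocol TCP/UDP/SCTP
        set udp-portrange 16384-16400:1024-65535 5004
    next
end
"""

def parse_custom_services(text):
    """Return {service name: {"tcp": [range tokens], ...}}."""
    services, name, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall service custom":
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif in_block and line.startswith("edit "):
            name = line[5:].strip().strip('"')
            services[name] = {}
        elif in_block and name and (m := re.match(r"set (tcp|udp|sctp)-portrange (.+)", line)):
            services[name][m.group(1)] = m.group(2).split()
    return services

def dst_span(token):
    """Count destination ports in one token (assumed form: low[-high][:srclow-srchigh])."""
    low, _, high = token.split(":", 1)[0].partition("-")
    return int(high or low) - int(low) + 1

def broad_services(text, max_ports=100):
    """Return (name, protocol, port count) where the destination set exceeds max_ports."""
    return [(name, proto, total)
            for name, ranges in parse_custom_services(text).items()
            for proto, tokens in ranges.items()
            if (total := sum(dst_span(t) for t in tokens)) > max_ports]
```

Calling `broad_services(SAMPLE_CONFIG)` reports only `legacy-any-high`, once for TCP and once for UDP; the source port range after the colon in `rtp-media` is not counted toward the destination total.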

Service groups

Service groups are a collection of services and other service groups, allowing multiple services to be applied in a firewall policy at once.

Note

Service groups can be cloned and edited in the Service Group tab using the same process as services. See Predefined services.

To configure a service group in the GUI:
  1. Go to Policy & Objects > Services.

  2. Click Create new > Service Group. The New Service Group page is displayed.

  3. Enter the Name.

  4. (Optional) Enter a comment and select a color for the service group.

  5. Click the Members field and select the services and service groups to include in the group.

  6. Click OK.

To configure a service group in the CLI:
config firewall service group
    edit <name>
        set fabric-object {enable | disable}
        set member <service name1>, <service name2>
        set proxy {enable | disable}
    next
end
