Services
Services represent typical traffic types and application packets that pass through the FortiGate. Services include the service protocol type (TCP, UDP, ICMP, and so on), address, category, and logical destination port. Services can then be applied in a firewall policy to represent the TCP/IP suite port numbers that will most commonly be used to transport the named protocols or groups of protocols. Likewise, security profiles use service definitions to match session types.
The following services are available:
Predefined services
Firewall policies can be configured with default, predefined services that have been created for common traffic types. Predefined services can be edited, cloned, and deleted from the Policy & Objects > Services list. Cloning a service allows you to create a copy of the service parameters and edit it to create a similar service while still maintaining the existing service.
To clone a service:
- Go to Policy & Objects > Services.
- Select the service you want to clone.
- Click Clone.
- Enter the name of the cloned service.
- Click OK.
- Find the new service in the services list and edit it as needed.
To edit a service:
- Go to Policy & Objects > Services.
- Select the service you want to edit.
- Click Edit. The Edit Service page is displayed.
- Edit the service details as needed.
- Click OK.
Custom services
You can create new, customized services in the Policy & Objects > Services page and the CLI. When creating a custom service, the ports, IP addresses, and protocols must be known for proper configuration. Once a service has been created, it must be applied to a firewall policy to take effect.
Custom services can also be created while configuring a new firewall policy.
To configure a custom service in the GUI:
- Go to Policy & Objects > Services.
- Click Create new > Service.
- Configure the service parameters as needed.
- Click OK.
Custom services can be configured in the CLI for The following example demonstrates configuring a custom service with the
To configure a custom service in the CLI:
config firewall service custom
    edit <name>
        set protocol TCP/UDP/SCTP
        set tcp-portrange <destination port range>
        set udp-portrange <destination port range>
        set sctp-portrange <destination port range>
    next
end
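The script below is an added example, not Fortinet code: it reads the custom service section of a configuration backup and reports services whose destination port ranges are wider than a review threshold, since a broad custom service widens every firewall policy it is applied to. The sample configuration is constructed, the 100-port threshold and all function names are hypothetical, and it assumes the backup uses the same config/edit/set/next/end keywords as the syntax above, with an optional ":<source ports>" suffix on a port range.

```python
import re

# Constructed sample in the layout of a FortiGate configuration backup.
SAMPLE_CONFIG = '''
config firewall service custom
    edit "web-alt"
        set tcp-portrange 8080 8443
    next
    edit "app-wide"
        set tcp-portrange 1024-65535
        set udp-portrange 1-65535
    next
    edit "sip-sig"
        set tcp-portrange 5060-5061
        set udp-portrange 5060:1024-65535
    next
end
'''
PORTRANGE = re.compile(r'set (tcp|udp|sctp)-portrange (.+)')

def dest_port_count(value):
    """Count distinct destination ports in a value such as '80 8000-8010'."""
    ports = set()
    for item in value.split():
        dest = item.split(':')[0]  # drop the optional ':<source ports>' suffix
        low, _, high = dest.partition('-')
        ports.update(range(int(low), int(high or low) + 1))
    return len(ports)

def parse_custom_services(config_text):
    """Return {service name: {protocol: destination port count}}."""
    services, name, in_section = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == 'config firewall service custom':
            in_section = True
        elif in_section and line == 'end':
            in_section = False
        elif in_section and line.startswith('edit '):
            name = line[5:].strip('"')
            services[name] = {}
        elif in_section and name and (m := PORTRANGE.match(line)):
            services[name][m.group(1)] = dest_port_count(m.group(2))
    return services

def broad_services(config_text, max_ports=100):
    """List (name, protocol, port count) for ranges wider than max_ports (assumed threshold)."""
    found = parse_custom_services(config_text)
    return sorted((n, p, c) for n, protos in found.items() for p, c in protos.items() if c > max_ports)

if __name__ == '__main__':
    for name, proto, count in broad_services(SAMPLE_CONFIG):
        print(f'{name}: {proto} covers {count} destination ports')
```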
Service groups
Service groups are a collection of services and other service groups, allowing multiple services to be applied in a firewall policy at once.
Service groups can be cloned and edited in the Service Group tab using the same process as services. See Predefined services.
To configure a service group in the GUI:
- Go to Policy & Objects > Services.
- Click Create new > Service Group. The New Service Group page is displayed.
- Enter the Name.
- (Optional) Enter a comment and select a color for the service group.
- Click the Members field and select the services and service groups to include in the group.
- Click OK.
To configure a service group in the CLI:
config firewall service group
    edit <name>
        set fabric-object {enable | disable}
        set member <service name1>, <service name2>
        set proxy {enable | disable}
    next
end