firewall service custom (5.4)

This command is used to configure firewall services.

Managing service objects

Configuring a specific service is the most common activity when using the firewall service custom command, but some commands affect the service objects as a whole.

edit

Used to select the individual service whose values you want to configure or edit.

Syntax:

config firewall service custom
  (custom) # edit <service>
  • To get a list of all of the existing service objects, type the command:
    (custom) # edit ?

    If you are creating a new service object, just type the name you wish to use after the edit command. If there are spaces in the name, use quotation marks.

delete

Used to delete an existing service.

Syntax:

config firewall service custom
  (custom) # delete <service>

purge

Used to delete all of the existing custom services. It deletes all of the values within the table within the VDOM.

Syntax:

config firewall service custom
  (custom) # purge
  • There are no options, parameters or qualifiers. Just press the Enter key after entering the command.
  • This command has a serious impact. Use cautiously.

rename

Used to change the name of the service object.

config firewall service custom
  (custom) # rename <service_name> to <new_service_name>

Options and settings within a service

explicit-proxy

Enable to configure this service as an explicit web proxy service. The service will be available to explicit proxy firewall policies but not to regular firewall policies.

Syntax

set explicit-proxy {enable | disable}

Default value: disable

category

Assign the service to a service category. These categories are created and managed using the command firewall service.

Syntax

set category <category_name>

Example

config firewall service custom
  (custom) # edit sample_service
    (sample_service) # set category "web services"
    (sample_service) # end

protocol

Select the protocol used by the service. These protocols are available when explicit-proxy is disabled.
If you select TCP/UDP/SCTP you must specify the tcp-portrange, udp-portrange, or sctp-portrange.

Syntax

set protocol {ICMP | ICMP6 | IP | TCP/UDP/SCTP}

Default value: TCP/UDP/SCTP

A different set of protocols are available when explicit-proxy is enabled.

set protocol {ALL | CONNECT | FTP | HTTP | SOCKS-TCP | SOCKS-UDP}

Default value: ALL

Example

config firewall service custom
  (custom) # edit sample-service
    (sample-service) # set explicit-proxy enable
    (sample-service) # set protocol FTP
    (sample-service) # end

iprange

Enter an IP address or address range for this service.

Syntax

set iprange <ip_address[-<ip_address>]>

Default value: 0.0.0.0

Example

config firewall service custom
  (custom) # edit sample-service
    (sample-service) # set iprange 192.168.0.64-192.168.0.128
    (sample-service) # end

fqdn

Enter a fully-qualified domain name (FQDN) for this service.

Syntax

set fqdn <fqdn_str>

Example

config firewall service custom
  (custom) # edit sample-service
    (sample-service) # set fqdn example.com
    (sample-service) # end

protocol-number (0,4294967295)

For an IP service, enter the IP protocol number. For information on protocol numbers, see http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.

Syntax

set protocol-number <protocol_int>

Default value: 0

Example

config firewall service custom
  (custom) # edit sample-service
    (sample-service) # set protocol-number 6
    (sample-service) # end

icmptype

Enter the ICMP type number. The range for type_int is from 0 to 255. Find ICMP type and code numbers at http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-types.

Syntax

set icmptype <type_int>

Example

config firewall service custom
  (custom) # edit sample-service
    (sample-service) # set icmptype 8
    (sample-service) # end

icmpcode

Enter the ICMP code number. Find ICMP type and code numbers at http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-types.

Syntax

set icmpcode <code_int>

Example

config firewall service custom
  (custom) # edit sample-service
    (sample-service) # set icmpcode 13
    (sample-service) # end

tcp-portrange

For TCP services, enter the destination and source port ranges.

  • If the destination port range can be any port, enter 0-65535.
  • If the destination is only a single port, simply enter a single port number for dstportlow_int and no value for dstporthigh_int.
  • If the source port can be any port, no source port need be added.
  • If the source port is only a single port, simply enter a single port number for srcportlow_int and no value for srcporthigh_int.

The total number of TCP, UDP, and SCTP port ranges cannot exceed 16.

Syntax

set tcp-portrange <dstportlow_int>[-<dstporthigh_int>][:<srcportlow_int>[-<srcporthigh_int>]]

Example

config firewall service custom
  (custom) # edit sample-service
    (sample-service) # set tcp-portrange 100-150:1100-1150
    (sample-service) # end

To enter multiple ranges, separate them with a space.

config firewall service custom
  (custom) # edit sample-service
    (sample-service) # set tcp-portrange 100-150:1100-1150 2000-2100:4000-4100
    (sample-service) # end

udp-portrange

For UDP services, enter the destination and source port ranges.

  • If the destination port range can be any port, enter 0-65535.
  • If the destination is only a single port, simply enter a single port number for dstportlow_int and no value for dstporthigh_int.
  • If the source port can be any port, no source port need be added.
  • If the source port is only a single port, simply enter a single port number for srcportlow_int and no value for srcporthigh_int.

The total number of TCP, UDP, and SCTP port ranges cannot exceed 16.

Syntax

set udp-portrange <dstportlow_int>[-<dstporthigh_int>][:<srcportlow_int>[-<srcporthigh_int>]]

sctp-portrange

For SCTP services, enter the destination and source port ranges.

  • If the destination port range can be any port, enter 0-65535.
  • If the destination is only a single port, simply enter a single port number for dstportlow_int and no value for dstporthigh_int.
  • If the source port can be any port, no source port need be added.
  • If the source port is only a single port, simply enter a single port number for srcportlow_int and no value for srcporthigh_int.

The total number of TCP, UDP, and SCTP port ranges cannot exceed 16.

Syntax

set sctp-portrange <dstportlow_int>[-<dstporthigh_int>][:<srcportlow_int>[-<srcporthigh_int>]]
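The tcp-portrange, udp-portrange and sctp-portrange arguments above share one format: space-separated elements of the form dstlow[-dsthigh][:srclow[-srchigh]], with an omitted source side meaning any source port and a combined limit of 16 ranges per service. The following parser and pre-flight check is an added example (not FortiOS code) that applies exactly those rules to a candidate value before it is pasted into the CLI; the function names and the 0-65535 default for an omitted source side are this example's own choices.

```python
from typing import List, Tuple

# One parsed element of "<dstlow>[-<dsthigh>][:<srclow>[-<srchigh>]]".
PortRange = Tuple[int, int, int, int]  # (dst_low, dst_high, src_low, src_high)

MAX_RANGES = 16  # TCP, UDP and SCTP ranges together cannot exceed 16 per service

def _parse_span(text: str) -> Tuple[int, int]:
    """Parse 'low' or 'low-high' into (low, high); a single port means low == high."""
    parts = text.split("-")
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad port span {text!r}")
    low, high = int(parts[0]), int(parts[-1])
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"port span out of order or outside 0-65535: {text!r}")
    return low, high

def parse_portrange(value: str) -> List[PortRange]:
    """Parse the space-separated argument of set tcp-/udp-/sctp-portrange."""
    ranges: List[PortRange] = []
    for elem in value.split():
        dst, _, src = elem.partition(":")
        dst_low, dst_high = _parse_span(dst)
        # No source side given means any source port (assumed to be 0-65535 here).
        src_low, src_high = _parse_span(src) if src else (0, 65535)
        ranges.append((dst_low, dst_high, src_low, src_high))
    if not ranges:
        raise ValueError("at least one port range is required")
    return ranges

def check_service_ranges(tcp: str = "", udp: str = "", sctp: str = "") -> int:
    """Parse all three attributes of one service and enforce the 16-range ceiling."""
    total = sum(len(parse_portrange(v)) for v in (tcp, udp, sctp) if v)
    if total > MAX_RANGES:
        raise ValueError(f"{total} port ranges exceed the limit of {MAX_RANGES}")
    return total

def matches(ranges: List[PortRange], dst_port: int, src_port: int) -> bool:
    """True when a packet's destination and source ports fall inside any configured element."""
    return any(dl <= dst_port <= dh and sl <= src_port <= sh for dl, dh, sl, sh in ranges)
```

A value such as 2000-2100:4000:4100 (a second colon where the source range separator should be a hyphen) is rejected by the parser rather than silently narrowing the service.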

tcp-halfclose-timer (0,86400)

Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded. The valid range is from 1 to 86400 seconds.
Enter 0 to use the global setting defined in system global.
This is available when protocol is TCP/UDP/SCTP.

Syntax

set tcp-halfclose-timer <seconds>

Default value: 0

Example:

config firewall service custom
  (custom) # edit sample-service
    (sample-service) # set tcp-halfclose-timer 3600
    (sample-service) # end

tcp-halfopen-timer (0,86400)

Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded. The valid range is from 1 to 86400 seconds.
Enter 0 to use the global setting defined in system global.
This is available when protocol is TCP/UDP/SCTP.

Syntax

set tcp-halfopen-timer <seconds>

Default value: 0

tcp-timewait-timer

Set the length of the TCP TIME-WAIT state in seconds. As described in RFC 793, the “TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request”.

Reducing the time of the TIME-WAIT state means the FortiGate unit can close terminated sessions faster, so more new sessions can be opened before the session limit is reached.
The valid range is 0 to 300 seconds. A value of 0 sets the TCP TIME-WAIT to 0 seconds.
Enter 0 to use the global setting defined in system global.
This is available when protocol is TCP/UDP/SCTP.

Syntax

set tcp-timewait-timer <seconds_int>

Default value: 0

Example:

config firewall service custom
  (custom) # edit sample-service
    (sample-service) # set tcp-timewait-timer 60
    (sample-service) # end

udp-idle-timer

Enter the number of seconds before an idle UDP connection times out. The valid range is from 1 to 86400 seconds.
Enter 0 to use the global setting defined in system global.
This is available when protocol is TCP/UDP/SCTP.

Syntax

set udp-idle-timer <seconds>

Default value: 0

session-ttl

Enter the default session timeout in seconds. The valid range is from 300 to 604,800 seconds. Enter 0 to use either the per-policy session-ttl or per-VDOM session-ttl, as applicable.
This is available when protocol is TCP/UDP/SCTP.

Syntax

set session-ttl <seconds>

Default value: 0

Example:

config firewall service custom
  (custom) # edit sample-service
    (sample-service) # set session-ttl 3600
    (sample-service) # end

check-reset-range

Configure ICMP error message verification.

  • disable — The FortiGate unit does not validate ICMP error messages.
  • strict — If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header, then if FortiOS can locate the A:C->B:D session it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range then the ICMP packet is dropped. If log-invalid-packet is enabled the FortiGate unit logs that the ICMP packet was dropped. Strict checking also affects how the anti-replay option checks packets.
  • default — Use the global setting defined in system global.

This field is available when protocol is TCP/UDP/SCTP.
This field is not available if explicit-proxy is enabled.

Syntax

set check-reset-range {disable | strict | default}

Default value: default
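The strict rule above is easiest to see as a lookup plus a range test: the IP and TCP headers quoted inside the ICMP error name a session A:C->B:D, and the quoted TCP sequence number must fall inside the window that session has recorded, or the error is dropped (and logged when log-invalid-packet is enabled). The following model is an added example, not FortiOS code; the session table and ICMP payloads are constructed, the wrap-around handling of a window that crosses 2^32 and the pass-through of an error whose session cannot be located are this model's assumptions, since the page does not specify either.

```python
from typing import Any, Dict, Optional, Tuple

# Session key in the form the page uses: embedded IP(A,B) | TCP(C,D) is looked up as A:C->B:D.
SessionKey = Tuple[str, int, str, int]
SeqWindow = Tuple[int, int]  # (low, high) sequence numbers recorded for the session

# Constructed session table for the demonstration (not real traffic).
SESSIONS: Dict[SessionKey, SeqWindow] = {
    ("10.0.0.5", 40000, "203.0.113.10", 443): (1_000_000, 1_065_535),
    ("10.0.0.6", 40001, "203.0.113.11", 80): (4_294_900_000, 100_000),  # window wraps past 2^32
}

def seq_in_window(seq: int, window: SeqWindow) -> bool:
    """Inclusive range test; a window with low > high is taken to wrap modulo 2^32 (assumption)."""
    low, high = window
    if low <= high:
        return low <= seq <= high
    return seq >= low or seq <= high

def check_reset_range_strict(embedded: Dict[str, Any], sessions: Dict[SessionKey, SeqWindow] = SESSIONS,
                             log_invalid_packet: bool = False) -> Tuple[str, Optional[str]]:
    """Apply the 'strict' rule to one ICMP error: locate A:C->B:D, compare the quoted TCP
    sequence number with the session's recorded range, drop (and optionally log) on mismatch."""
    key = (embedded["src_ip"], embedded["src_port"], embedded["dst_ip"], embedded["dst_port"])
    window = sessions.get(key)
    if window is None:
        # The page defines the check only for sessions FortiOS can locate; passing an
        # unmatched error through is this model's assumption, not documented behaviour.
        return "pass", None
    if seq_in_window(embedded["seq"], window):
        return "pass", None
    log_line = None
    if log_invalid_packet:
        log_line = (f"icmp error dropped: session {key[0]}:{key[1]}->{key[2]}:{key[3]} "
                    f"seq {embedded['seq']} outside {window[0]}-{window[1]}")
    return "drop", log_line

# Constructed ICMP error payloads: the first quotes an in-window sequence number,
# the second quotes one far outside the window, which is the case strict checking exists to catch.
VALID_ERROR = {"src_ip": "10.0.0.5", "src_port": 40000,
               "dst_ip": "203.0.113.10", "dst_port": 443, "seq": 1_000_500}
FORGED_ERROR = dict(VALID_ERROR, seq=2_000_000)
```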

comment

Field to store descriptive information about the service such as its intended purpose.

Syntax

set comment <string>

color

This setting determines the color of the icon in the GUI. There are 32 defined colors numbered 1 to 32. A value of 0 sets the color to the default, which is color number 1.

Syntax

set color <integer>

Default value: 0

Example:

config firewall service custom
  edit generic-custom-service
    set color 15
    end

visibility

Enable visibility to include this service in firewall policy service selection.

Syntax

set visibility {enable | disable}

Default value: enable
