Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    6.0.0
    6.0.0

    Creating services

    Creating services

    Occasionally, the preconfigured list of services will not contain the needed service. There are a few variations in the creation of a service depending upon the protocol type, but the first steps in the creation of the service are common to all the variations.

    To create a new service:

    1. Go to Policy & Objects > Services.
    2. Select Create New. A drop down menu is displayed. Select Service
    3. Enter a name in the Name field for the new service
    4. Include any description you would like in the Comments field
    5. In the Service Type field choose between Firewall and Explicit Proxy.
    6. Enable the toggle in the Show in Service List. If you can't see the service when you need to select it, it serves very little purpose.
    7. For the Category field, choose the appropriate category from the Category drop down menu. If none is chosen, the Uncategorized option will be chosen by default.

    Protocol options

    This is the section where the configuration options of the service will differ depending on the type of protocol chosen. (The Step numbers will all continue on from the common step sequence).

    The protocol options for Firewall service type are:

    • TCP/UDP/SCTP
    • ICMP
    • ICMP6
    • IP

    The protocol options for Proxy service type are:

    • ALL
    • CONNECT
    • FTP
    • HTTP
    • SOCKS-TCP
    • SOCKS-UDP
    TCP/UDP/SCTP
    1. For the Protocol Type field, choose TCP/UDP/SCTP from the drop down menu
    2. For the Address field, choose IP Range or FQDN (Fully Qualified Domain Name) if there is to be a specific destination for the service. Depending on which type of address is selected, the field value needs to be filled with a FQDN string or an IP address in one of the 3 standard IPv4 address formats:
      • x.x.x.x - for a specific address
      • x.x.x.x/x - for a subnet
      • x.x.x.x-x.x.x.x - for a range of specific addresses
    3. Configure the Destination Port by:
      • Select from the drop down menu, TCP, UDP or SCTP
      • Enter the low end to the port range in the field indicated by grayed out Low.
      • Enter the high end of the port range in the field indicated by grayed out High. If there is only a single port in the range High can be left empty
      • Multiple ports or port ranges can be added by using the "+" at the beginning of the row
      • Rows can be removed by using the trash can symbol at the end of the row
    4. If required, you can Specify Source Ports for the service by enabling the toggle switch.
      • The Src Port will match up with a Destination Port
      • Src Ports cannot be configured without there being a value for the Destination Port
      • The same rules for configuring the Destination Ports applies to the Src Ports
    5. Select OK to confirm the configuration
    Example

    Example settings for a TCP protocol service. In this case, it is for an administrative connection to web servers on the DMZ. The protocol used is HTTPS which would normally use port 443, but that is already in use by another service such as Admin access to the firewall or an SSL-VPN connection.

    Field Value
    Name Example.com_WebAdmin
    Comments Admin connection to Example.com Website
    Service Type Firewall
    Show in Service List enabled
    Category Web Access
    Protocol Options
    Protocol Type TCP/UDP/SCTP
    IP/FQDN <left blank>
    Destination Port
    • Protocol: TCP
    • Low: 4300
    • High: <left blank>
    Specify Source Ports <disabled>
    Creating a new TCP/UDP/SCTP service in the CLI

    The following is the creation of the same service using the command line.

    config firewall service custom

    edit Example.com_WebAdmin

    set comment "Admin connection to Example.com Website"

    set category Web Access

    set protocol TCP/UDP/SCTP

    set tcp-portrange 4300

    end

    end

    ICMP / ICMP6
    1. For the Protocol Type field, choose ICMP or ICMP6 from the drop down menu
    2. In the Type field enter the appropriate type number based on the information found in ICMP types and codes or in ICMPv6 types and codes, depending on whether the Protocol Type is ICMP or ICMPv6
    3. In the Code field enter the appropriate code number for the type, if applicable, based on the information found in ICMP types and codes or in ICMPv6 types and codes, depending on whether the Protocol Type is ICMP or ICMPv6
    4. Select OK to confirm the configuration
    Example

    Example settings for an ICMP.service.In this case it has been set up for some special testing of ICMP packets.

    Field Value
    Name ICMP test #4
    Comments For testing of proprietary network scanner
    Service Type Firewall
    Show in Service List enabled
    Category Network Services
    Protocol Options
    Protocol Type ICMP
    Type 7
    Code <left blank>
    Creating a new ICMP service in the CLI

    The following is the creation of the same service using the command line.

    config firewall service custom

    edit ICMP test4

    set comment "For testing of proprietary network scanner"

    set category Network Services

    set protocol ICMP

    set icmptype 7

    end

    end

    IP
    1. For the Protocol Type field, choose IP from the drop down menu
    2. In the Protocol Number field enter the numeric value based on the information found in Protocol number.
    3. Select OK to confirm the configuration
    Example

    Example settings for an IP.service.In this case it has been set up to communicate via an old protocol called QNX

    Field Value
    Name QNX
    Comments For QNX communications to the Development Lab
    Service Type Firewall
    Show in Service List enabled
    Category Uncategorized
    Protocol Options
    Protocol Type IP
    Protocol Number 106
    Creating a new ICMP service in the CLI

    The following is the creation of the same service using the command line.

    config firewall service custom

    edit ICMP test4

    set comment "For QNX communications to the Development Lab "

    set protocol IP

    set icmptype 106

    end

    end

    tooltip icon In the CLI examples, the fields for Show in Service List, Service Type and in the example for IP, Category were net set because the values that they would have been set to were the default values and were already correctly set.
    ALL/CONNECT/FTP/HTTP/SOCKS-TCP/SOCKS-UDP

    These options are available only if the Service Type is set to Explicit Proxy.

    1. For the Protocol Type field, choose one of the following from the drop down menu:
      • ALL
      • CONNECT
      • FTP
      • HTTP
      • SOCKS-TCP
      • SOCKS-UDP
    2. For the Address field, choose IP Range or FQDN (Fully Qualified Domain Name) if there is to be a specific destination for the service. Depending on which type of address is selected, the field value needs to be filled with a FQDN string or an IP address in one of the 3 standard IPv4 address formats:
      • x.x.x.x - for a specific address
      • x.x.x.x/x - for a subnet
      • x.x.x.x-x.x.x.x - for a range of specific addresses
    3. Configure the Destination Port by:
      • Enter the low end to the TCP port range in the field indicated by grayed out Low.
      • Enter the high end of the TCP port range in the field indicated by grayed out High. If there is only a single port in the range High can be left empty
      • Multiple ports or port ranges can be added by using the "+" at the beginning of the row
      • Rows can be removed by using the trash can symbol at the end of the row
    4. If required, you can Specify Source Ports for the service by enabling the toggle switch.
      • The Src Port will match up with a Destination Port
      • Src Ports cannot be configured without there being a value for the Destination Port
      • The same rules for configuring the Destination Ports applies to the Src Ports
    5. Select OK to confirm the configuration
    Previous
    Next

    Creating services

    Creating services

    Occasionally, the preconfigured list of services will not contain the needed service. There are a few variations in the creation of a service depending upon the protocol type, but the first steps in the creation of the service are common to all the variations.

    To create a new service:

    1. Go to Policy & Objects > Services.
    2. Select Create New. A drop down menu is displayed. Select Service
    3. Enter a name in the Name field for the new service
    4. Include any description you would like in the Comments field
    5. In the Service Type field choose between Firewall and Explicit Proxy.
    6. Enable the toggle in the Show in Service List. If you can't see the service when you need to select it, it serves very little purpose.
    7. For the Category field, choose the appropriate category from the Category drop down menu. If none is chosen, the Uncategorized option will be chosen by default.

    Protocol options

    This is the section where the configuration options of the service will differ depending on the type of protocol chosen. (The Step numbers will all continue on from the common step sequence).

    The protocol options for Firewall service type are:

    • TCP/UDP/SCTP
    • ICMP
    • ICMP6
    • IP

    The protocol options for Proxy service type are:

    • ALL
    • CONNECT
    • FTP
    • HTTP
    • SOCKS-TCP
    • SOCKS-UDP
    TCP/UDP/SCTP
    1. For the Protocol Type field, choose TCP/UDP/SCTP from the drop down menu
    2. For the Address field, choose IP Range or FQDN (Fully Qualified Domain Name) if there is to be a specific destination for the service. Depending on which type of address is selected, the field value needs to be filled with a FQDN string or an IP address in one of the 3 standard IPv4 address formats:
      • x.x.x.x - for a specific address
      • x.x.x.x/x - for a subnet
      • x.x.x.x-x.x.x.x - for a range of specific addresses
    3. Configure the Destination Port by:
      • Select from the drop down menu, TCP, UDP or SCTP
      • Enter the low end to the port range in the field indicated by grayed out Low.
      • Enter the high end of the port range in the field indicated by grayed out High. If there is only a single port in the range High can be left empty
      • Multiple ports or port ranges can be added by using the "+" at the beginning of the row
      • Rows can be removed by using the trash can symbol at the end of the row
    4. If required, you can Specify Source Ports for the service by enabling the toggle switch.
      • The Src Port will match up with a Destination Port
      • Src Ports cannot be configured without there being a value for the Destination Port
      • The same rules for configuring the Destination Ports applies to the Src Ports
    5. Select OK to confirm the configuration
    Example

    Example settings for a TCP protocol service. In this case, it is for an administrative connection to web servers on the DMZ. The protocol used is HTTPS which would normally use port 443, but that is already in use by another service such as Admin access to the firewall or an SSL-VPN connection.

    Field Value
    Name Example.com_WebAdmin
    Comments Admin connection to Example.com Website
    Service Type Firewall
    Show in Service List enabled
    Category Web Access
    Protocol Options
    Protocol Type TCP/UDP/SCTP
    IP/FQDN <left blank>
    Destination Port
    • Protocol: TCP
    • Low: 4300
    • High: <left blank>
    Specify Source Ports <disabled>
    Creating a new TCP/UDP/SCTP service in the CLI

    The following is the creation of the same service using the command line.

    config firewall service custom

    edit Example.com_WebAdmin

    set comment "Admin connection to Example.com Website"

    set category Web Access

    set protocol TCP/UDP/SCTP

    set tcp-portrange 4300

    end

    end

    ICMP / ICMP6
    1. For the Protocol Type field, choose ICMP or ICMP6 from the drop down menu
    2. In the Type field enter the appropriate type number based on the information found in ICMP types and codes or in ICMPv6 types and codes, depending on whether the Protocol Type is ICMP or ICMPv6
    3. In the Code field enter the appropriate code number for the type, if applicable, based on the information found in ICMP types and codes or in ICMPv6 types and codes, depending on whether the Protocol Type is ICMP or ICMPv6
    4. Select OK to confirm the configuration
    Example

    Example settings for an ICMP.service.In this case it has been set up for some special testing of ICMP packets.

    Field Value
    Name ICMP test #4
    Comments For testing of proprietary network scanner
    Service Type Firewall
    Show in Service List enabled
    Category Network Services
    Protocol Options
    Protocol Type ICMP
    Type 7
    Code <left blank>
    Creating a new ICMP service in the CLI

    The following is the creation of the same service using the command line.

    config firewall service custom

    edit ICMP test4

    set comment "For testing of proprietary network scanner"

    set category Network Services

    set protocol ICMP

    set icmptype 7

    end

    end

    IP
    1. For the Protocol Type field, choose IP from the drop down menu
    2. In the Protocol Number field enter the numeric value based on the information found in Protocol number.
    3. Select OK to confirm the configuration
    Example

    Example settings for an IP.service.In this case it has been set up to communicate via an old protocol called QNX

    Field Value
    Name QNX
    Comments For QNX communications to the Development Lab
    Service Type Firewall
    Show in Service List enabled
    Category Uncategorized
    Protocol Options
    Protocol Type IP
    Protocol Number 106
    Creating a new ICMP service in the CLI

    The following is the creation of the same service using the command line.

    config firewall service custom

    edit ICMP test4

    set comment "For QNX communications to the Development Lab "

    set protocol IP

    set icmptype 106

    end

    end

    tooltip icon In the CLI examples, the fields for Show in Service List, Service Type and in the example for IP, Category were net set because the values that they would have been set to were the default values and were already correctly set.
    ALL/CONNECT/FTP/HTTP/SOCKS-TCP/SOCKS-UDP

    These options are available only if the Service Type is set to Explicit Proxy.

    1. For the Protocol Type field, choose one of the following from the drop down menu:
      • ALL
      • CONNECT
      • FTP
      • HTTP
      • SOCKS-TCP
      • SOCKS-UDP
    2. For the Address field, choose IP Range or FQDN (Fully Qualified Domain Name) if there is to be a specific destination for the service. Depending on which type of address is selected, the field value needs to be filled with a FQDN string or an IP address in one of the 3 standard IPv4 address formats:
      • x.x.x.x - for a specific address
      • x.x.x.x/x - for a subnet
      • x.x.x.x-x.x.x.x - for a range of specific addresses
    3. Configure the Destination Port by:
      • Enter the low end to the TCP port range in the field indicated by grayed out Low.
      • Enter the high end of the TCP port range in the field indicated by grayed out High. If there is only a single port in the range High can be left empty
      • Multiple ports or port ranges can be added by using the "+" at the beginning of the row
      • Rows can be removed by using the trash can symbol at the end of the row
    4. If required, you can Specify Source Ports for the service by enabling the toggle switch.
      • The Src Port will match up with a Destination Port
      • Src Ports cannot be configured without there being a value for the Destination Port
      • The same rules for configuring the Destination Ports applies to the Src Ports
    5. Select OK to confirm the configuration
    Previous
    Next