CLI Reference

firewall service custom

This command is used to configure firewall services.

config firewall service custom
    edit {name}
    # Configure custom services.
        set name {string}   Custom service name. size[63]
        set proxy {enable | disable}   Enable/disable web proxy service.
        set category {string}   Service category. size[63] - datasource(s): firewall.service.category.name
        set protocol {option}   Protocol type based on IANA numbers.
                TCP/UDP/SCTP  TCP, UDP and SCTP.
                ICMP          ICMP.
                ICMP6         ICMP6.
                IP            IP.
                HTTP          HTTP - for web proxy.
                FTP           FTP - for web proxy.
                CONNECT       Connect - for web proxy.
                SOCKS-TCP     Socks TCP - for web proxy.
                SOCKS-UDP     Socks UDP - for web proxy.
                ALL           All - for web proxy.
        set helper {option}   Helper name.
                auto     Automatically select helper based on protocol and port.
                disable  Disable helper.
                ftp      FTP.
                tftp     TFTP.
                ras      RAS.
                h323     H323.
                tns      TNS.
                mms      MMS.
                sip      SIP.
                pptp     PPTP.
                rtsp     RTSP.
                dns-udp  DNS UDP.
                dns-tcp  DNS TCP.
                pmap     PMAP.
                rsh      RSH.
                dcerpc   DCERPC.
                mgcp     MGCP.
                gtp-c    GTP-C.
                gtp-u    GTP-U.
                gtp-b    GTP-B.
        set iprange {string}   Start and end of the IP range associated with service.
        set fqdn {string}   Fully qualified domain name. size[255]
        set protocol-number {integer}   IP protocol number. range[0-254]
        set icmptype {integer}   ICMP type. range[0-4294967295]
        set icmpcode {integer}   ICMP code. range[0-255]
        set tcp-portrange {string}   Multiple TCP port ranges.
        set udp-portrange {string}   Multiple UDP port ranges.
        set sctp-portrange {string}   Multiple SCTP port ranges.
        set tcp-halfclose-timer {integer}   Wait time to close a TCP session waiting for an unanswered FIN packet (1 - 86400 sec, 0 = default). range[0-86400]
        set tcp-halfopen-timer {integer}   Wait time to close a TCP session waiting for an unanswered open session packet (1 - 86400 sec, 0 = default). range[0-86400]
        set tcp-timewait-timer {integer}   Set the length of the TCP TIME-WAIT state in seconds (1 - 300 sec, 0 = default). range[0-300]
        set udp-idle-timer {integer}   UDP half close timeout (0 - 86400 sec, 0 = default). range[0-86400]
        set session-ttl {integer}   Session TTL (300 - 604800, 0 = default). range[300-604800]
        set check-reset-range {disable | strict | default}   Configure the type of ICMP error message verification.
                disable  Disable RST range check.
                strict   Check RST range strictly.
                default  Using system default setting.
        set comment {string}   Comment. size[255]
        set color {integer}   Color of icon on the GUI. range[0-32]
        set visibility {enable | disable}   Enable/disable the visibility of the service on the GUI.
        set app-service-type {disable | app-id | app-category}   Application service type.
                disable       Disable application type.
                app-id        Application ID.
                app-category  Application category.
        config app-category
            edit {id}
            # Application category ID.
                set id {integer}   Application category id. range[0-4294967295]
            next
        config application
            edit {id}
            # Application ID.
                set id {integer}   Application id. range[0-4294967295]
            next
    next
end

Additional information

The following section is for those options that require additional explanation.

Managing service objects

Configuring an individual service is the most common activity when using this command, but some commands affect the service objects as a whole.

edit

Used to select which individual service to configure or edit values.

Syntax:
config firewall service custom
(custom) # edit <service>
  • To get a list of all of the existing address objects, type the command:
    (custom) # edit ?

    If you are creating a new service object, just type the name you wish to use after the edit command. If there are spaces in the name, use quotation marks.

delete

Used to delete an existing service.

Syntax:
config firewall service custom
(custom) # delete <service>

purge

Used to delete all of the existing firewall policies. It deletes all of the values within the table within the VDOM.

Syntax:
config firewall service custom
(custom) # purge
  • There are no options, parameters or qualifiers. Just press the Enter key after entering the command.
  • This command has a serious impact. Use cautiously.

rename

Used to change the name of the service object.

config firewall service custom
(custom) # rename <service_name> to <new_service_name>

Options and settings within a service

explicit-proxy

Enable to configure this service as an explicit web proxy service. The service will be available to explicit proxy firewall policies but not to regular firewall policies.

Syntax
set explicit-proxy {enable | disable}

Default value: disable

category

Assign the service to a service category. These categories are created and managed using the command firewall service.

Syntax
set category <category_name>
Example
config firewall service custom
	(custom) # edit sample_service
	(sample_service) # set category "web services"
(sample_service) # end

protocol

Select the protocol used by the service. These protocols are available when explicit-proxy is disabled. If you select TCP/UDP/SCTP you must specify the tcp-portrange, udp-portrange, or sctp-portrange.

Syntax
set protocol {ICMP | ICMP6 | IP | TCP/UDP/SCTP}

Default value: TCP/UDP/SCTP

A different set of protocols is available when explicit-proxy is enabled.

set protocol {ALL | CONNECT | FTP | HTTP | SOCKS-TCP | SOCKS-UDP}

Default value: ALL

Example
config firewall service custom
	(custom) # edit sample-service
	(sample-service) # set explicit-proxy enable
	(sample-service) # set protocol FTP
(sample-service) # end

iprange

Enter an IP address or address range for this service.

Syntax
set iprange <ip_address[-<ip_address>]>

Default value: 0.0.0.0

Example
config firewall service custom
	(custom) # edit sample-service
	(sample-service) # set iprange 192.168.0.64-192.168.0.128
(sample-service) # end

fqdn

Enter a fully-qualified domain name (FQDN) for this service.

Syntax
set fqdn <fqdn_str>
Example
config firewall service custom
	(custom) # edit sample-service
	(sample-service) # set fqdn example.com
(sample-service) # end

protocol-number (0,4294967295)

For an IP service, enter the IP protocol number. For information on protocol numbers, see http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.

Syntax
set protocol-number <protocol_int>

Default value: 0

Example
config firewall service custom
	(custom) # edit sample-service
	(sample-service) # set protocol-number 6
(sample-service) # end

icmptype

Enter the ICMP type number. The range for type_int is from 0-255. Find ICMP type and code numbers at http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-types.

Syntax
set icmptype <type_int>
Example
config firewall service custom
	(custom) # edit sample-service
	(sample-service) # set icmptype 8
(sample-service) # end

icmpcode

Enter the ICMP code number. Find ICMP type and code numbers at http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-types.

Syntax
set icmpcode <code_int>
Example
config firewall service custom
	(custom) # edit sample-service
	(sample-service) # set icmpcode 13
(sample-service) # end

tcp-portrange

For TCP services, enter the destination and source port ranges.

  • If the destination port range can be any port, enter 0-65535.
  • If the destination is only a single port, simply enter a single port number for dstportlow_int and no value for dstporthigh_int.
  • If the source port can be any port, no source port need be added.
  • If the source port is only a single port, simply enter a single port number for srcportlow_int and no value for srcporthigh_int.

The total number of TCP, UDP, and SCTP port ranges cannot exceed 16.

Syntax
set tcp-portrange <dstportlow_int>[-<dstporthigh_int>: <srcportlow_int>-<srcporthigh_int>]
Example
config firewall service custom
	(custom) # edit sample-service
	(sample-service) # set tcp-portrange 100-150:1100-1150
(sample-service) # end

For multiple ranges, separate the ranges with a space.

config firewall service custom
	(custom) # edit sample-service
	(sample-service) # set tcp-portrange 100-150:1100-1150 2000-2100:4000-4100
(sample-service) # end

udp-portrange

For UDP services, enter the destination and source port ranges.

  • If the destination port range can be any port, enter 0-65535.
  • If the destination is only a single port, simply enter a single port number for dstportlow_int and no value for dstporthigh_int.
  • If source port can be any port, no source port need be added.
  • If the source port is only a single port, simply enter a single port number for srcportlow_int and no value for srcporthigh_int.

The total number of TCP, UDP, and SCTP port ranges cannot exceed 16.

Syntax
set udp-portrange <dstportlow_int>[-<dstporthigh_int>: <srcportlow_int>-<srcporthigh_int>]

sctp-portrange

For SCTP services, enter the destination and source port ranges.

  • If the destination port range can be any port, enter 0-65535.
  • If the destination is only a single port, simply enter a single port number for dstportlow_int and no value for dstporthigh_int.
  • If source port can be any port, no source port need be added.
  • If the source port is only a single port, simply enter a single port number for srcportlow_int and no value for srcporthigh_int.

The total number of TCP, UDP, and SCTP port ranges cannot exceed 16.

Syntax
set sctp-portrange <dstportlow_int>[-<dstporthigh_int>: <srcportlow_int>-<srcporthigh_int>]
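The tcp-portrange, udp-portrange and sctp-portrange values above share one syntax and one combined limit of 16 ranges. The following parser and audit helper, added here as an illustration (not Fortinet code), applies those rules to the raw strings as they appear in a configuration dump, treating a missing source part as any source port, rejecting malformed or inverted ranges, and flagging destination ranges of 0-65535 as overly broad service definitions worth reviewing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added illustration of the FortiOS port-range syntax described on this page:
#   <dstlow>[-<dsthigh>][:<srclow>[-<srchigh>]]   tokens separated by spaces
# The limit and the "any port" convention come from the page; the audit
# policy (flagging 0-65535 destinations) is this example's own assumption.

MAX_RANGES = 16                 # combined limit across TCP, UDP and SCTP
ANY_PORT: Tuple[int, int] = (0, 65535)

_RANGE_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?(?::(\d{1,5})(?:-(\d{1,5}))?)?$")


@dataclass(frozen=True)
class PortRange:
    dst_low: int
    dst_high: int
    src_low: int
    src_high: int

    def dst_is_any(self) -> bool:
        return (self.dst_low, self.dst_high) == ANY_PORT


def _bounds(low: str, high: Optional[str]) -> Tuple[int, int]:
    """Turn 'low' and optional 'high' into an inclusive, validated pair."""
    lo = int(low)
    hi = int(high) if high is not None else lo   # single port => low == high
    if not (0 <= lo <= 65535 and 0 <= hi <= 65535):
        raise ValueError(f"port out of range: {lo}-{hi}")
    if lo > hi:
        raise ValueError(f"inverted range: {lo}-{hi}")
    return lo, hi


def parse_portrange(value: str) -> List[PortRange]:
    """Parse one `set <proto>-portrange ...` value into PortRange objects."""
    ranges: List[PortRange] = []
    for token in value.split():
        m = _RANGE_RE.match(token)
        if not m:
            raise ValueError(f"malformed port range: {token!r}")
        dlo, dhi = _bounds(m.group(1), m.group(2))
        if m.group(3) is None:
            slo, shi = ANY_PORT          # no source part => any source port
        else:
            slo, shi = _bounds(m.group(3), m.group(4))
        ranges.append(PortRange(dlo, dhi, slo, shi))
    return ranges


def audit_service(tcp: str = "", udp: str = "", sctp: str = "") -> List[str]:
    """Return audit findings for a custom service's three port-range strings."""
    findings: List[str] = []
    total = 0
    for proto, raw in (("tcp", tcp), ("udp", udp), ("sctp", sctp)):
        if not raw:
            continue
        try:
            ranges = parse_portrange(raw)
        except ValueError as exc:
            findings.append(f"{proto}-portrange: {exc}")
            continue
        total += len(ranges)
        for r in ranges:
            if r.dst_is_any():
                findings.append(
                    f"{proto}-portrange: destination 0-65535 (any port) "
                    f"from source {r.src_low}-{r.src_high}")
    if total > MAX_RANGES:
        findings.append(f"{total} port ranges exceed the limit of {MAX_RANGES}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, including the multi-range form from the page.
    for line in audit_service(tcp="100-150:1100-1150 2000-2100:4000-4100",
                              udp="0-65535", sctp="2000-2100:4000:4100"):
        print(line)
```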

tcp-halfclose-timer (0,86400)

Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded. The valid range is from 1 to 86400 seconds. Enter 0 to use the global setting defined in system global. This is available when protocol is TCP/UDP/SCTP.

Syntax
set tcp-halfclose-timer <seconds>

Default value: 0

Example:
config firewall service custom
	(custom) # edit sample-service
	(sample-service) # set tcp-halfclose-timer 3600
(sample-service) # end

tcp-halfopen-timer (0,86400)

Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded. The valid range is from 1 to 86400 seconds. Enter 0 to use the global setting defined in system global. This is available when protocol is TCP/UDP/SCTP.

Syntax
set tcp-halfopen-timer <seconds>

Default value: 0

tcp-timewait-timer

Set the length of the TCP TIME-WAIT state in seconds. As described in RFC 793, the “TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request”. Reducing the time of the TIME-WAIT state means the FortiGate unit can close terminated sessions faster, which means more new sessions can be opened before the session limit is reached. The valid range is 0 to 300 seconds. A value of 0 sets the TCP TIME-WAIT to 0 seconds. Enter 0 to use the global setting defined in system global. This is available when protocol is TCP/UDP/SCTP.

Syntax
set tcp-timewait-timer <seconds_int>

Default value: 0

Example:
config firewall service custom
	(custom) # edit sample-service
	(sample-service) # set tcp-timewait-timer 60
(sample-service) # end

udp-idle-timer

Enter the number of seconds before an idle UDP connection times out. The valid range is from 1 to 86400 seconds. Enter 0 to use the global setting defined in system global. This is available when protocol is TCP/UDP/SCTP.

Syntax
set udp-idle-timer <seconds>

Default value: 0

session-ttl

Enter the default session timeout in seconds. The valid range is from 300 - 604,800 seconds. Enter 0 to use either the per-policy session-ttl or per-VDOM session-ttl, as applicable. This is available when protocol is TCP/UDP/SCTP.

Syntax
set session-ttl <seconds>

Default value: 0

Example:
config firewall service custom
	(custom) # edit sample-service
	(sample-service) # set session-ttl 3600
(sample-service) # end

check-reset-range

Configure ICMP error message verification.

  • disable — The FortiGate unit does not validate ICMP error messages.
  • strict — If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header, then if FortiOS can locate the A:C->B:D session it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range then the ICMP packet is dropped. If log-invalid-packet is enabled the FortiGate unit logs that the ICMP packet was dropped. Strict checking also affects how the anti-replay option checks packets.
  • default — Use the global setting defined in system global.

This field is available when protocol is TCP/UDP/SCTP. This field is not available if explicit-proxy is enabled.

Syntax
set check-reset-range {disable | strict | default}

Default value: default
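The strict mode described above is a defence against forged ICMP errors tearing down or resetting sessions: the firewall trusts an ICMP error only when the embedded TCP header points at a real session and its sequence number lies in that session's recorded window. The model below is added illustration, not FortiOS code; the session table, the inclusive window, the "unmatched" outcome when no A:C->B:D session exists, and the 32-bit wraparound handling are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Added model of the `check-reset-range` decision described on this page.
# An ICMP error embeds the IP(A,B) | TCP(C,D) header of the packet that
# triggered it; the firewall locates the A:C->B:D session and, in strict
# mode, drops the error if the embedded sequence number is out of range.

SEQ_MOD = 2 ** 32                                  # TCP sequence space
SessionKey = Tuple[str, int, str, int]             # (A, C, B, D)


@dataclass
class Session:
    seq_low: int      # inclusive window recorded for the session (assumed)
    seq_high: int     # may be numerically below seq_low when it wraps


@dataclass(frozen=True)
class IcmpError:
    inner_src: str    # A: source address of the embedded datagram
    inner_dst: str    # B: destination address of the embedded datagram
    inner_sport: int  # C: embedded TCP source port
    inner_dport: int  # D: embedded TCP destination port
    inner_seq: int    # sequence number in the embedded TCP header


@dataclass
class Verdict:
    action: str       # "accept", "drop" or "unmatched"
    reason: str
    logged: bool = False


def _in_window(seq: int, low: int, high: int) -> bool:
    """Inclusive range test that tolerates a window wrapping past 2^32."""
    seq, low, high = seq % SEQ_MOD, low % SEQ_MOD, high % SEQ_MOD
    if low <= high:
        return low <= seq <= high
    return seq >= low or seq <= high


def check_reset_range(mode: str, err: IcmpError,
                      sessions: Dict[SessionKey, Session],
                      log_invalid_packet: bool = False) -> Verdict:
    """Apply the page's disable/strict semantics to one ICMP error.

    'default' must be resolved against system global by the caller."""
    if mode == "disable":
        return Verdict("accept", "ICMP error verification disabled")
    if mode != "strict":
        raise ValueError("mode must be 'disable' or 'strict'")
    key = (err.inner_src, err.inner_sport, err.inner_dst, err.inner_dport)
    sess = sessions.get(key)
    if sess is None:
        # The page only defines the check for a located session; what
        # happens otherwise is left to normal stateful handling (assumption).
        return Verdict("unmatched", "no A:C->B:D session for embedded header")
    if _in_window(err.inner_seq, sess.seq_low, sess.seq_high):
        return Verdict("accept", "embedded sequence number within session range")
    # Out of range: drop, and log only when log-invalid-packet is enabled.
    return Verdict("drop",
                   f"seq {err.inner_seq} outside {sess.seq_low}-{sess.seq_high}",
                   logged=log_invalid_packet)


if __name__ == "__main__":
    # Constructed sample session and a forged-looking ICMP error.
    table = {("10.0.0.5", 40000, "203.0.113.10", 443): Session(1000, 2000)}
    forged = IcmpError("10.0.0.5", "203.0.113.10", 40000, 443, 999999)
    print(check_reset_range("strict", forged, table, log_invalid_packet=True))
```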

comment

Field to store descriptive information about the service such as its intended purpose.

Syntax
set comment <string>

color

This setting determines the color of the icon in the GUI. There are 32 defined colors numbered 1 to 32. 0 will set the color to default, which is color number 1.

Syntax
set color <integer>

Default value: 0

Example:
config firewall service custom
	edit generic-custom-service
	set color 15
end

visibility

Enable visibility to include this service in firewall policy service selection.

Syntax
set visibility {enable | disable}

Default value: enable
