firewall service custom
This command is used to configure firewall services.
config firewall service custom
    edit {name}    # Configure custom services.
        set name {string}    Custom service name. size[63]
        set proxy {enable | disable}    Enable/disable web proxy service.
        set category {string}    Service category. size[63] - datasource(s): firewall.service.category.name
        set protocol {option}    Protocol type based on IANA numbers.
                TCP/UDP/SCTP    TCP, UDP and SCTP.
                ICMP            ICMP.
                ICMP6           ICMP6.
                IP              IP.
                HTTP            HTTP - for web proxy.
                FTP             FTP - for web proxy.
                CONNECT         Connect - for web proxy.
                SOCKS-TCP       Socks TCP - for web proxy.
                SOCKS-UDP       Socks UDP - for web proxy.
                ALL             All - for web proxy.
        set helper {option}    Helper name.
                auto       Automatically select helper based on protocol and port.
                disable    Disable helper.
                ftp        FTP.
                tftp       TFTP.
                ras        RAS.
                h323       H323.
                tns        TNS.
                mms        MMS.
                sip        SIP.
                pptp       PPTP.
                rtsp       RTSP.
                dns-udp    DNS UDP.
                dns-tcp    DNS TCP.
                pmap       PMAP.
                rsh        RSH.
                dcerpc     DCERPC.
                mgcp       MGCP.
                gtp-c      GTP-C.
                gtp-u      GTP-U.
                gtp-b      GTP-B.
        set iprange {string}    Start and end of the IP range associated with service.
        set fqdn {string}    Fully qualified domain name. size[255]
        set protocol-number {integer}    IP protocol number. range[0-254]
        set icmptype {integer}    ICMP type. range[0-4294967295]
        set icmpcode {integer}    ICMP code. range[0-255]
        set tcp-portrange {string}    Multiple TCP port ranges.
        set udp-portrange {string}    Multiple UDP port ranges.
        set sctp-portrange {string}    Multiple SCTP port ranges.
        set tcp-halfclose-timer {integer}    Wait time to close a TCP session waiting for an unanswered FIN packet (1 - 86400 sec, 0 = default). range[0-86400]
        set tcp-halfopen-timer {integer}    Wait time to close a TCP session waiting for an unanswered open session packet (1 - 86400 sec, 0 = default). range[0-86400]
        set tcp-timewait-timer {integer}    Set the length of the TCP TIME-WAIT state in seconds (1 - 300 sec, 0 = default). range[0-300]
        set udp-idle-timer {integer}    UDP half close timeout (0 - 86400 sec, 0 = default). range[0-86400]
        set session-ttl {integer}    Session TTL (300 - 604800, 0 = default). range[300-604800]
        set check-reset-range {disable | strict | default}    Configure the type of ICMP error message verification.
                disable    Disable RST range check.
                strict     Check RST range strictly.
                default    Using system default setting.
        set comment {string}    Comment. size[255]
        set color {integer}    Color of icon on the GUI. range[0-32]
        set visibility {enable | disable}    Enable/disable the visibility of the service on the GUI.
        set app-service-type {disable | app-id | app-category}    Application service type.
                disable         Disable application type.
                app-id          Application ID.
                app-category    Application category.
        config app-category
            edit {id}    # Application category ID.
                set id {integer}    Application category id. range[0-4294967295]
            next
        config application
            edit {id}    # Application ID.
                set id {integer}    Application id. range[0-4294967295]
            next
    next
end
Additional information
The following section is for those options that require additional explanation.
Managing service objects
Configuring a specific service is the most common activity when using the firewall service custom command, but some commands affect the service objects as a whole.
edit
Used to select which individual service to configure or edit values.
Syntax:
config firewall service custom
(custom) # edit <service>
- To get a list of all of the existing service objects, type the command:
(custom) # edit ?
- Enter the name of the service after the edit command. If there are spaces in the name, use quotation marks.
delete
Used to delete an existing service.
Syntax:
config firewall service custom
(custom) # delete <service>
purge
Used to delete all of the existing custom services. It deletes all of the values within the table within the VDOM.
Syntax:
config firewall service custom
(custom) # purge
- There are no options, parameters or qualifiers. Just press Enter after entering the command.
- This command has a serious impact. Use cautiously.
rename
Used to change the name of the service object.
config firewall service custom
(custom) # rename <service_name> to <new_service_name>
Options and settings within a service
explicit-proxy
Enable to configure this service as an explicit web proxy service. The service will be available to explicit proxy firewall policies but not to regular firewall policies.
Syntax
set explicit-proxy {enable | disable}
Default value: disable
category
Assign the service to a service category. These categories are created and managed using the command config firewall service category.
Syntax
set category <category_name>
Example
config firewall service custom
(custom) # edit sample_service
(sample_service) # set category "web services"
(sample_service) # end
protocol
Select the protocol used by the service. These protocols are available when explicit-proxy is disabled. If you select TCP/UDP/SCTP, you must specify the tcp-portrange, udp-portrange, or sctp-portrange.
Syntax
set protocol {ICMP | ICMP6 | IP | TCP/UDP/SCTP}
Default value: TCP/UDP/SCTP
A different set of protocols are available when explicit-proxy
is enabled.
set protocol {ALL | CONNECT | FTP | HTTP | SOCKS-TCP | SOCKS-UDP}
Default value: ALL
Example
config firewall service custom
(custom) # edit sample-service
(sample-service) # set explicit-proxy enable
(sample-service) # set protocol FTP
(sample-service) # end
iprange
Enter an IP address or address range for this service.
Syntax
set iprange <ip_address>[-<ip_address>]
Default value: 0.0.0.0
Example
config firewall service custom
(custom) # edit sample-service
(sample-service) # set iprange 192.168.0.64-192.168.0.128
(sample-service) # end
fqdn
Enter a fully-qualified domain name (FQDN) for this service.
Syntax
set fqdn <fqdn_str>
Example
config firewall service custom
(custom) # edit sample-service
(sample-service) # set fqdn example.com
(sample-service) # end
protocol-number (0,4294967295)
For an IP service, enter the IP protocol number. For information on protocol numbers, see http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.
Syntax
set protocol-number <protocol_int>
Default value: 0
Example
config firewall service custom
(custom) # edit sample-service
(sample-service) # set protocol-number 6
(sample-service) # end
icmptype
Enter the ICMP type number. The range for type_int is from 0-255. Find ICMP type and code numbers at http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-types.
Syntax
set icmptype <type_int>
Example
config firewall service custom
(custom) # edit sample-service
(sample-service) # set icmptype 8
(sample-service) # end
icmpcode
Enter the ICMP code number. Find ICMP type and code numbers at http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-types.
Syntax
set icmpcode <code_int>
Example
config firewall service custom
(custom) # edit sample-service
(sample-service) # set icmpcode 13
(sample-service) # end
tcp-portrange
For TCP services, enter the destination and source port ranges.
- If the destination port range can be any port, enter 0-65535.
- If the destination is only a single port, simply enter a single port number for dstportlow_int and no value for dstporthigh_int.
- If the source port can be any port, no source port need be added.
- If the source port is only a single port, simply enter a single port number for srcportlow_int and no value for srcporthigh_int.
The total number of TCP, UDP, and SCTP port ranges cannot exceed 16.
Syntax
set tcp-portrange <dstportlow_int>[-<dstporthigh_int>][:<srcportlow_int>[-<srcporthigh_int>]]
Example
config firewall service custom
(custom) # edit sample-service
(sample-service) # set tcp-portrange 100-150:1100-1150
(sample-service) # end
If there are multiple ranges, separate them with a space:
config firewall service custom
(custom) # edit sample-service
(sample-service) # set tcp-portrange 100-150:1100-1150 2000-2100:4000-4100
(sample-service) # end
udp-portrange
For UDP services, enter the destination and source port ranges.
- If the destination port range can be any port, enter 0-65535.
- If the destination is only a single port, simply enter a single port number for dstportlow_int and no value for dstporthigh_int.
- If the source port can be any port, no source port need be added.
- If the source port is only a single port, simply enter a single port number for srcportlow_int and no value for srcporthigh_int.
The total number of TCP, UDP, and SCTP port ranges cannot exceed 16.
Syntax
set udp-portrange <dstportlow_int>[-<dstporthigh_int>][:<srcportlow_int>[-<srcporthigh_int>]]
sctp-portrange
For SCTP services, enter the destination and source port ranges.
- If the destination port range can be any port, enter 0-65535.
- If the destination is only a single port, simply enter a single port number for dstportlow_int and no value for dstporthigh_int.
- If the source port can be any port, no source port need be added.
- If the source port is only a single port, simply enter a single port number for srcportlow_int and no value for srcporthigh_int.
The total number of TCP, UDP, and SCTP port ranges cannot exceed 16.
Syntax
set sctp-portrange <dstportlow_int>[-<dstporthigh_int>][:<srcportlow_int>[-<srcporthigh_int>]]
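The three port-range options above (tcp-portrange, udp-portrange and sctp-portrange) share one string format and one combined limit of 16 ranges. The validator below is an added example, not FortiOS code: it encodes the documented rules (destination range required, source range optional and defaulting to any port, ports within 0-65535, at least one of the three ranges set for a TCP/UDP/SCTP service, 16 ranges in total) so that a service definition can be checked before it is pushed, and it can answer whether a given destination/source port pair would match the service. The grammar it assumes is the syntax line as written on this page; the names parse_portrange, validate_service_ports and service_allows are this example's own.

```python
"""Validator for the port-range strings used by tcp-portrange,
udp-portrange and sctp-portrange, derived from the rules on this page.

Added example code, not FortiOS code. The grammar is assumed from the
documented syntax line:
    <dstportlow_int>[-<dstporthigh_int>][:<srcportlow_int>[-<srcporthigh_int>]]
with several ranges separated by spaces.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_RANGES_TOTAL = 16   # documented limit across TCP, UDP and SCTP combined
ANY_PORT = (0, 65535)   # "0-65535" (or an omitted source) means any port


@dataclass(frozen=True)
class PortRange:
    dst_low: int
    dst_high: int
    src_low: int
    src_high: int

    def matches(self, dst_port: int, src_port: int) -> bool:
        return (self.dst_low <= dst_port <= self.dst_high
                and self.src_low <= src_port <= self.src_high)


def _parse_bounds(text: str, what: str) -> Tuple[int, int]:
    """Parse 'low' or 'low-high'; a single port means low == high."""
    parts = text.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"{what} port range {text!r} is malformed")
    low = int(parts[0])
    high = int(parts[1]) if len(parts) == 2 else low
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"{what} port range {text!r} is outside 0-65535 or reversed")
    return low, high


def parse_portrange(value: str) -> List[PortRange]:
    """Parse one tcp-/udp-/sctp-portrange value into PortRange objects."""
    ranges: List[PortRange] = []
    for token in value.split():
        dst_text, _, src_text = token.partition(":")
        dst_low, dst_high = _parse_bounds(dst_text, "destination")
        if src_text:
            src_low, src_high = _parse_bounds(src_text, "source")
        else:
            src_low, src_high = ANY_PORT      # no source given: any source port
        ranges.append(PortRange(dst_low, dst_high, src_low, src_high))
    return ranges


def is_valid_portrange(value: str) -> bool:
    """Convenience wrapper: True if the string parses under the grammar above."""
    try:
        parse_portrange(value)
        return True
    except ValueError:
        return False


def validate_service_ports(tcp: str = "", udp: str = "",
                           sctp: str = "") -> Dict[str, List[PortRange]]:
    """Check a TCP/UDP/SCTP service the way the page describes: at least one of
    the three port ranges must be set, and together they may not exceed 16."""
    parsed = {"tcp": parse_portrange(tcp),
              "udp": parse_portrange(udp),
              "sctp": parse_portrange(sctp)}
    total = sum(len(r) for r in parsed.values())
    if total == 0:
        raise ValueError("a TCP/UDP/SCTP service needs tcp-portrange, "
                         "udp-portrange or sctp-portrange")
    if total > MAX_RANGES_TOTAL:
        raise ValueError(f"{total} port ranges configured; the limit is {MAX_RANGES_TOTAL}")
    return parsed


def service_allows(parsed: Dict[str, List[PortRange]], proto: str,
                   dst_port: int, src_port: int) -> bool:
    """True if a packet with these ports would match the service definition."""
    return any(r.matches(dst_port, src_port) for r in parsed.get(proto, []))


if __name__ == "__main__":
    # Constructed sample values, mirroring the page's own example ranges.
    svc = validate_service_ports(tcp="100-150:1100-1150 2000-2100:4000-4100", udp="53")
    print(svc)
    print(service_allows(svc, "tcp", 120, 1120))   # destination and source both in range
    print(service_allows(svc, "udp", 53, 40000))   # no source range given, so any source port
```

A useful side effect of parsing rather than eyeballing: a token such as 2000-2100:4000:4100 (two colons) is rejected as malformed instead of silently meaning something else, and a service that was meant to be tight but ended up as 0-65535 shows up as a range object whose bounds are easy to flag in a review script.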
tcp-halfclose-timer (0,86400)
Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded. The valid range is from 1 to 86400 seconds.
Enter 0 to use the global setting defined in system global. This is available when protocol is TCP/UDP/SCTP.
Syntax
set tcp-halfclose-timer <seconds>
Default value: 0
Example:
config firewall service custom
(custom) # edit sample-service
(sample-service) # set tcp-halfclose-timer 3600
(sample-service) # end
tcp-halfopen-timer (0,86400)
Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded. The valid range is from 1 to 86400 seconds.
Enter 0 to use the global setting defined in system global. This is available when protocol is TCP/UDP/SCTP.
Syntax
set tcp-halfopen-timer <seconds>
Default value: 0
tcp-timewait-timer
Set the length of the TCP TIME-WAIT state in seconds. As described in RFC 793, the “TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request”. Reducing the time of the TIME-WAIT state means the FortiGate unit can close terminated sessions faster, which means more new sessions can be opened before the session limit is reached. The valid range is 0 to 300 seconds. A value of 0 sets the TCP TIME-WAIT to 0 seconds. Enter 0 to use the global setting defined in system global. This is available when protocol is TCP/UDP/SCTP.
Syntax
set tcp-timewait-timer <seconds_int>
Default value: 0
Example:
config firewall service custom
(custom) # edit sample-service
(sample-service) # set tcp-timewait-timer 60
(sample-service) # end
udp-idle-timer
Enter the number of seconds before an idle UDP connection times out. The valid range is from 1 to 86400 seconds. Enter 0 to use the global setting defined in system global. This is available when protocol is TCP/UDP/SCTP.
Syntax
set udp-idle-timer <seconds>
Default value: 0
session-ttl
Enter the default session timeout in seconds. The valid range is from 300 - 604,800 seconds. Enter 0 to use either the per-policy session-ttl or per-VDOM session-ttl, as applicable. This is available when protocol is TCP/UDP/SCTP.
Syntax
set session-ttl <seconds>
Default value: 0
Example:
config firewall service custom
(custom) # edit sample-service
(sample-service) # set session-ttl 3600
(sample-service) # end
check-reset-range
Configure ICMP error message verification.
disable — The FortiGate unit does not validate ICMP error messages.
strict — If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header, then if FortiOS can locate the A:C->B:D session it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range then the ICMP packet is dropped. If log-invalid-packet is enabled the FortiGate unit logs that the ICMP packet was dropped. Strict checking also affects how the anti-replay option checks packets.
default — Use the global setting defined in system global.
This field is available when protocol is TCP/UDP/SCTP. This field is not available if explicit-proxy is enabled.
Syntax
set check-reset-range {disable | strict | default}
Default value: default
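To make the strict rule above concrete, here is an added example (not FortiOS code) that models it: an ICMP error quotes the IP header and the first eight bytes of the TCP header of the datagram that caused it, which is exactly IP(A,B) | TCP(C,D) plus the sequence number. The model parses that embedded header, looks up the A:C->B:D session, compares the quoted sequence number with the range recorded for the session, and drops and (when log-invalid-packet is on) logs the ICMP packet when it falls outside. The session record with its seq_low/seq_high bounds, the packet builder, the log list and the behaviour when no session is found are all this example's assumptions; the unit's internal session fields are not described on this page.

```python
"""Model of the check-reset-range 'strict' behaviour described on this page.

Added example, not FortiOS code. The session record, the embedded-header
builder/parser and the log sink are constructed here so the check can be
exercised offline; the real unit's session fields are not shown on the page.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TCP = 6  # IANA protocol number for TCP


@dataclass
class Session:
    """Session A:C -> B:D with the TCP sequence range recorded for it.
    The explicit bounds are an assumption standing in for the unit's tracking."""
    src: str
    sport: int
    dst: str
    dport: int
    seq_low: int
    seq_high: int


SessionKey = Tuple[str, int, str, int]


def _ip4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_embedded_datagram(src: str, sport: int, dst: str, dport: int, seq: int) -> bytes:
    """Construct the part of the original datagram that an ICMP error quotes:
    a 20-byte IPv4 header plus the first 8 bytes of the TCP header (ports and
    sequence number). Constructed test data, not captured traffic."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 28, 0, 0, 64, TCP, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + struct.pack("!HHI", sport, dport, seq)


def parse_embedded_datagram(payload: bytes) -> Tuple[str, int, str, int, int]:
    """Return (A, C, B, D, seq) from the embedded IP(A,B) | TCP(C,D) header."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("embedded datagram is not IPv4")
    ihl = (payload[0] & 0x0F) * 4            # header length in bytes
    if payload[9] != TCP:
        raise ValueError("embedded datagram is not TCP")
    tcp = payload[ihl:ihl + 8]
    if len(tcp) < 8:
        raise ValueError("embedded TCP header truncated")
    sport, dport, seq = struct.unpack("!HHI", tcp)
    return _ip4(payload[12:16]), sport, _ip4(payload[16:20]), dport, seq


def build_session_table(*sessions: Session) -> Dict[SessionKey, Session]:
    return {(s.src, s.sport, s.dst, s.dport): s for s in sessions}


def strict_check(sessions: Dict[SessionKey, Session], icmp_payload: bytes,
                 log_invalid_packet: bool = False,
                 log: Optional[List[str]] = None) -> Tuple[bool, str]:
    """Apply the strict rule: locate A:C->B:D; if found, the quoted sequence
    number must lie inside the recorded range or the ICMP packet is dropped
    (and logged when log-invalid-packet is enabled). Returns (accepted, reason)."""
    a, c, b, d, seq = parse_embedded_datagram(icmp_payload)
    sess = sessions.get((a, c, b, d))
    if sess is None:
        # The page only describes the case where the session is located;
        # passing the packet on otherwise is this model's assumption.
        return True, "no matching session"
    if sess.seq_low <= seq <= sess.seq_high:
        return True, "sequence number within recorded range"
    if log_invalid_packet and log is not None:
        log.append(f"dropped ICMP error: seq {seq} outside "
                   f"{sess.seq_low}-{sess.seq_high} for {a}:{c}->{b}:{d}")
    return False, "sequence number outside recorded range"


if __name__ == "__main__":
    # Constructed session and packets (RFC 5737 documentation address for the peer).
    table = build_session_table(Session("10.0.0.5", 40000, "203.0.113.7", 443, 1000, 66535))
    good = build_embedded_datagram("10.0.0.5", 40000, "203.0.113.7", 443, 5000)
    bad = build_embedded_datagram("10.0.0.5", 40000, "203.0.113.7", 443, 999999)
    events: List[str] = []
    print(strict_check(table, good))
    print(strict_check(table, bad, log_invalid_packet=True, log=events))
    print(events)
```

The point the model makes visible is why strict mode is a defensive win: an ICMP error that names a real session but carries a sequence number the session never used is exactly what should not be allowed to tear that session down, and with log-invalid-packet enabled each such drop leaves a record an analyst can correlate.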
comment
Field to store descriptive information about the service such as its intended purpose.
Syntax
set comment <string>
color
This setting determines the color of the icon in the GUI. There are 32 defined colors numbered 1 to 32. 0 will set the color to default, which is color number 1.
Syntax
set color <integer>
Default value: 0
Example:
config firewall service custom
    edit generic-custom-service
        set color 15
end
visibility
Enable visibility to include this service in firewall policy service selection.
Syntax
set visibility {enable | disable}
Default value: enable