FortiGate
Andy_G
Staff
Article Id 192672

Description
In Fortinet terminology, a Custom Service is a user-defined service that is not among the predefined services. A service can be thought of as a traffic type: it includes the protocol (TCP, UDP or ICMP, for example) and the logical destination ports.

This article describes the steps required to configure a new 'custom' service in FortiOS 4.0, including the destination port and the transport layer protocol used (TCP or UDP).

In this example the new service will be called 'My Service' and use port 1234.


Scope
Applies to FortiGate in NAT mode or Transparent mode.
Solution

To create a custom service using the web-based manager:

  1. From the navigation panel select Firewall > Service > Custom.

  2. Select Create New. 

  3. Enter a name for the service and select a Protocol Type. For this example, TCP/UDP is selected.

    [Screenshot: the New Service dialog for 'My Service' (sotoole_100114_100114-new_my_service.jpg)]

  4. Select TCP or UDP from Protocol.

  5. Leave the source port range as 1-65535. Restricting the source port is a very common mistake: clients connect from arbitrary ephemeral source ports, so a narrowed source range silently stops the traffic from matching the service.

  6. Enter the destination port(s) used by the service (1234 in this example).

  7. Select OK.

  8. With the custom service created, it can now be selected as the service in a firewall policy.

[Screenshot: the custom service selected in a firewall policy (sotoole_100114_100114-custom_service_in_policy.jpg)]

Note that in FortiOS a custom service can also be created while creating a new policy: use the 'Create New' option when selecting the service for that policy, as shown below.

[Screenshot: creating a custom service from within the policy editor (sotoole_100114_100114-policy_custom_service.jpg)]


Testing

Pass the traffic through the FortiGate unit and check the session table from the status page. Note that if the custom service is not properly configured, or is not applied to a firewall policy, the corresponding traffic might be blocked or might match the wrong firewall policy. Hence the procedure that follows.

FortiOS 4.0
Go to System > Status > Top Sessions and select Details beside the session count. Set up a filter based on the port.
Make sure the Policy column shows the correct firewall policy. It is useful to confirm that this traffic hits the intended policy by its ID. See the related articles on how this is done.


To create a custom service using the CLI, enter the following commands:

config firewall service custom
    edit <name>
        set protocol TCP/UDP
        set tcp-portrange <destination port range>
        set udp-portrange <destination port range>
    next
end

For example, to create the 'My Service' service on TCP and UDP port 1234 as used in this article:

config firewall service custom
    edit "My Service"
        set protocol TCP/UDP
        set tcp-portrange 1234
        set udp-portrange 1234
    next
end

Activation

Once the service is created, you need to apply it to a firewall policy to take effect.
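As an added check that is not part of this article or of FortiOS, the following Python script parses a constructed FortiOS-style configuration text and reports custom services that restrict the source port (the mistake noted in step 5) or that no firewall policy references (so the service has no effect). The configuration text and service names are constructed for illustration; the parser handles only flat config/edit/set/next/end blocks.

```python
import shlex
# Constructed FortiOS-style config (not a device export): one correct service, one with a restricted source port that no policy references.
SAMPLE_CONFIG = """
config firewall service custom
    edit "My Service"
        set protocol TCP/UDP
        set tcp-portrange 1234
        set udp-portrange 1234
    next
    edit "Bad Service"
        set protocol TCP/UDP
        set tcp-portrange 1234:1234
    next
end
config firewall policy
    edit 1
        set service "My Service" "HTTP"
    next
end
"""

def parse_sections(text):
    # Flat 'config / edit / set / next / end' blocks -> {section: {entry: {key: [values]}}}.
    sections, current, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            current = sections.setdefault(line[7:], {})
        elif line.startswith("edit ") and current is not None:
            entry = current.setdefault(shlex.split(line[5:])[0], {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = shlex.split(value)
        elif line == "next":
            entry = None
        elif line == "end":
            current = None
    return sections

def service_problems(name, attrs, used):
    problems = [] if name in used else ["not referenced by any firewall policy"]
    for key in ("tcp-portrange", "udp-portrange"):
        # Syntax dst-low[-dst-high][:src-low[-src-high]]; a ':' suffix other than 1-65535 limits the source port.
        src = attrs.get(key, [""])[0].partition(":")[2]
        if src and src != "1-65535":
            problems.append(f"{key} limits source port to {src}")
    return problems

def check_custom_services(text):
    # Returns {service name: [problems]} for every custom service that has at least one problem.
    sections = parse_sections(text)
    used = {s for p in sections.get("firewall policy", {}).values() for s in p.get("service", [])}
    return {n: p for n, a in sections.get("firewall service custom", {}).items() if (p := service_problems(n, a, used))}
```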


