Custom Services Configuration Task List

The following list provides configuration tasks for Custom Services:
Adding Custom Services
Editing Custom Services
Deleting Custom Services
Adding Custom Services Groups
Editing Custom Services Groups
Deleting Custom Services Groups
Topics:
Supported Protocols
Adding Custom Services for Predefined Service Types
Adding Custom IP Type Services
Editing Custom Services
Deleting Custom Services
Adding a Custom Services Group

Supported Protocols

This section provides a list of pre-defined IP protocols for custom services:
ICMP (1)—(Internet Control Message Protocol) A TCP/IP protocol used to send error and control messages.
IGMP (2)—(Internet Group Management Protocol) The protocol that governs the management of multicast groups in a TCP/IP network.
TCP (6)—(Transmission Control Protocol) The TCP part of TCP/IP. TCP is a transport protocol in TCP/IP. TCP ensures that a message is sent accurately and in its entirety.
UDP (17)—(User Datagram Protocol) A protocol within the TCP/IP protocol suite that is used in place of TCP when a reliable delivery is not required.
GRE (47)—(Generic Routing Encapsulation) A tunneling protocol used to encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to firewalls or routing devices over an IP Internetwork.
ESP (50)—(Encapsulated Security Payload) A method of encapsulating an IP datagram inside of another datagram employed as a flexible method of data transportation by IPsec.
AH (51)—(Authentication Header) A security protocol that provides data authentication and optional anti-relay services. AH is embedded in the data to be protected (a full IP datagram).
EIGRP (88)—(Enhanced Interior Gateway Routing Protocol) Advanced version of IGRP. Provides superior convergence properties and operating efficiency, and combines the advantages of link state protocols with those of distance vector protocols.
OSPF (89)—(Open Shortest Path First) A routing protocol that determines the best path for routing IP traffic over a TCP/IP network based on distance between nodes and several quality parameters. OSPF is an interior gateway protocol (IGP), which is designed to work within an autonomous system. It is also a link state protocol that provides less router to router update traffic than the RIP protocol (distance vector protocol) that it was designed to replace.
PIM (103)—(Protocol Independent Multicast) One of two PIM operational modes:
PIM sparse mode (PIM-SM) tries to constrain data distribution so that a minimal number of routers in the network receive it. Packets are sent only if they are explicitly requested at the RP (rendezvous point). In sparse mode, receivers are widely distributed, and the assumption is that downstream networks will not necessarily use the datagrams that are sent to them. The cost of using sparse mode is its reliance on the periodic refreshing of explicit join messages and its need for RPs.
PM dense mode (PIM-DM) assumes all downstream routers and hosts want to receive a multicast datagram from a sender and floods multicast traffic throughout the network. Routers without downstream neighbors prune unwanted traffic. To minimize repeated flooding of datagrams and subsequent pruning, PIM DM uses a state refresh message sent by routers directly connected to the source.
* 
NOTE: The firewall can be configured only as a multicast proxy so multicast traffic can be passed through the up-/downstream interface. The firewall cannot act as a PIM router.
L2TP (115)—(Layer 2 Tunneling Protocol) A protocol that allows a PPP session to run over the Internet. L2TP does not include encryption, but defaults to using IPsec in order to provide virtual private network (VPN) connections from remote users to the corporate LAN.

Adding Custom Services for Predefined Service Types

You can add a custom service for any of the predefined service types:

 

Table 30. Predefined service types

Protocol

IP Number

ICMP

1

TCP

6

UDP

17

GRE

47

IPsec ESP

50

IPsec AH

51

IGMP

2

EIGRP

88

OSPF

89

PIM

103

L2TP

115

All custom services you create are listed in the Custom Services table. You can group custom services by creating a Custom Services Group for easy policy enforcement. If a protocol is not listed in the Default Services table, you can add it to the Custom Service Objects table by clicking Add.

To add custom services to pre-defined service types, perform the following steps:
1
Navigate to the Network > Services page.
2
Click the Add button. The Add Service dialog displays.

3
Enter the name of the service in the Name field.
4
Select the type of IP protocol from the Protocol drop-down menu.
5
What you enter next depends on your IP protocol selection:
For Custom IP Type, specify a custom IP protocol type in the Protocol field.
For TCP and UDP protocols, specify the Port Range.
For ICMP, IGMP, OSPF, and PIM protocols, select a Sub Type from the Sub Type drop-down menu.
* 
NOTE: PIM subtypes apply to both PIM-SM and PIM-DM except the following are for PIM SM only:
Type1: Register
Type2: Register Stop
Type4: Bootstrap
Type8: Candidate RP
For the remaining protocols, you do not need to specify a Port Range or Sub Type.
6
If Enable NDPP Mode was selected on the System > Services page, enter the ICMP code in the Code field.
* 
NOTE: This option displays only if the Enable NDPP Mode was selected.
7
Click OK. The service appears in the Custom Services table.
8
Click the Enable Logging checkbox to disable or enable the logging of the service activities.

Adding Custom IP Type Services

Using only the predefined IP types, if the security appliance encounters traffic of any other IP Protocol type it drops it as unrecognized. However, there exists a large and expanding list of other registered IP types, as governed by IANA (Internet Assigned Numbers Authority): http://www.iana.org/assignments/protocol-numbers, so while the rigid practice of dropping less-common (unrecognized) IP Type traffic is secure, it was functionally restrictive.

SonicOS, with its support for Custom IP Type Service Objects, allows you to construct Service Objects representing any IP type, allowing Firewall Access Rules to then be written to recognize and control IPv4 traffic of any type.

* 
NOTE: The generic service Any will not handle Custom IP Type Service Objects. In other words, simply defining a Custom IP Type Service Object for IP Type 126 will not allow IP Type 126 traffic to pass through the default LAN > WAN Allow rule.

It will be necessary to create an Access Rules specifically containing the Custom IP Type Service Object to provide for its recognition and handling, as illustrated below.

Configuration Example

Assume an administrator needed to allow RSVP (Resource Reservation Protocol - IP Type 46) and SRP (Spectralink™ Radio Protocol – IP type 119) from all clients on the WLAN zone (WLAN Subnets) to a server on the LAN zone (for example, 10.50.165.26), you would be able to define Custom IP Type Service Objects to handle these two services:

1
From the Network > Services page, click on the Go to Service Objects link at the top right of the page to jump to the Services section.
2
Click Add. The Add Service dialog displays.

3
Name the Service with a friendly name.
4
Select Custom IP Type from the Protocol drop-down menu.

5
Enter the protocol number for the Custom IP Type.
* 
NOTE: Port ranges are not definable for or applicable to Custom IP types.

* 
NOTE: Attempts to define a Custom IP Type Service Object for a predefined IP type is not permitted and results in an error message:
6
Click Add.
7
Repeat Step 3 through Step 6 for each custom service to be defined.
8
When finished, click Close. The Network > Services page displays.
9
From the Network > Services page, click on the Go to Service Groups link at the top right of the section to jump to the Service Groups section.
10
In the Service Groups section, click Add Group. The Add Service Group dialog displays.

11
Name the Service Group with a friendly name.
12
Select the Custom IP service you just created from the list of IP Types Services.

13
Click the -> button to move the service to the Custom Service list.
* 
TIP: You can select multiple services, and then click the -> button to move them all at one time
14
When finished, click OK. The Network > Services page displays.
15
Navigate to the Firewall > Access Rules page. WLAN > LAN, select Add.
16
Define an Access Rules allowing myServices from WLAN Subnets to the 10.50.165.26 Address Object.
* 
NOTE: Select your zones, Services and Address Objects accordingly. It may be necessary to create an Access Rule for bidirectional traffic; for example, an additional Access Rule from the LAN > WLAN allowing myServices from 10.50.165.26 to WLAN Subnets.

17
Click OK.

IP protocol 46 and 119 traffic will now be recognized and will be allowed to pass from WLAN Subnets to 10.50.165.26.

Editing Custom Services

Click the Edit icon under Configure to edit the service in the Edit Service dialog, which includes the same configuration settings as the Add Service dialog.

Deleting Custom Services

Click the Delete icon to delete an individual custom service. You can delete all custom services by clicking the Delete button.

Adding a Custom Services Group

You can add custom services and then create groups of services, including default services, to apply the same policies to them. For instance, you can allow SMTP and POP3 traffic only during certain hours or days of the week by adding the two services as a Custom Service Group.

To create a Custom Services Group:
1
On the Network > Services page, click Add Group. The Add Group dialog displays.

2
Enter a name for the custom group in the Name field.
3
Select individual services from the list in the left column. You can also select multiple services by pressing the Ctrl key while clicking on the services.
4
Click - > to add the services to the group.
To remove services from the group, select individual services from the list in right column. You can also select multiple services by pressing the Ctrl key on your keyboard and clicking on the services.
Click < - to remove the services.
5
When you are finished, click OK to add the group to Custom Services Groups.

Clicking the triangle to the left of a Custom Service Group name, expands the display to show all the individual Custom Services, Default Services, and Custom Services Groups included in the Custom Service Group entry.

Editing Custom Services Groups

Click the Edit icon in the Configure column to edit the custom service group in the Edit Service Group dialog, which includes the same configuration settings as the Add Service Group dialog.

You also can edit individual services of a custom service group by expanding the group, and clicking the Edit icon for the service. The Edit Service dialog displays, which is the same as the Add Service dialog.

Deleting Custom Services Groups

Click the Delete icon to delete the individual custom service group entry. You can delete all custom service groups by clicking the Delete icon. You also can delete individual services of a custom service group by expanding the group, and clicking the Delete icon for the service.