Firewall_serviceObjView

Network > Services

SonicOS Enhanced supports an expanded IP protocol support to allow users to create services and access rules based on these protocols. See Supported Protocols for a complete listing of support IP protocols.

Services are used by the SonicWALL security appliance to configure network access rules for allowing or denying traffic to the network. The SonicWALL security appliance includes Default Services . Default Services are predefined services that are not editable. And you can also create Custom Services to configure firewall services to meet your specific business requirements.

Selecting All Services from View Style displays both Custom Services and Default Services .

Default Services Overview

The Default Services view displays the SonicWALL security appliance default services in the Services table and Service Groups table. The Service Groups table displays clusters of multiple default services as a single service object. You cannot delete or edit these predefined services. The Services table displays the following attributes of the services:

 
Name —The name of the service.
 
Protocol —The protocol of the service.
 
Port Start —The starting port number for the service.
 
Port End —The ending port number for the service.
 
Configure —Displays the unavailable Edit and Delete icon (default services cannot be edited or deleted, you will need to add a new service for the Edit and Delete icons to become available).

Services that apply to common applications are grouped as Default Service Groups . These groups cannot be changed or deleted. Clicking on the + to the left of the Default Service Groups entry, displays all the individual Default Services included in the group. For example, the DNS (Name Service ) entry has two services labelled DNS (Name Service ) TCP for port 53 and DNS (Name Service ) UDP for port 53. These multiple entries with the same name are grouped together, and are treated as a single service. Default Services Groups cannot be edited or deleted.

Custom Services Configuration Task List

The following list provides configuration tasks for Custom Services:

 
Adding Custom Services
 
Editing Custom Services
 
Deleting Custom Services
 
Adding Custom Services Groups
 
Editing Custom Services Groups
 
Deleting Custom Services Groups

Supported Protocols

The following IP protocols are available for custom services:

 
ICMP (1 )—(Internet Control Message Protocol) A TCP/IP protocol used to send error and control messages.
 
IGMP (2 )—(Internet Group Management Protocol) The protocol that governs the management of multicast groups in a TCP/IP network.
 
TCP (6 )—(Transmission Control Protocol) The TCP part of TCP/IP. TCP is a transport protocol in TCP/IP. TCP ensures that a message is sent accurately and in its entirety.
 
UDP (17 )—(User Datagram Protocol) A protocol within the TCP/IP protocol suite that is used in place of TCP when a reliable delivery is not required.
 
GRE (47 )—(Generic Routing Encapsulation) A tunneling protocol used to encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to firewalls or routing devices over an IP Internetwork.
 
ESP (50 )—(Encapsulated Security Payload) A method of encapsulating an IP datagram inside of another datagram employed as a flexible method of data transportation by IPsec.
 
AH (51 )—(Authentication Header) A security protocol that provides data authentication and optional anti-relay services. AH is embedded in the data to be protected (a full IP datagram).
 
EIGRP (88 )—(Enhanced Interior Gateway Routing Protocol) Advanced version of IGRP. Provides superior convergence properties and operating efficiency, and combines the advantages of link state protocols with those of distance vector protocols.
 
OSPF (89 )—(Open Shortest Path First) A routing protocol that determines the best path for routing IP traffic over a TCP/IP network based on distance between nodes and several quality parameters. OSPF is an interior gateway protocol (IGP), which is designed to work within an autonomous system. It is also a link state protocol that provides less router to router update traffic than the RIP protocol (distance vector protocol) that it was designed to replace.
 
PIMSM (103 )—(Protocol Independent Multicast Sparse Mode) One of two PIM operational modes (dense and sparse). PIM sparse mode tries to constrain data distribution so that a minimal number of routers in the network receive it. Packets are sent only if they are explicitly requested at the RP (rendezvous point). In sparse mode, receivers are widely distributed, and the assumption is that downstream networks will not necessarily use the datagrams that are sent to them. The cost of using sparse mode is its reliance on the periodic refreshing of explicit join messages and its need for RPs.
 
L2TP (115 )—(Layer 2 Tunneling Protocol) A protocol that allows a PPP session to run over the Internet. L2TP does not include encryption, but defaults to using IPsec in order to provide virtual private network (VPN) connections from remote users to the corporate LAN.

Adding Custom Services for Predefined Service Types

You can add a custom service for any of the predefined service types:

 

Protocol

IP Number

ICMP

1

TCP

6

UDP

17

GRE

47

IPsec ESP

50

IPsec AH

51

IGMP

2

EIGRP

88

OSPF

89

PIM SM

103

L2TP

115

All custom services you create are listed in the Custom Services table. You can group custom services by creating a Custom Services Group for easy policy enforcement. If a protocol is not listed in the Default Services table, you can add it to the Custom Services table by clicking Add .

Step 1
Enter the name of the service in the Name field.
Step 2
Select the type of IP protocol from the Protocol pull-down menu.
Step 3
Enter the Port Range or IP protocol Sub Type depending on your IP protocol selection:
 
For TCP and UDP protocols, specify the Port Range. You will not need to specify a Sub Type.
 
On SonicWALL NSA series appliances, for ICMP, IGMP, OSPF and PIMSM protocols, select from the Sub Type pull-down menu for sub types.
 
For the remaining protocols, you will not need to specify a Port Range or Sub Type.
Step 4
Click OK . The service appears in the Custom Services table.

Click the Enable Logging checkbox to disable or enable the logging of the service activities.

Adding Custom IP Type Services

Using only the predefined IP types, if the security appliance encounters traffic of any other IP Protocol type it drops it as unrecognized . However, there exists a large and expanding list of other registered IP types, as governed by IANA (Internet Assigned Numbers Authority): http://www.iana.org/assignments/protocol-numbers , so while the rigid practice of dropping less-common (unrecognized) IP Type traffic is secure, it was functionally restrictive.

SonicOS Enhanced 3.5 and newer, with its support for Custom IP Type Service Objects, allows an administrator to construct Service Objects representing any IP type, allowing Firewall Access Rules to then be written to recognize and control IPv4 traffic of any type.

 
Note
The generic service Any will not handle Custom IP Type Service Objects. In other words, simply defining a Custom IP Type Service Object for IP Type 126 will not allow IP Type 126 traffic to pass through the default LAN > WAN Allow rule.

It will be necessary to create an Access Rules specifically containing the Custom IP Type Service Object to provide for its recognition and handling, as illustrated below.

Example

Assume an administrator needed to allow RSVP (Resource Reservation Protocol - IP Type 46) and SRP (Spectralink™ Radio Protocol – IP type 119) from all clients on the WLAN zone (WLAN Subnets) to a server on the LAN zone (for example, 10.50.165.26), the administrator would be able to define Custom IP Type Service Objects to handle these two services:

Step 1
From the Network > Services page, Click on the Go to Service Objects link at the top right of page to jump to the Services section.
Step 2
Click Add .
Step 3
Name the Service Objects accordingly.
Step 4
Select Custom IP Type from the Protocol drop-down list.
Step 5
Enter the protocol number for the Custom IP Type . Port ranges are not definable for or applicable to Custom IP types .
 
Note
Attempts to define a Custom IP Type Service Object for a predefined IP type will not be permitted, and will result in an error message.
Step 6
Click OK
Step 7
From the Network > Services page, Service Group section, select Add Group .
Step 8
Add a Service Group composed of the Custom IP Types Services.
Step 9
From Firewall > Access Rules > WLAN > LAN , select Add .
Step 10
Define an Access Rules allowing myServices from WLAN Subnets to the 10.50.165.26 Address Object.
 
Note
Select your zones, Services and Address Objects accordingly. It may be necessary to create an Access Rule for bidirectional traffic; for example, an additional Access Rule from the LAN > WLAN allowing myServices from 10.50.165.26 to WLAN Subnets.
Step 11
Click OK

IP protocol 46 and 119 traffic will now be recognized, and will be allowed to pass from WLAN Subnets to 10.50.165.26 .

Editing Custom Services

Click the Edit icon under Configure to edit the service in the Edit Service window, which includes the same configuration settings as the Add Service window.

Deleting Custom Services

Click the Delete icon to delete an individual custom service. You can delete all custom services by clicking the Delete button.

Adding a Custom Services Group

You can add custom services and then create groups of services, including default services, to apply the same policies to them. For instance, you can allow SMTP and POP3 traffic only during certain hours or days of the week by adding the two services as a Custom Service Group. To create a Custom Services Group , click Add Group .

Step 1
Enter a name for the custom group in the name field.
Step 2
Select individual services from the list in the left column. You can also select multiple services by pressing the Ctrl key and clicking on the services.
Step 3
Click - > to add the services to the group.
Step 4
To remove services from the group, select individual services from the list in right column. You can also select multiple services by pressing the Ctrl key on your keyboard and clicking on the services.
Step 5
Click < - to remove the services.
Step 6
When you are finished, click OK to add the group to Custom Services Groups .

Clicking + on the left of a Custom Service Group name, expands the display to show all the individual Custom Services, Default Services, and Custom Services Groups included in the Custom Service Group entry.

Editing Custom Services Groups

Click the Edit icon under Configure to edit the custom service group in the Edit Service Group window, which includes the same configuration settings as the Add Service Group window.

Deleting Custom Services Groups

Click the Delete icon to delete the individual custom service group entry. You can delete all custom service groups by clicking the Delete button.