firewall : service custom
 
service custom
Use this command to configure firewall services.
Syntax
config firewall service custom
    edit <name_str>
        set category <category_name>
        set check-reset-range {disable | strict | default}
        set color <color_int>
        set comment <string>
        set explicit-proxy {enable | disable}
        set fqdn <fqdn_str>
        set icmpcode <code_int>
        set icmptype <type_int>
        set iprange <serv_ip[-serv_ip]>
        set protocol {ICMP | ICMP6 | IP | TCP/UDP/SCTP}
        set protocol-number <protocol_int>
        set sctp-portrange <dstportlow_int>[-<dstporthigh_int>][:<srcportlow_int>[-<srcporthigh_int>]]
        set session-ttl <seconds>
        set tcp-halfclose-timer <seconds>
        set tcp-halfopen-timer <seconds>
        set tcp-portrange <dstportlow_int>[-<dstporthigh_int>][:<srcportlow_int>[-<srcporthigh_int>]]
        set tcp-timewait-timer <seconds_int>
        set udp-idle-timer <seconds>
        set udp-portrange <dstportlow_int>[-<dstporthigh_int>][:<srcportlow_int>[-<srcporthigh_int>]]
        set visibility {enable | disable}
end
Variable / Description / Default

<name_str>
Enter the name of this custom service.
Default: none.

category <category_name>
Assign the service to a service category.
Default: depends on the service.

check-reset-range {disable | strict | default}
Configure ICMP error message verification.
disable — The FortiGate unit does not validate ICMP error messages.
strict — If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header, and FortiOS can locate the A:C->B:D session, it checks that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range, the ICMP packet is dropped. If “log-invalid-packet {enable | disable}” is enabled, the FortiGate unit logs that the ICMP packet was dropped. Strict checking also affects how the anti-replay option checks packets.
default — Use the global setting defined in system global.
This field is available when protocol is TCP/UDP/SCTP.
This field is not available if explicit-proxy is enabled.
Default: default

color <color_int>
Set the icon color to use in the web-based manager.
0 sets the default, color 1.
Default: 0

comment <string>
Add comments for the custom service.
Default: none.

explicit-proxy {enable | disable}
Enable to configure this service as an explicit web proxy service. The service will be available to explicit proxy firewall policies but not to regular firewall policies.
Default: disable

fqdn <fqdn_str>
Enter a fully-qualified domain name (FQDN) for this service.
Default: none.

icmpcode <code_int>
Enter the ICMP code number. Find ICMP type and code numbers at www.iana.org.
Default: none.

icmptype <type_int>
Enter the ICMP type number. The range for type_int is 0-255. Find ICMP type and code numbers at www.iana.org.
Default: 0

iprange <serv_ip[-serv_ip]>
Enter an IP address or address range for this service.
Default: none.

protocol {ICMP | ICMP6 | IP | TCP/UDP/SCTP}
Select the protocol used by the service. These protocols are available when explicit-proxy is disabled.
If you select TCP/UDP/SCTP you must specify the tcp-portrange, udp-portrange, or sctp-portrange.
Default: IP

protocol {ALL | CONNECT | FTP | HTTP | SOCKS-TCP | SOCKS-UDP}
Select the protocol used by the service. These protocols are available when explicit-proxy is enabled.
Default: ALL

protocol-number <protocol_int>
For an IP service, enter the IP protocol number. For information on protocol numbers, see http://www.iana.org.
Default: 0

sctp-portrange <dstportlow_int>[-<dstporthigh_int>][:<srcportlow_int>[-<srcporthigh_int>]]
For SCTP services, enter the destination and source port ranges.
If the destination port range can be any port, enter 0-65535. If the destination is only a single port, simply enter a single port number for dstportlow_int and no value for dstporthigh_int.
If the source port can be any port, no source port needs to be entered. If the source port is only a single port, simply enter a single port number for srcportlow_int and no value for srcporthigh_int.
The total number of TCP, UDP, and SCTP port ranges cannot exceed 16.
Default: none.

session-ttl <seconds>
Enter the default session timeout in seconds. The valid range is from 300 to 604800 seconds. Enter 0 to use either the per-policy session-ttl or per-VDOM session-ttl, as applicable.
This is available when protocol is TCP/UDP/SCTP.
Default: 0

tcp-halfclose-timer <seconds>
Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded. The valid range is from 1 to 86400 seconds.
Enter 0 to use the global setting defined in system global.
This is available when protocol is TCP/UDP/SCTP.
Default: 0

tcp-halfopen-timer <seconds>
Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded. The valid range is from 1 to 86400 seconds.
Enter 0 to use the global setting defined in system global.
This is available when protocol is TCP/UDP/SCTP.
Default: 0

tcp-portrange <dstportlow_int>[-<dstporthigh_int>][:<srcportlow_int>[-<srcporthigh_int>]]
For TCP services, enter the destination and source port ranges.
If the destination port range can be any port, enter 0-65535. If the destination is only a single port, simply enter a single port number for dstportlow_int and no value for dstporthigh_int.
If the source port can be any port, no source port needs to be entered. If the source port is only a single port, simply enter a single port number for srcportlow_int and no value for srcporthigh_int.
The total number of TCP, UDP, and SCTP port ranges cannot exceed 16.
Default: 0:0

tcp-timewait-timer <seconds_int>
Set the length of the TCP TIME-WAIT state in seconds. As described in RFC 793, the “TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request”.
Reducing the time of the TIME-WAIT state means the FortiGate unit can close terminated sessions faster, which means more new sessions can be opened before the session limit is reached.
The valid range is 0 to 300 seconds. A value of 0 sets the TCP TIME-WAIT to 0 seconds.
Enter 0 to use the global setting defined in system global.
This is available when protocol is TCP/UDP/SCTP.
Default: 1

udp-idle-timer <seconds>
Enter the number of seconds before an idle UDP connection times out. The valid range is from 1 to 86400 seconds.
Enter 0 to use the global setting defined in system global.
This is available when protocol is TCP/UDP/SCTP.
Default: 0

udp-portrange <dstportlow_int>[-<dstporthigh_int>][:<srcportlow_int>[-<srcporthigh_int>]]
For UDP services, enter the destination and source port ranges.
If the destination port range can be any port, enter 0-65535. If the destination is only a single port, simply enter a single port number for dstportlow_int and no value for dstporthigh_int.
If the source port can be any port, no source port needs to be entered. If the source port is only a single port, simply enter a single port number for srcportlow_int and no value for srcporthigh_int.
The total number of TCP, UDP, and SCTP port ranges cannot exceed 16.
Default: none.

visibility {enable | disable}
Enable visibility to include this service in firewall policy service selection.
Default: enable
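As an added example (not part of this reference and not Fortinet code), the following Python helper parses the tcp/udp/sctp-portrange syntax described above (destination port or range, optional source port or range, several ranges per line), answers whether a given destination/source port pair is covered by a custom service, and flags services whose destination range is 0-65535 or that hold more than the 16 ranges allowed. The CLI dump and the service names in it are constructed for the example.

```python
import re
from collections import namedtuple
# Port-range form documented above: dstlow[-dsthigh][:srclow[-srchigh]]
PORTRANGE_RE = re.compile(r"^(\d+)(?:-(\d+))?(?::(\d+)(?:-(\d+))?)?$")
PORTRANGE_KEYS = ("tcp-portrange", "udp-portrange", "sctp-portrange")
PortRange = namedtuple("PortRange", "dst_low dst_high src_low src_high")

def parse_portrange(token):
    """One range token: a single port means low == high; no source part means 0-65535."""
    if not (m := PORTRANGE_RE.match(token)):
        raise ValueError(f"malformed port range {token!r}")
    dl, dh, sl, sh = m.groups()
    pr = PortRange(int(dl), int(dh or dl), int(sl or 0), int(sh or sl or 65535))
    if max(pr) > 65535 or pr.dst_low > pr.dst_high or pr.src_low > pr.src_high:
        raise ValueError(f"port out of range or reversed in {token!r}")
    return pr

def parse_services(cli_text):
    """Map service name -> {proto: [PortRange, ...]} from a 'config firewall service custom' dump."""
    services, name = {}, None
    for words in (line.split() for line in cli_text.splitlines()):
        if words[:1] == ["edit"]:
            name = " ".join(words[1:]).strip('"')
            services[name] = {}
        elif len(words) > 2 and words[0] == "set" and words[1] in PORTRANGE_KEYS:
            services[name][words[1].split("-")[0]] = [parse_portrange(t) for t in words[2:]]
    return services

def service_matches(services, name, proto, dport, sport):
    return any(r.dst_low <= dport <= r.dst_high and r.src_low <= sport <= r.src_high
               for r in services[name].get(proto, []))

def audit(services):  # any-port destination ranges, and the 16-range limit stated above
    findings = []
    for name, protos in services.items():
        ranges = [r for rs in protos.values() for r in rs]
        if any(r.dst_low == 0 and r.dst_high == 65535 for r in ranges):
            findings.append((name, "matches any destination port"))
        if len(ranges) > 16:  # total TCP + UDP + SCTP ranges in this service
            findings.append((name, "more than 16 port ranges"))
    return findings
# Constructed sample dump, not taken from a real device
SAMPLE = """config firewall service custom
    edit "WEB-MGMT"
        set tcp-portrange 8443:1024-65535 22
    next
    edit "ANY-TCP"
        set tcp-portrange 0-65535
    next
end"""
```

Running `audit(parse_services(SAMPLE))` reports only ANY-TCP, and `service_matches` shows that 8443 is reachable from ephemeral source ports but not from source port 80, while port 22 is reachable from any source port.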