Chapter 7 Firewall for FortiOS 5.0 : Building firewall objects and policies : TCP/UDP/SCTP Service
  
TCP/UDP/SCTP Service
To create and configure a TCP/UDP/SCTP protocol type service.
You have set up some new web cams at work that send a constant live feed to a security service. Not only can these cameras send their feed offsite, they can also be remotely managed from a browser or an application.
The ports that need to be opened to use all of the features of the web cams are:
Management by browser - TCP on port 8000
Real time video feed - UDP on port 4000
Connection through vendor application - SCTP on port 16000
The IP address of the offsite service is 256.25.56.12 (not a valid IP address; used for example only).
One service will be needed for the incoming connections.
One service will be needed for the outgoing connections.
The IT manager would like the service for the outgoing data stream to be tied to the destination address of the surveillance service site, so that the service can only be used with that one vendor.
To add the incoming service
Go to Firewall Objects > Service > Services and select Create New > Custom Service.
Fill out the fields with the following information:
Name: WebCam_Connection-incoming
Comments: <Input into this field is optional>
Service Type: Firewall
Color: <Changing this value is optional>
Show in Service List: Check the check box
Category: Surveillance
Protocol Type: TCP/UDP/SCTP
IP/FQDN: <Leave blank>

| Protocol | Destination Port Low | Destination Port High | Source Port Low | Source Port High |
|----------|----------------------|-----------------------|-----------------|------------------|
| TCP      | 8000                 | 8000                  | 1               | 65535            |
| SCTP     | 16000                | 16000                 | 1               | 65535            |

The source port range can be left blank, as the default is 1 to 65535.
Select OK.
Enter the following CLI commands (FortiOS CLI keywords are lowercase; the category is set to match the GUI entry above):
config firewall service custom
    edit WebCam_Connection-incoming
        set category Surveillance
        set protocol TCP/UDP/SCTP
        set tcp-portrange 8000
        set sctp-portrange 16000
        set visibility enable
    next
end
To add the outgoing service
Go to Firewall Objects > Service > Services and select Create New > Custom Service.
Fill out the fields with the following information:
Name: WebCam_Connection-outgoing
Comments: <Input into this field is optional>
Service Type: Firewall
Color: <Changing this value is optional>
Show in Service List: Check the check box
Category: Surveillance
Protocol Type: TCP/UDP/SCTP
IP/FQDN: 256.25.56.12

| Protocol | Destination Port Low | Destination Port High | Source Port Low | Source Port High |
|----------|----------------------|-----------------------|-----------------|------------------|
| UDP      | 4000                 | 4000                  | 1               | 65535            |
Select OK.
Enter the following CLI commands (the object name is the outgoing service, and the IP/FQDN entry becomes iprange):
config firewall service custom
    edit WebCam_Connection-outgoing
        set category Surveillance
        set protocol TCP/UDP/SCTP
        set udp-portrange 4000
        set iprange 256.25.56.12
        set visibility enable
    next
end
To verify that the services were added correctly:
Go to Firewall Objects > Service > Services. Check that both services appear in the service list under the Surveillance category and that their protocols, ports and (for the outgoing service) the IP address are correct.
Enter the following CLI commands:
config firewall service custom
    edit <the name of the service that you wish to verify>
        show full-configuration
    next
end
This should display all of the details of the service, including any default attributes that were not set explicitly.
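As an added example that is not part of the original Fortinet documentation, the following Python script audits a saved copy of the show full-configuration output against the scenario above: it parses the edit/set/next structure of the two custom service objects and reports any attribute that deviates, in particular an outgoing service that is no longer pinned to the vendor address. The configuration text is a constructed sample in the shape of FortiOS output (real output may list additional default attributes, which the parser simply records).

```python
# Constructed sample shaped like "show full-configuration" output for the two
# services on this page (assumption: real output may show more default attributes).
SAMPLE_CONFIG = """\
config firewall service custom
    edit "WebCam_Connection-incoming"
        set category "Surveillance"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 8000
        set sctp-portrange 16000
    next
    edit "WebCam_Connection-outgoing"
        set category "Surveillance"
        set protocol TCP/UDP/SCTP
        set iprange 256.25.56.12
        set udp-portrange 4000
    next
end
"""

# Attributes the scenario requires; iprange pins the outgoing service to the vendor.
EXPECTED = {
    "WebCam_Connection-incoming": {"tcp-portrange": "8000", "sctp-portrange": "16000"},
    "WebCam_Connection-outgoing": {"udp-portrange": "4000", "iprange": "256.25.56.12"},
}

def parse_custom_services(text):
    # Walk the edit/set/next structure and return {name: {attribute: value}}.
    services, current = {}, None
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word == "edit":
            current = rest.strip().strip('"')
            services[current] = {}
        elif word == "set" and current is not None:
            attr, _, value = rest.strip().partition(" ")
            services[current][attr] = value.strip().strip('"')
        elif word in ("next", "end"):
            current = None
    return services

def check_services(services, expected=EXPECTED):
    # Return one finding per attribute that is missing or differs from the scenario.
    findings = []
    for name, want in expected.items():
        got = services.get(name, {})
        for attr, value in want.items():
            if got.get(attr) != value:
                findings.append(f"{name}: {attr} should be {value}, got {got.get(attr)}")
    return findings
```

Run check_services(parse_custom_services(text)) on the captured CLI output; an empty list means both objects match the scenario, and a removed iprange on the outgoing service shows up as a finding.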