Services and TCP ports

There are a number of different services and protocols in use on the Internet. The most commonly known is HTTP which is used by web servers to transmit requests and responses for unencrypted web pages. These services are set up to listen for requests on a numbered port. These services and protocols can use any port from 1 to 65,535. To keep things simple for everyone a large number of the more commonly used services started using a standardized list of ports. For instance, though it is not required, by default, most web servers listen for HTTP requests on port 80 and by default, web browsers will send HTTP traffic to port 80. If you wish to use another port such as 8080 you would put “:8080” at the end of the URL to indicate that you want the browser to use 8080 instead of the default port.

Example

Default URL for HTTP traffic when the web server is listening on the standard HTTP port:

http://fortinet.com

URL to the same address when the web server is listening for HTTP traffic on port 8080

http://fortinet.com:8080

Services represent typical traffic types and application packets that pass through the FortiGate unit. Firewall services define one or more protocols and port numbers associated with each service. Security policies use service definitions to match session types. You can organize related services into service groups to simplify your security policy list.

Many well-known traffic types have been predefined on the FortiGate unit. If a service does not appear on the list, you can create a new service or edit an existing one. To create a service you need to know the ports, IP addresses or protocols that the particular service or application uses.

Best Practices

While you can edit a predefined service it is best to leave those ones alone and create a new service and name it something similar such as the same service name with a descriptive identifier appended.

Based on the previous example, instead of the name “HTTP” you could name the service “HTTP8080” or use the application that is using that port, “HTTP-Application”.

Categories

In order to make sorting through the services easier there is a field to categorize the services. The services can be sorted into the following groups:

  • Uncategorized
  • General
  • Web Access
  • File Access
  • Email
  • Network Services
  • Authentication
  • Remote Access
  • Tunnelling
  • VoIP, Messaging and Other Applications
  • Web Proxy

To create a new category, use the downward pointing arrow next to Create New in the Services window and choose Category. All that is required is a name for the new category. A comment describing the new category is optional.

Protocol types

One of the fundamental aspects of a service is the type of protocol that is used to define it. When a service is defined, one of the following categories of protocol needs to be selected:

  • TCP/UDP/SCTP
  • ICMP
  • ICMP6
  • IP

Depending on which of these protocol categories is chosen, another set of specifications can also be defined.

TCP/UDP/SCTP

This is the most commonly used service protocol category. Once this category has been selected the other available options to choose are an address, either IP or FQDN, and the protocol and port number.

The protocol will be TCP, UDP or SCTP.

ICMP or ICMP6

When ICMP or ICMP6 is chosen the available options are the ICMP Type and its code.

IP

When IP is the chosen protocol type, the additional option is the Protocol Number.

TCP

Transmission Control Protocol (TCP) is one of the core or fundamental protocols of the Internet. It is part of the Transport Layer of the OSI Model. It is designed to provide reliable delivery of data from a program on one device on the network or Internet to another program on another device on the network or Internet. TCP achieves its reliability because it is a connection based protocol. TCP is stream-oriented. It transports streams of data reliably and in order.

TCP establishes a connection between the hosts before sending data. This is often referred to as the handshake. Once the connection is established, the protocol uses checks to verify the data transmitted. If an error check fails, the data is retransmitted. This makes sure that the data reaches the destination error free and in the correct order, so that it can be put back together into a form identical to the way it was sent.

TCP is configured more for reliability than for speed and because of this TCP will likely be slower than a connectionless protocol such as UDP. This is why TCP is generally not used for real time applications such as voice communication or online gaming.

Some of the applications that use TCP are:

  • World Wide Web (HTTP and HTTPS)
  • Email (SMTP, POP3, IMAP4)
  • Remote administration (RDP)
  • File transfer (FTP)

UDP

User Datagram Protocol (UDP), like TCP, is one of the core protocols of the Internet and part of the Transport Layer of the OSI Model. UDP is designed more for speed than reliability and is generally used for different applications than TCP. UDP sends messages, referred to as datagrams, across the network or Internet to other hosts without establishing a prior communication link. In other words, there is no handshake.

UDP is an unreliable service as the datagrams can arrive out of order, duplicated or go missing without any mechanism to verify them. UDP works on the assumption that any error checking is done by the application or is not necessary for the function of the application. This way it avoids the overhead that is required to verify the integrity of the data.

This lack of overhead improves the speed of the data transfer and is why UDP is often used by applications that are time sensitive in nature. UDP's stateless nature is also great for applications that answer a large number of small queries from a large number of clients.

Common uses for UDP are:

  • Domain Name Resolution (DNS)
  • Time (NTP)
  • Streaming media (RTSP, RTP and RTCP)
  • Telephony over the Internet (VoIP)
  • File Transfer (TFTP)
  • Logging (SNMP)
  • Online games (GTP and OGP)

SCTP

Stream Control Transmission Protocol (SCTP) is part of the Transport Layer of the OSI Model just like TCP and UDP and provides some of the features of both of those protocols. It is message or datagram orientated like UDP but it also ensures reliable sequential transport of data with congestion control like TCP.

SCTP provides the following services:

  • Acknowledged error-free non-duplicated transfer of user data
  • Data fragmentation to conform to discovered path MTU size
  • Sequenced delivery of user messages within multiple streams, with an option for order-of-arrival delivery of individual user messages
  • Optional bundling of multiple user messages into a single SCTP packet
  • Network-level fault tolerance through supporting of multi-homing at either or both ends of an association
  • Congestion avoidance behavior and resistance to flooding and masquerade attacks

SCTP uses multi-streaming to transport its messages, which means that there can be several independent streams of messages traveling in parallel between the endpoints of the transmission. Like UDP, the data is sent out in larger chunks than TCP uses, but each message carries a sequence number, as in TCP, so that the data can be reassembled at the receiving end in the correct sequence even when it does not arrive in that sequence.

SCTP is effective as the transport protocol for applications that require monitoring and session-loss detection. For such applications, the SCTP path and session failure detection mechanisms actively monitor the connectivity of the session. SCTP differs from TCP in having multi-homing capabilities at either or both ends and several streams within a connection, typically referred to as an association. A TCP stream represents a sequence of bytes; an SCTP stream represents a sequence of messages.

Some common applications of SCTP include supporting transmission of the following protocols over IP networks:

  • SCTP is important in 3G and 4G/LTE networks (for example, HomeNodeB = FemtoCells)
  • SS7 over IP (for example, for 3G mobile networks)
  • SCTP is also defined and used for SIP over SCTP and H.248 over SCTP
  • Transport of Public Switched Telephone Network (PSTN) signaling messages over IP networks.

SCTP is a much newer protocol. It was defined by the IETF Signaling Transport (SIGTRAN) working group in 2000. It was introduced by RFC 3286 and more fully defined by RFC 4960.

The FortiGate firewall can apply security policies to SCTP sessions in the same way as TCP and UDP sessions. You can create security policies that accept or deny SCTP traffic by setting the service to “ALL”. FortiOS does not include pre-defined SCTP services. To configure security policies for traffic with specific SCTP source or destination ports you must create custom firewall services for SCTP.

FortiGate units route SCTP traffic in the same way as TCP and UDP traffic. You can configure policy routes specifically for routing SCTP traffic by setting the protocol number to 132. SCTP policy routes can route SCTP traffic according to the destination port of the traffic if you add a port range to the policy route.

You can configure a FortiGate unit to perform stateful inspection of different types of SCTP traffic by creating custom SCTP services and defining the port numbers or port ranges used by those services. FortiGate units support SCTP over IPv4. The FortiGate unit performs the following checks on SCTP packets:

  • Source and Destination Port and Verification Tag.
  • Chunk Type, Chunk Flags and Chunk Length
  • Verify that association exists
  • Sequence of Chunk Types (INIT, INIT ACK, etc)
  • Timer checking
  • Four way handshake checking
  • Heartbeat mechanism
  • Protection against INIT/ACK flood DoS attacks, and long-INIT flooding
  • Protection against association hijacking

FortiOS also supports SCTP sessions over IPsec VPN tunnels, as well as full traffic and event logging for SCTP sessions.

Specific addresses in TCP/UDP/SCTP

In the TCP/UDP/SCTP services it is also possible to set the parameter for a specific IP or Fully Qualified Domain Name address. The IP/FQDN field refers to the destination address of the traffic, not the source. This means for example, that you can set up a custom service that will describe in a policy the TCP traffic over port 80 going to the web site example.com, but you cannot set up a service that describes the TCP traffic over port 80 that is coming from the computer with the address 192.168.29.59.

Protocol port values

The source and destination ports for TCP/UDP/SCTP services are important to get correct. If they are reversed, the service will not work. The destination port(s) are the ones that refer to the ports that the computer will be listening on. These are the port numbers that most people are familiar with when they associate a port number with a protocol. In most cases the source port will be one that is randomly assigned by the sending computer and is not already in use by another service.

Most people associate HTTP with port 80. This means that a web server will be listening on port 80 for any HTTP requests sent to the computer. The computer that is sending the request can use any port that is not already assigned to another service or communication session. There are 65,535 ports that it can randomly assign, but because the ports from 1 to 1024 are normally used for listening for incoming communications, the source port is usually not in that range. Unless there is a specific instance when you know that a communication will be coming from a predefined source port, it is best practice to set the source port range from 1 to 65,535.
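As an added example (not FortiOS code), the following Python model shows how a service's protocol, destination port, source-port range and optional destination FQDN are matched against a session, why a definition with the ports reversed fails to match normal client traffic, and how a service group matches when any member service does. The Service, Session and ServiceGroup classes, the literal FQDN comparison (a real firewall resolves the FQDN to addresses first) and the sample sessions are assumptions constructed for this example.

```python
"""Model of how a FortiGate-style firewall service matches a session.

Added example, not FortiOS code. The session model (protocol, source and
destination address, source and destination port) and the literal FQDN
comparison are simplifying assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high)


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str                       # "TCP", "UDP" or "SCTP"
    dst_ports: PortRange                # port(s) the server listens on
    src_ports: PortRange = (1, 65535)   # best practice: leave the full range
    dst_addr: Optional[str] = None      # optional IP or FQDN; destination only


@dataclass(frozen=True)
class Session:
    protocol: str
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int


@dataclass(frozen=True)
class ServiceGroup:
    name: str
    members: Tuple[Service, ...]


def in_range(port: int, rng: PortRange) -> bool:
    """Inclusive port-range check; rejects ranges outside 1-65535."""
    low, high = rng
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"bad port range {rng}")
    return low <= port <= high


def matches(service: Service, session: Session) -> bool:
    """True when the session is the kind of traffic the service describes."""
    if service.protocol != session.protocol:
        return False
    # The IP/FQDN field restricts the destination, never the source.
    if service.dst_addr is not None and service.dst_addr != session.dst_addr:
        return False
    return (in_range(session.dst_port, service.dst_ports)
            and in_range(session.src_port, service.src_ports))


def group_matches(group: ServiceGroup, session: Session) -> bool:
    """A service group matches when any member service matches."""
    return any(matches(svc, session) for svc in group.members)


# Services mirroring the text: predefined HTTP on 80 and a custom HTTP8080.
HTTP = Service("HTTP", "TCP", (80, 80))
HTTP8080 = Service("HTTP8080", "TCP", (8080, 8080))
# Destination-only FQDN restriction (constructed name, compared literally here).
HTTP_EXAMPLE = Service("HTTP-example.com", "TCP", (80, 80), dst_addr="example.com")
# The mistake the text warns about: source and destination ports reversed.
HTTP_REVERSED = Service("HTTP-wrong", "TCP", (1, 65535), src_ports=(80, 80))
WEB_GROUP = ServiceGroup("Web-Access", (HTTP, HTTP8080))

# Constructed sample sessions: the browser picks an ephemeral source port.
BROWSER_TO_WEB = Session("TCP", "192.168.29.59", 51234, "example.com", 80)
BROWSER_TO_8080 = Session("TCP", "192.168.29.59", 51235, "example.com", 8080)


def demo() -> dict:
    """Evaluate each service against the sample sessions."""
    return {
        "http_matches_80": matches(HTTP, BROWSER_TO_WEB),
        "http_matches_8080": matches(HTTP, BROWSER_TO_8080),
        "http8080_matches_8080": matches(HTTP8080, BROWSER_TO_8080),
        "fqdn_matches": matches(HTTP_EXAMPLE, BROWSER_TO_WEB),
        "reversed_misses": matches(HTTP_REVERSED, BROWSER_TO_WEB),
        "group_matches_8080": group_matches(WEB_GROUP, BROWSER_TO_8080),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```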

ICMP

The Internet Control Message Protocol (ICMP) is a protocol layered onto the Internet Protocol Suite to provide error reporting, flow control and first-hop gateway redirection. It is normally used by the operating systems of networked computers to send connectivity status query, response and error messages. It is assigned protocol number 1. There is a version of the protocol for both IPv4 and IPv6. It is not designed to be absolutely reliable like TCP.

ICMP is not typically used for transporting data or for end-user network applications with the exception of some diagnostic utilities such as ping and traceroute.

ICMP messages are sent in several situations, for example:

  • when a datagram cannot reach its destination
  • time exceeded messages
  • redirect messages
  • when the gateway does not have the buffering capacity to forward a datagram
  • when the gateway can direct the host to send traffic on a shorter route

Some of the specific ICMP message types are:

  • ICMP_ECHO
  • ICMP_TIMESTAMP
  • ICMP_INFO_REQUEST
  • ICMP_ADDRESS

For ICMP error messages, only those reporting an error for an existing session can pass through the firewall. The security policy will allow traffic to be routed, forwarded or denied. If allowed, the ICMP packets will start a new session. Only ICMP error messages for which a corresponding security policy is available will be sent back to the source. Otherwise, the packet is dropped. That is, only ICMP packets with a corresponding security policy can traverse the FortiGate unit.

ICMP types and codes

ICMP has a number of messages that are identified by the “Type” field. Some of these types have assigned “Code” fields as well. The table below shows the different ICMP Types with their associated codes, if there are any.

 
ICMP types and codes

Type 0   Echo Reply
Type 1   Unassigned
Type 2   Unassigned
Type 3   Destination Unreachable
  • Code 0   Net Unreachable
  • Code 1   Host Unreachable
  • Code 2   Protocol Unreachable
  • Code 3   Port Unreachable
  • Code 4   Fragmentation Needed and Don't Fragment was Set
  • Code 5   Source Route Failed
  • Code 6   Destination Network Unknown
  • Code 7   Destination Host Unknown
  • Code 8   Source Host Isolated
  • Code 9   Communication with Destination Network is Administratively Prohibited
  • Code 10  Communication with Destination Host is Administratively Prohibited
  • Code 11  Destination Network Unreachable for Type of Service
  • Code 12  Destination Host Unreachable for Type of Service
  • Code 13  Communication Administratively Prohibited
  • Code 14  Host Precedence Violation
  • Code 15  Precedence cutoff in effect
Type 4   Source Quench
Type 5   Redirect
  • Code 0   Redirect Datagram for the Network (or subnet)
  • Code 1   Redirect Datagram for the Host
  • Code 2   Redirect Datagram for the Type of Service and Network
  • Code 3   Redirect Datagram for the Type of Service and Host
Type 6   Alternate Host Address
Type 7   Unassigned
Type 8   Echo
Type 9   Router Advertisement
Type 10  Router Selection
Type 11  Time Exceeded
  • Code 0   Time to Live exceeded in Transit
  • Code 1   Fragment Reassembly Time Exceeded
Type 12  Parameter Problem
  • Code 0   Pointer indicates the error
  • Code 1   Missing a Required Option
  • Code 2   Bad Length
Type 13  Timestamp
Type 14  Timestamp Reply
Type 15  Information Request
Type 16  Information Reply
Type 17  Address Mask Request
Type 18  Address Mask Reply
Type 19  Reserved (for Security)
Type 20-29  Reserved (for Robustness Experiment)
Type 30  Traceroute
Type 31  Datagram Conversion Error
Type 32  Mobile Host Redirect
Type 33  IPv6 Where-Are-You
Type 34  IPv6 I-Am-Here
Type 35  Mobile Registration
Type 36  Mobile Registration Reply
Type 37  Domain Name Request
Type 38  Domain Name Reply
Type 39  SKIP
Type 40  Photuris
Type 41-255  Reserved

log-invalid-packet
log-invalid-packet

The log-invalid-packet CLI setting is one that is intended to log invalid ICMP packets. The exact definition being:

If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B)|TCP(C,D) header, then if FortiOS can locate the A:C -> B:D session it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range, the ICMP packet is dropped.

When this field is enabled, the FortiGate also logs messages that are not ICMP error packets.
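The check described above, as an added Python example that is not FortiOS code: it parses an ICMPv4 error carrying the embedded IP(A,B)|TCP(C,D) header, looks up the A:C -> B:D session in a table, and verifies that the quoted sequence number lies in the range recorded for that session, allowing for 32-bit sequence wraparound. The session-table layout, the verdict strings and the sample packets are constructed assumptions.

```python
"""Validate an ICMPv4 error against a session table (defender-side model).

Added example, not FortiOS code. Models the log-invalid-packet check: read
the IP(A,B)|TCP(C,D) header embedded in an ICMP error, find the
A:C -> B:D session, and confirm the quoted TCP sequence number is inside
the range recorded for that session. Table layout and verdicts are assumed.
"""
import struct
from ipaddress import IPv4Address
from typing import Dict, Tuple

SessionKey = Tuple[str, int, str, int]   # (A, C, B, D)
SeqRange = Tuple[int, int]               # (low, high) inclusive, may wrap mod 2**32
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}     # RFC 792 error message types


def parse_icmp_error(pkt: bytes) -> Tuple[int, int, SessionKey, int]:
    """Return (type, code, session_key, seq) from an ICMPv4 error packet."""
    if len(pkt) < 8 + 20 + 8:
        raise ValueError("too short: need ICMP header, IPv4 header and 8 bytes of TCP")
    icmp_type, code = pkt[0], pkt[1]
    if icmp_type not in ICMP_ERROR_TYPES:
        raise ValueError(f"type {icmp_type} is not an ICMP error")
    inner = pkt[8:]                      # embedded original datagram
    if inner[0] >> 4 != 4:
        raise ValueError("embedded datagram is not IPv4")
    ihl = (inner[0] & 0x0F) * 4          # header length honours IP options
    if inner[9] != 6:
        raise ValueError("embedded datagram is not TCP")
    if len(inner) < ihl + 8:
        raise ValueError("embedded TCP header truncated")
    a = str(IPv4Address(inner[12:16]))   # original source (A)
    b = str(IPv4Address(inner[16:20]))   # original destination (B)
    c, d, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])   # ports C, D and seq
    return icmp_type, code, (a, c, b, d), seq


def seq_in_range(seq: int, rng: SeqRange) -> bool:
    """Inclusive check on a 32-bit sequence space that may wrap around."""
    low, high = rng
    return (seq - low) % 2**32 <= (high - low) % 2**32


def check_icmp_error(sessions: Dict[SessionKey, SeqRange], pkt: bytes) -> str:
    """Verdict for one ICMP error: accept, or drop with the reason."""
    try:
        _, _, key, seq = parse_icmp_error(pkt)
    except ValueError as exc:
        return f"drop: malformed ({exc})"
    if key not in sessions:
        return "drop: no matching session"
    if not seq_in_range(seq, sessions[key]):
        return "drop: sequence number out of range"
    return "accept"


def build_icmp_error(icmp_type: int, code: int, a: str, c: int,
                     b: str, d: int, seq: int) -> bytes:
    """Constructed test packet: ICMP header + minimal IPv4 header + 8 TCP bytes."""
    icmp_hdr = struct.pack("!BBHI", icmp_type, code, 0, 0)     # checksum left zero
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         IPv4Address(a).packed, IPv4Address(b).packed)
    tcp8 = struct.pack("!HHI", c, d, seq)
    return icmp_hdr + ip_hdr + tcp8


# Constructed session table: one established TCP session with its seq window.
SESSIONS: Dict[SessionKey, SeqRange] = {
    ("192.168.29.59", 51234, "203.0.113.10", 80): (1000, 2000),
}


def demo_verdicts() -> Dict[str, str]:
    """Run the check over constructed ICMP packets."""
    a, c, b, d = "192.168.29.59", 51234, "203.0.113.10", 80
    return {
        "port_unreachable_in_range": check_icmp_error(SESSIONS, build_icmp_error(3, 3, a, c, b, d, 1500)),
        "seq_out_of_range": check_icmp_error(SESSIONS, build_icmp_error(3, 3, a, c, b, d, 9000)),
        "unknown_session": check_icmp_error(SESSIONS, build_icmp_error(11, 0, a, c, b, 443, 1500)),
        "echo_request": check_icmp_error(SESSIONS, build_icmp_error(8, 0, a, c, b, d, 1500)),
    }


if __name__ == "__main__":
    for name, verdict in demo_verdicts().items():
        print(f"{name}: {verdict}")
```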

Types of logs covered by log-invalid-packet
  • Invalid ICMP
  • If ICMP error message verification (see "check-reset-range") is enabled
  • Invalid DNS packets
  • DNS packets that contain requests for non-existing domains
  • iprope check failed
  • reverse path check fail
  • denied and broadcast traffic
  • no session matched

Some other examples of messages that are not errors that will be logged, based on RFC 792:

Type 3 messages correspond to "Destination Unreachable Message"

  • Type 3, Code 1 = host unreachable
  • Type 3, Code 3 = port unreachable

Type 11 messages correspond to "Time Exceeded Message"

  • Type 11, Code 0 = time to live exceeded in transit

ICMPv6

Internet Control Message Protocol version 6 (ICMPv6) is the new implementation of the Internet Control Message Protocol (ICMP) that is part of Internet Protocol version 6 (IPv6). The ICMPv6 protocol is defined in RFC 4443.

ICMPv6 is a multipurpose protocol. It performs such things as:

  • error reporting in packet processing
  • diagnostic functions
  • Neighbor Discovery process
  • IPv6 multicast membership reporting

It is also designed as a framework that can be extended for future implementations and changes.

Examples of extensions that have already been written for ICMPv6:

  • Neighbor Discovery Protocol (NDP) - a node discovery protocol in IPv6 which replaces and enhances functions of ARP.
  • Secure Neighbor Discovery Protocol (SEND) - an extension of NDP with extra security.
  • Multicast Router Discovery (MRD) - allows discovery of multicast routers.

ICMPv6 messages use IPv6 packets for transportation and can include IPv6 extension headers. ICMPv6 includes some of the functionality that in IPv4 was distributed among protocols such as ICMPv4, ARP (Address Resolution Protocol), and IGMP (Internet Group Management Protocol version 3).

ICMPv6 has simplified the communication process by eliminating obsolete messages.

ICMPv6 messages are subdivided into two classes: error messages and information messages.

Error Messages are divided into four categories:

  1. Destination Unreachable
  2. Time Exceeded
  3. Packet Too Big
  4. Parameter Problems

Information messages are divided into three groups:

  1. Diagnostic messages
  2. Neighbor Discovery messages
  3. Messages for the management of multicast groups.

ICMPv6 types and codes

ICMPv6 has a number of messages that are identified by the “Type” field. Some of these types have assigned “Code” fields as well. The table below shows the different ICMPv6 Types with their associated codes, if there are any.

Types 0 to 127 are error messages and types 128 to 255 are information messages.

ICMPv6 Types and Codes

Type 0   Reserved
Type 1   Destination Unreachable
  • Code 0   no route to destination
  • Code 1   communication with destination administratively prohibited
  • Code 2   beyond scope of source address
  • Code 3   address unreachable
  • Code 4   port unreachable
  • Code 5   source address failed ingress/egress policy
  • Code 6   reject route to destination
  • Code 7   Error in Source Routing Header
Type 2   Packet Too Big
Type 3   Time Exceeded
  • Code 0   hop limit exceeded in transit
  • Code 1   fragment reassembly time exceeded
Type 4   Parameter Problem
  • Code 0   erroneous header field encountered
  • Code 1   unrecognized Next Header type encountered
  • Code 2   unrecognized IPv6 option encountered
Type 100  Private Experimentation
Type 101  Private Experimentation
Type 102-126  Unassigned
Type 127  Reserved for expansion of ICMPv6 error messages
Type 128  Echo Request
Type 129  Echo Reply
Type 130  Multicast Listener Query
Type 131  Multicast Listener Report
Type 132  Multicast Listener Done
Type 133  Router Solicitation
Type 134  Router Advertisement
Type 135  Neighbor Solicitation
Type 136  Neighbor Advertisement
Type 137  Redirect Message
Type 138  Router Renumbering
  • Code 0    Router Renumbering Command
  • Code 1    Router Renumbering Result
  • Code 255  Sequence Number Reset
Type 139  ICMP Node Information Query
  • Code 0   The Data field contains an IPv6 address which is the Subject of this Query.
  • Code 1   The Data field contains a name which is the Subject of this Query, or is empty, as in the case of a NOOP.
  • Code 2   The Data field contains an IPv4 address which is the Subject of this Query.
Type 140  ICMP Node Information Response
  • Code 0   A successful reply. The Reply Data field may or may not be empty.
  • Code 1   The Responder refuses to supply the answer. The Reply Data field will be empty.
  • Code 2   The Qtype of the Query is unknown to the Responder. The Reply Data field will be empty.
Type 141  Inverse Neighbor Discovery Solicitation Message
Type 142  Inverse Neighbor Discovery Advertisement Message
Type 143  Version 2 Multicast Listener Report
Type 144  Home Agent Address Discovery Request Message
Type 145  Home Agent Address Discovery Reply Message
Type 146  Mobile Prefix Solicitation
Type 147  Mobile Prefix Advertisement
Type 148  Certification Path Solicitation Message
Type 149  Certification Path Advertisement Message
Type 150  ICMP messages utilized by experimental mobility protocols such as Seamoby
Type 151  Multicast Router Advertisement
Type 152  Multicast Router Solicitation
Type 153  Multicast Router Termination
Type 154  FMIPv6 Messages
Type 155  RPL Control Message
Type 156  ILNPv6 Locator Update Message
Type 157  Duplicate Address Request
Type 158  Duplicate Address Confirmation
Type 159-199  Unassigned
Type 200  Private experimentation
Type 201  Private experimentation
Type 255  Reserved for expansion of ICMPv6 informational messages

IP

Internet Protocol (IP) is the primary part of the Network Layer of the OSI Model that is responsible for routing traffic across network boundaries. It is the protocol that is responsible for addressing. IPv4 is probably the version that most people are familiar with, and it has been around since 1974. IPv6 is its current successor and, due to the shortage of available IPv4 addresses compared to the explosive increase in the number of devices that use IP addresses, IPv6 is rapidly increasing in use.

When IP is chosen as the protocol type the available option to further specify the protocol is the protocol number. This is used to narrow down which protocol within the Internet Protocol Suite and provide a more granular control.

Protocol number

IP is responsible for more than the address that it is most commonly associated with and there are a number of associated protocols that make up the Network Layer. While there are not 256 of them, the field that identifies them is a numeric value between 0 and 256.

In the Internet Protocol version 4 (IPv4) [RFC791] there is a field called “Protocol” to identify the next level protocol. This is an 8 bit field. In Internet Protocol version 6 (IPv6) [RFC2460], this field is called the “Next Header” field.

Protocol Numbers
# Protocol Protocol's Full Name
0 HOPOPT IPv6 Hop-by-Hop Option
1 ICMP Internet Control Message Protocol
2 IGMP Internet Group Management
3 GGP Gateway-to-Gateway
4 IPv4 IPv4 encapsulation Protocol
5 ST Stream
6 TCP Transmission Control Protocol
7 CBT CBT
8 EGP Exterior Gateway Protocol
9 IGP Any private interior gateway (used by Cisco for their IGRP)
10 BBN-RCC-MON BBN RCC Monitoring
11 NVP-II Network Voice Protocol
12 PUP PUP
13 ARGUS ARGUS
14 EMCON EMCON
15 XNET Cross Net Debugger
16 CHAOS Chaos
17 UDP User Datagram Protocol
18 MUX Multiplexing
19 DCN-MEAS DCN Measurement Subsystems
20 HMP Host Monitoring
21 PRM Packet Radio Measurement
22 XNS-IDP XEROX NS IDP
23 TRUNK-1 Trunk-1
24 TRUNK-2 Trunk-2
25 LEAF-1 Leaf-1
26 LEAF-2 Leaf-2
27 RDP Reliable Data Protocol
28 IRTP Internet Reliable Transaction
29 ISO-TP4 ISO Transport Protocol Class 4
30 NETBLT Bulk Data Transfer Protocol
31 MFE-NSP MFE Network Services Protocol
32 MERIT-INP MERIT Internodal Protocol
33 DCCP Datagram Congestion Control Protocol
34 3PC Third Party Connect Protocol
35 IDPR Inter-Domain Policy Routing Protocol
36 XTP XTP
37 DDP Datagram Delivery Protocol
38 IDPR-CMTP IDPR Control Message Transport Proto
39 TP++ TP++ Transport Protocol
40 IL IL Transport Protocol
41 IPv6 IPv6 encapsulation
42 SDRP Source Demand Routing Protocol
43 IPv6-Route Routing Header for IPv6
44 IPv6-Frag Fragment Header for IPv6
45 IDRP Inter-Domain Routing Protocol
46 RSVP Reservation Protocol
47 GRE General Routing Encapsulation
48 DSR Dynamic Source Routing Protocol
49 BNA BNA
50 ESP Encap Security Payload
51 AH Authentication Header
52 I-NLSP Integrated Net Layer Security TUBA
53 SWIPE IP with Encryption
54 NARP NBMA Address Resolution Protocol
55 MOBILE IP Mobility
56 TLSP Transport Layer Security Protocol using Kryptonet key management
57 SKIP SKIP
58 IPv6-ICMP ICMP for IPv6
59 IPv6-NoNxt No Next Header for IPv6
60 IPv6-Opts Destination Options for IPv6
61   any host internal protocol
62 CFTP CFTP
63   any local network
64 SAT-EXPAK SATNET and Backroom EXPAK
65 KRYPTOLAN Kryptolan
66 RVD MIT Remote Virtual Disk Protocol
67 IPPC Internet Pluribus Packet Core
68   any distributed file system
69 SAT-MON SATNET Monitoring
70 VISA VISA Protocol
71 IPCV Internet Packet Core Utility
72 CPNX Computer Protocol Network Executive
73 CPHB Computer Protocol Heart Beat
74 WSN Wang Span Network
75 PVP Packet Video Protocol
76 BR-SAT-MON Backroom SATNET Monitoring
77 SUN-ND SUN ND PROTOCOL-Temporary
78 WB-MON WIDEBAND Monitoring
79 WB-EXPAK WIDEBAND EXPAK
80 ISO-IP ISO Internet Protocol
81 VMTP VMTP
82 SECURE-VMTP SECURE-VMTP
83 VINES VINES
84 TTP TTP
84 IPTM Internet Protocol Traffic Manager
85 NSFNET-IGP NSFNET-IGP
86 DGP Dissimilar Gateway Protocol
87 TCF TCF
88 EIGRP EIGRP
89 OSPFIGP OSPFIGP
90 Sprite-RPC Sprite RPC Protocol
91 LARP Locus Address Resolution Protocol
92 MTP Multicast Transport Protocol
93 AX.25 AX.25 Frames
94 IPIP IP-within-IP Encapsulation Protocol
95 MICP Mobile Internetworking Control Pro.
96 SCC-SP Semaphore Communications Sec. Pro.
97 ETHERIP Ethernet-within-IP Encapsulation
98 ENCAP Encapsulation Header
99   any private encryption scheme
100 GMTP GMTP
101 IFMP Ipsilon Flow Management Protocol
102 PNNI PNNI over IP
103 PIM Protocol Independent Multicast
104 ARIS ARIS
105 SCPS SCPS
106 QNX QNX
107 A/N Active Networks
108 IPComp IP Payload Compression Protocol
109 SNP Sitara Networks Protocol
110 Compaq-Peer Compaq Peer Protocol
111 IPX-in-IP IPX in IP
112 VRRP Virtual Router Redundancy Protocol
113 PGM PGM Reliable Transport Protocol
114   any 0-hop protocol
115 L2TP Layer Two Tunneling Protocol
116 DDX D-II Data Exchange (DDX)
117 IATP Interactive Agent Transfer Protocol
118 STP Schedule Transfer Protocol
119 SRP SpectraLink Radio Protocol
120 UTI UTI
121 SMP Simple Message Protocol
122 SM SM
123 PTP Performance Transparency Protocol
124 ISIS over IPv4  
125 FIRE  
126 CRTP Combat Radio Transport Protocol
127 CRUDP Combat Radio User Datagram
128 SSCOPMCE  
129 IPLT  
130 SPS Secure Packet Shield
131 PIPE Private IP Encapsulation within IP
132 SCTP Stream Control Transmission Protocol
133 FC Fibre Channel
134 RSVP-E2E-IGNORE  
135 Mobility Header  
136 UDPLite  
137 MPLS-in-IP  
138 manet  
139 HIP  
140 Shim6  
141 WESP  
142 ROHC
143 - 252   Unassigned
253   Use for experimentation and testing
254   Use for experimentation and testing
255 Reserved  

Further information can be found by researching RFC 5237.

Service groups

Just like some of the other firewall components, services can also be bundled into groups for ease of administration.

Creating a service group

  1. Go to Policy & Objects > Objects > Services.
  2. Select the down arrow next to Create New, select Service Group.
  3. Input a Group Name for the list of services.
  4. Input any additional information in the Comments field.
  5. Choose a Type; either Firewall or Explicit Proxy.
  6. Next to Members there is a dropdown menu that can be used to select from the available Services. It is possible to select more than 1 entry. Just select the green plus sign next to the field to add an additional entry. Select the “X” icon in the field to remove an entry.
  7. Press OK.

Example scenario: Supporting audio/visual conferencing

Teleconferencing or Audio/Visual Conferencing, and the transmission of data for that purpose, is covered by a number of standards:

  • The IETF standard known as the Binary Floor Control Protocol (BFCP)
  • RFC 4582, for SIP-based video devices
  • The ITU standard H.239 (for H.323-based video devices)

While these standards have been set up by various authoritative bodies and can take place on different layers of the OSI model, they share common requirements that are addressed by the FortiGate firewall’s ability to manage the traffic and the protocols involved. This means that the same ability that makes the device RFC 4582 compliant makes it compliant with H.239 as well.

To demonstrate how services and service groups are used, we show the setup of a firewall that needs to support the connectivity of a video conferencing unit. The FortiGate does not manipulate or change the content of the traffic, but it does allow the traffic to pass through the device. In this case it allows only the needed traffic to pass through the device, so as to allow the functionality of the Audio Visual Conference call but not to allow other traffic through.

The theoretical location for this scenario is a hospital that hosts conferences and lectures from doctors from all over the world, sometimes from multiple locations, using video conferencing technology such as a Polycom Video Conference system. There is a special room set up with dedicated Ethernet connectivity to the Internet. A hospital has a lot of sensitive information going over its network so the setup has to be secure to prevent any chance of penetration.

The approach is fairly simple. The conference room has a dedicated port on the FortiGate (port #7) and its own LAN. We will assume that the interface has already been configured properly. Video conference traffic can come from the Internet to the Polycom in that room and traffic can get out to the Internet, but traffic going to other areas of the hospital network has to go through the FortiGate, and traffic going from the Video Conference LAN is thoroughly filtered.

To give an idea of how extensive this can be, we will use an extreme case and include just about all of the services that could be commonly used in one of these setups. The protocols listed here may differ from other setups. It will depend on which features are being used and which equipment is within the network. Always check the documentation that comes with the set up before opening ports into your network.

VIP

In this particular case there is an IP address set aside for the conferencing system, so a separate VIP is not needed for every port. One Virtual IP will be created for the system and then only the approved protocols will be allowed through the firewall.

Name Vid-Conf_Room216
External Interface wan1
External IP Address/Range 256.87.212.51 – 256.87.212.51
Mapped IP Address/Range 192.168.7.25 – 192.168.7.25
Port Forwarding not selected

Creating an address for the subnet

In the same way that the VIP was created to identify and direct incoming traffic, an address should be created to identify the addresses of the computers that will be in the conference room. This includes computers on the LAN as well as the teleconferencing equipment.

  1. Go to Policy & Objects > Objects > Addresses.
  2. Select Create New.
  3. Fill out the fields with the following information:
Category Address
Name Port7_subnet
Type Subnet
Subnet/IP Range 192.168.7.0/255.255.255.0
Interface port7
Show in address list checked

Configuring the services

Services already created:

The following are standard services that have already been created by default:

HTTP TCP 80
SNMP TCP 161-162/UDP 161-162
LDAP TCP 389
HTTPS TCP 443
SYSLOG UDP 514

Existing services to be edited:

There are a few services that have already been created for you, but they need to be expanded to accommodate the list of protocols listed for this scenario.

The default h323 contains:
  • TCP 1503
  • UDP 1719
  • TCP 1720
We need to add:
  • TCP 1719
The default SIP contains:
  • UDP 5060
We need to add:
  • TCP 5060

H323 service

  1. Go to Policy & Objects > Objects > Services.
  2. Scroll down to the section: VoIP, Messaging & Other Applications.
  3. Select H323.
  4. Select Edit.
  5. In the Protocol section add the additional protocol:
Protocol Type TCP
Destination port /Low 1719
  6. Select OK to save.

SIP service

  1. Go to Policy & Objects > Objects > Services.
  2. Scroll down to the section: VoIP, Messaging & Other Applications.
  3. Select SIP.
  4. Select Edit.
  5. In the Protocol section add the additional protocol:
Protocol Type TCP
Destination port /Low 5060
  6. Select OK to save.

Custom services that need to be created

There are a number of possible services that may need to be added from scratch rather than editing existing ones. While it is possible to create a single custom service that contains all of the open ports needed, it makes more sense to keep this modular in case only a small subset of the services needs to be added to another policy.

Polycom API
  1. Go to Policy & Objects > Objects > Services.
  2. Select Create New.
  3. Fill in the fields of the new service with the following information:
Name Polycom API
Service Type Firewall
Category VoIP, Messaging & Other
Protocol Type TCP/UDP/SCTP
Protocol TCP
Destination Port - Low: 24
Destination Port - High: <leave blank>
  4. Select OK.

Polycom endpoints

  1. Go to Policy & Objects > Objects > Services.
  2. Select Create New.
  3. Fill in the fields of the new service with the following information:
Name Polycom Endpoints
Service Type Firewall
Category VoIP, Messaging & Other
Protocol Type TCP/UDP/SCTP
Protocol TCP
Destination - Low: 3230
Destination - High: 3253
  4. Select OK.

Other Services to add in the same way:

Name of Service Category Protocol & Port #
LDAP secure communications Authentication TCP 636
Win 2000 ILS Registration Network Services TCP 1002
Gatekeeper discovery VoIP, Messaging & Other Applications TCP 1718
Audio Call Control VoIP, Messaging & Other Applications TCP 1731
Polycom proprietary Global directory data VoIP, Messaging & Other Applications TCP 3601
Polycom People+Content VoIP, Messaging & Other Applications TCP 5001
HTTP Server Push Web Access  

Creating the service group

  1. Go to Firewall Objects > Service > Groups.
  2. Select Create New.
  3. Build the Service group by filling in the fields with the following information:
Group Name A-V_Conference
Type Firewall
Members
(click in the drop down menu to add the following services)
•  HTTP
•  SNMP
•  LDAP
•  HTTPS
•  SYSLOG
•  Polycom API
•  Polycom Endpoints
•  LDAP secure communications
•  Win 2000 ILS Registration
•  Gatekeeper discovery
•  Audio Call Control
•  Polycom proprietary Global directory data
•  Polycom People+Content
•  HTTP Server Push
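Before building these objects on a production unit it is worth checking them offline. The following Python script is an added example, not FortiGate code and not part of this help page: it holds the page's services, group members, VIP and subnet as data, rejects malformed addresses and port ranges, reports group members that have no port definition and defined services the group does not list, answers the question the incoming policy will later ask (does the group cover this protocol and port?), and renders a service as the equivalent "config firewall service custom" CLI entry. The CLI keywords are the FortiOS syntax as the editor knows it, not taken from this page; confirm them against the CLI reference for your firmware before pasting the output.

```python
# Sanity checks for the conference-room firewall objects.
# Added example, not FortiGate code: object names, addresses and port numbers
# are the ones given on the help page; the checks and the CLI rendering are
# this script's own. Confirm CLI keywords against your firmware's CLI reference.
import ipaddress
from typing import Dict, List, Tuple

PortRange = Tuple[str, int, int]  # (protocol, low port, high port)

# Default services, the two edited services (H323, SIP) and the custom ones.
# "HTTP Server Push" is a group member on the page but no port is given for
# it, so it is left out here and is reported by check_group().
SERVICES: Dict[str, List[PortRange]] = {
    "HTTP": [("tcp", 80, 80)],
    "SNMP": [("tcp", 161, 162), ("udp", 161, 162)],
    "LDAP": [("tcp", 389, 389)],
    "HTTPS": [("tcp", 443, 443)],
    "SYSLOG": [("udp", 514, 514)],
    "H323": [("tcp", 1503, 1503), ("udp", 1719, 1719),
             ("tcp", 1720, 1720), ("tcp", 1719, 1719)],
    "SIP": [("udp", 5060, 5060), ("tcp", 5060, 5060)],
    "Polycom API": [("tcp", 24, 24)],
    "Polycom Endpoints": [("tcp", 3230, 3253)],
    "LDAP secure communications": [("tcp", 636, 636)],
    "Win 2000 ILS Registration": [("tcp", 1002, 1002)],
    "Gatekeeper discovery": [("tcp", 1718, 1718)],
    "Audio Call Control": [("tcp", 1731, 1731)],
    "Polycom proprietary Global directory data": [("tcp", 3601, 3601)],
    "Polycom People+Content": [("tcp", 5001, 5001)],
}

# Members of the A-V_Conference group exactly as listed on the page.
GROUP_MEMBERS = [
    "HTTP", "SNMP", "LDAP", "HTTPS", "SYSLOG", "Polycom API",
    "Polycom Endpoints", "LDAP secure communications",
    "Win 2000 ILS Registration", "Gatekeeper discovery", "Audio Call Control",
    "Polycom proprietary Global directory data", "Polycom People+Content",
    "HTTP Server Push",
]

VIP = {"name": "Vid-Conf_Room216", "extintf": "wan1",
       "extip": "256.87.212.51", "mappedip": "192.168.7.25"}
SUBNET = {"name": "Port7_subnet", "subnet": "192.168.7.0/24", "interface": "port7"}


def check_ports(services: Dict[str, List[PortRange]]) -> List[str]:
    """Report unknown protocols and ranges outside 1-65535 or with low > high."""
    problems = []
    for name, ranges in services.items():
        for proto, low, high in ranges:
            if proto not in ("tcp", "udp", "sctp"):
                problems.append(f"{name}: unknown protocol {proto}")
            if not 1 <= low <= high <= 65535:
                problems.append(f"{name}: bad range {proto} {low}-{high}")
    return problems

def check_group(members: List[str], services: Dict[str, List[PortRange]]):
    """Return (members with no definition, defined services the group omits)."""
    undefined = [m for m in members if m not in services]
    omitted = [s for s in services if s not in members]
    return undefined, omitted

def check_addresses(vip: dict, subnet: dict) -> List[str]:
    """Reject anything that is not a valid IPv4 host address or network."""
    problems = []
    for key in ("extip", "mappedip"):
        try:
            ipaddress.IPv4Address(vip[key])
        except ValueError:
            problems.append(f"{vip['name']}: {key} {vip[key]!r} is not a valid IPv4 address")
    try:
        ipaddress.IPv4Network(subnet["subnet"], strict=True)
    except ValueError:
        problems.append(f"{subnet['name']}: {subnet['subnet']!r} is not a valid network")
    return problems

def group_allows(members, services, proto: str, port: int) -> bool:
    """The service match the incoming policy performs: does any member cover the port?"""
    return any(p == proto and low <= port <= high
               for m in members for p, low, high in services.get(m, []))

def render_service_cli(name: str, ranges: List[PortRange]) -> str:
    """Render one service as a FortiOS 'config firewall service custom' entry."""
    lines = [f'    edit "{name}"']
    for proto in ("tcp", "udp", "sctp"):
        spans = [str(lo) if lo == hi else f"{lo}-{hi}"
                 for p, lo, hi in ranges if p == proto]
        if spans:
            lines.append(f"        set {proto}-portrange {' '.join(spans)}")
    lines.append("    next")
    return "\n".join(lines)

if __name__ == "__main__":
    for problem in check_ports(SERVICES) + check_addresses(VIP, SUBNET):
        print("PROBLEM:", problem)
    print("undefined members / omitted services:", check_group(GROUP_MEMBERS, SERVICES))
    print("config firewall service custom\n" + render_service_cli("SNMP", SERVICES["SNMP"]) + "\nend")
```

Run as written, the script flags the page's external VIP address (an octet of 256 cannot be entered on a real unit), lists "HTTP Server Push" as a member with no port, and lists H323 and SIP as services that were edited but are not group members; whether those belong in the group is a decision for whoever owns the policy, but the check makes the gap visible before the policy is saved.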

Creating the IPS security profile

This is by no means the only way to set up this IPS filter, but it is the way that the fictional System Administrator wants it set up. Yours may be different.

  1. Go to Security Profiles > Intrusion Protection > IPS Sensors.
  2. Create a new sensor.
Name A-V_Conference-incoming
  3. Select OK.
  4. In the newly created sensor, create a new IPS filter.
Sensor Type Filter Based
Filter Options Advanced
Severity •  Critical
•  High
•  Medium
•  Low
Target Server
OS Windows
Application •  IIS
•  other
Protocol
Use the [Show more...] option
•  HTTP
•  LDAP
•  SIP
•  SSL
•  H323
Packet logging enabled

Based on these filters there should be somewhere in the neighborhood of 750 signatures that the FortiGate will run traffic against in the IPS engine.

Policies

Incoming policy

A policy has to be made to allow the traffic to come in from the Internet to connect to the Tele-conferencing server equipment.

  1. Go to Policy & Objects > Policy > IPv4.
  2. Select Create New.
  3. Fill out the fields with the following information:
Policy Type Firewall
Policy Subtype Address
Incoming Interface wan1
Source Address all
Outgoing Interface port7
Destination Address Vid-Conf_Room216
Schedule always
Service A-V_Conference
Action ACCEPT
Enable NAT <not enabled>
Logging Options Logging is a good idea but how much will depend on storage capabilities.
Security Profiles Turn on IPS and choose “A-V_Conference-incoming”
Traffic Shaping, Web cache, WAN Optimization, Disclaimer: The use of these features will depend on your network environment and should be decided by the network architect, as the decision will largely be based on network bandwidth, usage and importance of Video conferencing compared to other traffic.
  4. Select OK.

The policy will then need to be put in the correct position in the sequence of the policies. Because it is a rather focused policy it should be acceptable to place it near the top of the policy order sequence.

Outgoing policy

A policy has to be made to allow traffic to leave the subnet in the conference room for the Internet, not only the traffic of the Tele-conferencing equipment but also the normal Internet traffic of users, such as web research and email. The traffic is outgoing, so there is less need for an Intrusion Protection System filter, but check with the network architect in case one of the other security profiles is needed.

  1. Go to Policy & Objects > Policy > IPv4.
  2. Select Create New.
  3. Fill out the fields with the following information:
Policy Type Firewall
Policy Subtype Address
Incoming Interface port7
Source Address Port7_subnet
Outgoing Interface wan1
Destination Address all
Schedule always
Service any
Action ACCEPT
Enable NAT enabled Use Destination Interface Address
Logging Options Logging is a good idea but how much will depend on storage capabilities.
Security Profiles <see above>
Traffic Shaping, Web cache, WAN Optimization, Disclaimer: The use of these features will depend on your network environment and should be decided by the network architect, as the decision will largely be based on network bandwidth, usage and importance of Video conferencing compared to other traffic.
  4. Select OK.

The policy will then need to be put in the correct position in the sequence of the policies.
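The position of these two policies matters because the FortiGate walks the policy list from the top and stops at the first match, and anything that matches nothing is dropped by the implicit deny at the bottom. The following Python model is an added example, not FortiGate code and not part of this help page: it reproduces that walk for the incoming and outgoing policies above, including the VIP's destination translation before the lookup, so you can see which sessions reach the conference room and which are dropped. The interfaces, address objects and policy fields are the ones on the page; the packets and the short service table are constructed for the demo, and 203.0.113.51 (a TEST-NET-3 documentation address) stands in for the page's external VIP address, which is not a valid IPv4 address.

```python
# First-match walk of the two conference-room policies.
# Added example, not FortiGate code. Interfaces, address objects and the
# policy fields are the ones on the help page; the packets and the service
# table are constructed, and 203.0.113.51 is a stand-in for the external VIP.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

PortRange = Tuple[str, int, int]  # (protocol, low port, high port)

# Constructed subset of the A-V_Conference service group (the page lists more).
AV_CONFERENCE: List[PortRange] = [("tcp", 80, 80), ("tcp", 443, 443),
                                  ("udp", 161, 162), ("tcp", 24, 24),
                                  ("tcp", 3230, 3253)]
VIP_EXT = IPv4Address("203.0.113.51")         # stand-in for the Vid-Conf_Room216 external IP
VIP_MAPPED = IPv4Address("192.168.7.25")      # mapped address, as on the page
PORT7_SUBNET = IPv4Network("192.168.7.0/24")  # the Port7_subnet address object
INTERNET_PEER = IPv4Address("198.51.100.7")   # constructed remote party
LAN_HOST = IPv4Address("192.168.7.30")        # constructed LAN host that has no VIP
LAN_USER = IPv4Address("192.168.7.40")        # constructed user PC in the room


@dataclass
class Packet:
    src_intf: str
    src_ip: IPv4Address
    dst_ip: IPv4Address
    proto: str
    dport: int


@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: Optional[IPv4Network]      # None means the "all" address
    dstaddr: Optional[IPv4Network]      # None means the "all" address
    service: Optional[List[PortRange]]  # None means the "any" service
    action: str = "accept"
    nat: bool = False
    ips_sensor: Optional[str] = None


# The two policies from the page, in the order they sit in the policy list.
POLICIES = [
    Policy("Incoming", "wan1", "port7", None, IPv4Network("192.168.7.25/32"),
           AV_CONFERENCE, nat=False, ips_sensor="A-V_Conference-incoming"),
    Policy("Outgoing", "port7", "wan1", PORT7_SUBNET, None, None, nat=True),
]


def egress_interface(dst: IPv4Address) -> str:
    """Tiny routing table: the conference LAN sits behind port7, everything else behind wan1."""
    return "port7" if dst in PORT7_SUBNET else "wan1"


def service_matches(service: Optional[List[PortRange]], proto: str, port: int) -> bool:
    return service is None or any(p == proto and lo <= port <= hi for p, lo, hi in service)


def evaluate(pkt: Packet, policies: List[Policy] = POLICIES) -> Tuple[str, Optional[str], IPv4Address]:
    """Return (action, matching policy name or None, destination after VIP translation).

    The VIP's destination NAT is applied before the policy lookup, so the
    incoming policy matches on the mapped address. The list is walked top to
    bottom and the first match wins; no match means the implicit deny."""
    dst = VIP_MAPPED if pkt.src_intf == "wan1" and pkt.dst_ip == VIP_EXT else pkt.dst_ip
    dstintf = egress_interface(dst)
    for pol in policies:
        if (pol.srcintf, pol.dstintf) != (pkt.src_intf, dstintf):
            continue
        if pol.srcaddr is not None and pkt.src_ip not in pol.srcaddr:
            continue
        if pol.dstaddr is not None and dst not in pol.dstaddr:
            continue
        if not service_matches(pol.service, pkt.proto, pkt.dport):
            continue
        return pol.action, pol.name, dst
    return "deny", None, dst


if __name__ == "__main__":
    samples = [
        Packet("wan1", INTERNET_PEER, VIP_EXT, "tcp", 3240),   # endpoint port, via the VIP
        Packet("wan1", INTERNET_PEER, VIP_EXT, "tcp", 5060),   # port not in the group
        Packet("wan1", INTERNET_PEER, LAN_HOST, "tcp", 80),    # LAN host without a VIP
        Packet("port7", LAN_USER, INTERNET_PEER, "tcp", 443),  # user browsing out
    ]
    for pkt in samples:
        print(pkt.src_intf, pkt.dst_ip, pkt.proto, pkt.dport, "->", evaluate(pkt))
```

The third sample is the one worth noting: a connection from the Internet straight to a LAN address that is not the VIP is dropped even though it arrives on wan1 and is bound for port7, because the incoming policy's destination is the VIP object, not the whole subnet. That is the property that lets the rest of the hospital network stay behind the firewall while the Polycom is reachable.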