Create custom Service elements

Create a custom Service element if you need to match a protocol or port number that is not represented by the default Service elements. You can also use a custom Service element to change the properties of a Service element.

IP-based services are used in Access rules and NAT rules. Make sure that you know which underlying protocol the traffic you want to allow uses, and whether you must define a protocol number or a port number. Usually, the Services you define yourself are TCP-based or UDP-based and are identified by the port number they use. However, many common protocols are not TCP-based or UDP-based (for example, ICMP and RPC) and are identified by other information.

Example: The GRE protocol is transported directly over IP as protocol number 47, on the same layer as TCP (protocol number 6) and UDP (protocol number 17). Therefore, custom Services created for TCP or UDP port 47 do not allow GRE to pass the Engine.
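As an added illustration of this point (example code written for this page, not product code or documentation), the following Python models a TCP/UDP Service and an IP-proto Service and matches them against two constructed packets: a GRE packet and a TCP segment to port 47. The `Packet`, `Service`, `parse_ipv4` and `build_ipv4` names and the sample packets are assumptions made for the demo; only the protocol numbers 6, 17 and 47 come from the page.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Sequence

# IP protocol numbers from the IANA registry (the page's "protocol number").
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47


@dataclass(frozen=True)
class Packet:
    protocol: int                    # IPv4 header "Protocol" field (protocol number)
    dst_port: Optional[int] = None   # transport destination port; None when the protocol has no ports


def parse_ipv4(raw: bytes) -> Packet:
    """Read the protocol number from the IPv4 header and, for TCP/UDP only, the destination port."""
    ihl = (raw[0] & 0x0F) * 4        # header length in bytes
    protocol = raw[9]                # "Protocol" field of the IPv4 header
    if protocol in (IPPROTO_TCP, IPPROTO_UDP):
        # TCP and UDP headers both start with source port, destination port.
        _src, dst = struct.unpack("!HH", raw[ihl:ihl + 4])
        return Packet(protocol, dst)
    return Packet(protocol)          # GRE, ICMP, ...: no port numbers to match on


@dataclass(frozen=True)
class Service:
    """Model of a Service element (assumed name): TCP/UDP Services carry a port, IP-proto Services only a protocol number."""
    name: str
    protocol: int
    dst_port: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if pkt.protocol != self.protocol:
            return False             # a TCP Service never matches a GRE packet, whatever the port
        return self.dst_port is None or pkt.dst_port == self.dst_port


def first_match(services: Sequence[Service], pkt: Packet) -> Optional[str]:
    """Return the name of the first Service that matches (top-down lookup), or None."""
    for svc in services:
        if svc.matches(pkt):
            return svc.name
    return None


def build_ipv4(protocol: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet (20-byte header, no options, checksum left as 0) for the demo."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, protocol, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    return header + payload


# Constructed sample traffic (not captured from a real network).
# GRE header: flags/version 0x0000, protocol type 0x0800 (IPv4), followed by an inner IPv4 stub.
GRE_PACKET = build_ipv4(IPPROTO_GRE, b"\x00\x00\x08\x00" + b"\x45" + b"\x00" * 19)
# A TCP segment from port 40000 to port 47 (20-byte header, flags zeroed).
TCP_TO_PORT_47 = build_ipv4(IPPROTO_TCP, struct.pack("!HH", 40000, 47) + b"\x00" * 16)

# The three Service elements from the page's GRE example.
TCP_47 = Service("TCP port 47", IPPROTO_TCP, 47)
UDP_47 = Service("UDP port 47", IPPROTO_UDP, 47)
GRE_SERVICE = Service("GRE (IP protocol 47)", IPPROTO_GRE)


if __name__ == "__main__":
    for label, raw in (("GRE packet", GRE_PACKET), ("TCP packet to port 47", TCP_TO_PORT_47)):
        pkt = parse_ipv4(raw)
        print(f"{label}: protocol={pkt.protocol} dst_port={pkt.dst_port}")
        print("  TCP/UDP port-47 Services only:", first_match([TCP_47, UDP_47], pkt))
        print("  with IP-proto 47 Service:     ", first_match([TCP_47, UDP_47, GRE_SERVICE], pkt))
```

Run as-is: the GRE packet is matched by none of the port-based Services, because a GRE header has no port fields and its protocol number differs from TCP's and UDP's; only the IP-proto Service with protocol number 47 matches it, while the TCP segment to port 47 matches only the TCP Service.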

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Expand the Other Elements tree and select Services.
  3. Create the Service element in one of the following ways:
    • To create an element with no settings predefined, right-click the branch for the type of Service you want to create, then select New > [Service type] Service.
    • To create a Service based on some other Service element, right-click the existing Service, then select New > Duplicate.
  4. Give the new Service a unique Name and write an optional Comment.
  5. Configure the following options depending on the protocol:
    Table 1. Required options for each protocol
    Protocol      Options
    TCP and UDP   Dst. Ports (Optional); Src. Ports (Optional)
    ICMP          Type; Code (Optional)
    SUN RPC       Program Number; Version (Optional); Allow TCP (Optional); Allow UDP (Optional)
    IP            Code (IANA assigns the protocol codes; see https://www.iana.org for a list)
  6. (Optional) To associate the Service with a Protocol element, click Select next to the Protocol field and select a Protocol element.
    Selecting the Protocol is mandatory if the Service is used in an Access rule that directs packets to deep inspection against the inspection rules. Some types of traffic might require a Protocol element of the type Protocol Agent.
  7. (Optional, not available for all Protocol elements) Set more options on the Protocol Parameters tab.
  8. Click OK.

UDP Service Properties dialog box

Use this dialog box to configure a custom UDP Service element.

Option Definition
General tab
Protocol: Displays the Service protocol.
Name: Specifies the Service name.
Comment: An optional comment for your own reference.
Dst. Ports (Optional): Specifies the destination port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. Either the source or the destination port is mandatory.
Src. Ports (Optional): Specifies the source port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. Either the source or the destination port is mandatory.
Protocol: Shows the assigned protocol. Click Select to select a Protocol Agent.
Category: Shows the assigned category. Click Select to include the element in predefined categories.
Option Definition
Protocol Parameters tab, when Protocol is DNS or SSM DNS Proxy (UDP)
Enforce DNS protocol usage
  • On — The engine terminates traffic that is not using the DNS protocol.
  • Off — The engine allows traffic to pass even if the traffic is not DNS-related.
Deny DDNS updates
  • On — The engine terminates traffic that is not actually using the DNS protocol.
  • Off — The engine allows traffic to pass even if the traffic is not DNS-related.
Deny DNS zone transfers
  • On — The engine terminates DNS zone transfer messages.
  • Off — The engine allows DNS zone transfer messages to pass.
Enforce Google SafeSearch
  • On — The engine modifies DNS replies for Google search engines to enforce Google's SafeSearch feature.
  • Off — The engine does not modify DNS replies.
Enforce strict Bing SafeSearch
  • On — The engine modifies DNS replies for Bing search engines to enforce Bing’s SafeSearch feature.
  • Off — The engine does not modify DNS replies.
Enforce strict DuckDuckGo SafeSearch
  • On — The engine modifies DNS replies for DuckDuckGo search engines to enforce DuckDuckGo’s SafeSearch feature.
  • Off — The engine does not modify DNS replies.
Enable YouTube Safesearch
Select the SafeSearch mode from the drop-down list:
  • Strict: Filters out inappropriate videos from search results.
  • Moderate: Similar to Strict mode, but makes a much larger collection of videos available.
  • Off: Turns off both modes (Strict and Moderate). Apply this setting only if you want to let users in your organization have unrestricted YouTube access.
DNS Sinkholing

Specify the domain name or URL list in the Domain Names column, and the response value (NXDOMAIN, an IPv4 address, or an IPv6 address) in the Response column. If the Response column is left empty, no sinkholing action is performed. When the engine detects a DNS request that matches an entry in the Domain Names column, the request is allowed or blocked, or a DNS response with the specified IP address is returned, according to the response value.

To add a domain name or URL list to the DNS Sinkholing table, do the following:
  1. Click Add. A row is added with the None element in the Domain Name column.
  2. Right-click the None element, and then select Edit Domain Name. The Select Element dialog box opens.
  3. Select the Domain Name element or the URL List Application element.
    Note: To add a new domain name or URL list, right-click in the Select Element dialog box and select New Domain Name or New URL List Application. For more details on Domain Name and URL List elements, see the Defining Domain Name elements and Add URL List Application elements to manually block or allow URLs sections in the Forcepoint FlexEdge Secure SD-WAN Product Guide.
  4. Select a domain name or a URL list.
  5. Click OK.
To remove a domain name or URL list from the DNS Sinkholing table, do the following:
  1. Select the row that you want to remove from the DNS Sinkholing table.
  2. Click Remove.
  3. Click OK.

As with Access rules, the rows in the DNS Sinkholing table are processed from top to bottom. Rows that must match traffic first must therefore be placed above the other rows in the table.

To move a row up or down in the Sinkholing table, select the row and click Up or Down.

Note:
  1. You must install the policy on the engine after domain names or URL lists are added or updated.
  2. The DNS Sinkholing feature acts on user DNS requests, and the safe search feature modifies DNS responses. If both DNS Sinkholing and safe search are enabled, DNS sinkholing is performed and safe search is ignored.
Option Definition
Protocol Parameters tab, when Protocol is NetBIOS
Make corresponding NAT modifications to payload
  • On — If inserted in a NAT rule, the addresses relayed in the NetBIOS communications are translated according to the NAT rule.
  • Off — Only the IP addresses in packet headers are translated if inserted in a NAT rule.
Option Definition
Protocol Parameters tab, when Protocol is Protocol Identification
SSL/TLS decryption and inspection: Controls whether SSL/TLS-encrypted traffic is decrypted for inspection.
  • For Application Identification — SSL/TLS traffic is decrypted for inspection only when application detection is used.
  • No — SSL/TLS traffic is not decrypted for inspection.
  • Yes — Enables SSL/TLS decryption and inspection.
HTTPS Inspection Exceptions: Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption. Click Select to select an HTTP Inspection Exceptions element.

Option Definition
Protocol Parameters tab, when Protocol is SIP
Allow Related Connections

(Engine only)

  • On — Allows SIP media connections based on the signaling connection.
  • Off — Protocol Agent is disabled.
Enforce client side media
  • Yes — Requires that the media stream uses the same client-side address as the transport layer.
  • No — Media stream can use any address.
Enforce server side media
  • Yes — Requires that the media stream uses the same server-side address as the transport layer.
  • No — Media stream can use any address.
Maximum number of calls: The maximum number of calls allowed by the Access rule. If the value is 0, no limit is set for the number of calls.
Option Definition
Protocol Parameters tab, when Protocol is SunRPC
Learn RPC program number to port mapping for future RPC service matches: When selected, the Protocol Agent is enabled.
Option Definition
Protocol Parameters tab, when Protocol is TFTP or SSM TFTP Proxy
Allow Related Connections
  • On — Allows data connections to be opened with the control connection.
  • Off — Protocol Agent is disabled.
Allow read
  • Yes — Allows file transfer from server to client (downloads).
  • No — Downloads are not allowed.
Allow write
  • Yes — Allows file transfer from client to server (uploads).
  • No — Uploads are not allowed.
Log filename and paths
  • Yes — Names of transferred files and their paths are included in generated log entries.
  • No — File and path information is not available in logs.
Option Definition
Reset: Discards the changes and reverts to the previously saved default settings.
Option Definition
Protocol Parameters tab, when Protocol is QUIC
Discard QUIC if inspection not possible
  • No — QUIC traffic is allowed and QUIC inspection is enabled.
  • Yes — QUIC traffic is discarded. When QUIC is not permitted, web browsers fall back to TLS, so the traffic can be inspected.
  • Default — QUIC traffic is allowed and QUIC inspection is enabled.

TCP Service Properties dialog box

Use this dialog box to configure a custom TCP Service element.

Option Definition
General tab
Protocol: Displays the protocol.
Name: The name of the element.
Comment (Optional): A comment for your own reference.
Dst. Ports (Optional): Specifies the destination port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. Either the source or the destination port is mandatory.
Src. Ports (Optional): Specifies the source port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. Either the source or the destination port is mandatory.
Protocol: Shows the assigned protocol. Click Select to select a Protocol Agent.
Category (Optional): Includes the element in predefined categories. Click Select to select a category.
Option Definition
Protocol Parameters tab, common options
Reset: Discards the changes and reverts to the previously saved default settings. Not available for all protocols.
Option Definition
Protocol Parameters tab, when Protocol is DNS or SSM DNS Proxy (TCP)
Enforce DNS protocol usage
  • On — The engine terminates traffic that is not using the DNS protocol.
  • Off — The engine allows traffic to pass even if the traffic is not DNS-related.
Deny DDNS updates
  • On — The engine terminates traffic that is not using the DNS protocol.
  • Off — The engine allows traffic to pass even if the traffic is not DNS-related.
Deny DNS zone transfers
  • On — The engine terminates DNS zone transfer messages.
  • Off — The engine allows DNS zone transfer messages to pass.
Enforce Google SafeSearch
  • On — The engine modifies DNS replies for Google search engines to enforce Google's SafeSearch feature.
  • Off — The engine does not modify DNS replies.
Enforce strict Bing SafeSearch
  • On — The engine modifies DNS replies for Bing search engines to enforce Bing’s SafeSearch feature.
  • Off — The engine does not modify DNS replies.
Enforce strict DuckDuckGo SafeSearch
  • On — The engine modifies DNS replies for DuckDuckGo search engines to enforce DuckDuckGo’s SafeSearch feature.
  • Off — The engine does not modify DNS replies.
Enable YouTube Safesearch
Select the SafeSearch mode from the drop-down list:
  • Strict: Filters out inappropriate videos from search results.
  • Moderate: Similar to Strict mode, but makes a much larger collection of videos available.
  • Off: Turns off both modes (Strict and Moderate). Apply this setting only if you want to let users in your organization have unrestricted YouTube access.
DNS Sinkholing

Specify the domain name or URL list in the Domain Names column, and the response value (NXDOMAIN, an IPv4 address, or an IPv6 address) in the Response column. If the Response column is left empty, no sinkholing action is performed. When the engine detects a DNS request that matches an entry in the Domain Names column, the request is allowed or blocked, or a DNS response with the specified IP address is returned, according to the response value.

To add a domain name or URL list to the DNS Sinkholing table, do the following:
  1. Click Add. A row is added with the None element in the Domain Name column.
  2. Right-click the None element, and then select Edit Domain Name. The Select Element dialog box opens.
  3. Select the Domain Name element or the URL List Application element.
    Note: To add a new domain name or URL list, right-click in the Select Element dialog box and select New Domain Name or New URL List Application. For more details on Domain Name and URL List elements, see the Defining Domain Name elements and Add URL List Application elements to manually block or allow URLs sections in the Forcepoint FlexEdge Secure SD-WAN Product Guide.
  4. Select a domain name or a URL list.
  5. Click OK.
To remove a domain name or URL list from the DNS Sinkholing table, do the following:
  1. Select the row that you want to remove from the DNS Sinkholing table.
  2. Click Remove.
  3. Click OK.

As with Access rules, the rows in the DNS Sinkholing table are processed from top to bottom. Rows that must match traffic first must therefore be placed above the other rows in the table.

To move a row up or down in the Sinkholing table, select the row and click Up or Down.

Note:
  1. You must install the policy on the engine after domain names or URL lists are added or updated.
  2. The DNS Sinkholing feature acts on user DNS requests, and the safe search feature modifies DNS responses. If both DNS Sinkholing and safe search are enabled, DNS sinkholing is performed and safe search is ignored.
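The following Python, added here as an example (not product code), models the DNS Sinkholing table described in both the UDP and the TCP DNS Protocol Parameters sections above: rows are walked from top to bottom, the first matching row decides, an empty Response means no action, and the Up button changes the outcome when a broad entry shadows a more specific one. It also encodes the note that sinkholing takes precedence over safe search. The `SinkholeRow`, `evaluate`, `move_row` and `resolve` names, the subdomain-matching rule, the treatment of a URL List as a list of host names, the decision to stop at a matched row with an empty Response, and the sample table are assumptions made for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NXDOMAIN = "NXDOMAIN"


@dataclass
class SinkholeRow:
    """One row of the DNS Sinkholing table: the Domain Names cell and the Response cell."""
    domain_names: List[str]          # names of a Domain Name element or, by assumption, the hosts of a URL List
    response: Optional[str] = None   # "NXDOMAIN", an IPv4/IPv6 address, or None for an empty Response column

    def __post_init__(self) -> None:
        if self.response not in (None, NXDOMAIN):
            ipaddress.ip_address(self.response)   # ValueError for anything that is not an IP address


def name_matches(qname: str, domain: str) -> bool:
    """Assumption: a domain entry covers the name itself and every subdomain, case-insensitively."""
    q, d = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def evaluate(table: List[SinkholeRow], qname: str) -> Tuple[str, Optional[str]]:
    """Walk the table top to bottom; the first matching row decides and later rows are never consulted."""
    for row in table:
        if any(name_matches(qname, d) for d in row.domain_names):
            if row.response is None:
                return ("allow", None)          # empty Response: no sinkholing action (assumption: stop here)
            if row.response == NXDOMAIN:
                return ("nxdomain", None)       # the request is answered with NXDOMAIN
            return ("answer", row.response)     # the request is answered with the configured address
    return ("allow", None)                      # nothing matched: the request passes untouched


def move_row(table: List[SinkholeRow], index: int, direction: str) -> List[SinkholeRow]:
    """Model the Up / Down buttons: return a copy of the table with the row moved one position."""
    new = list(table)
    j = index - 1 if direction == "up" else index + 1
    if 0 <= j < len(new):
        new[index], new[j] = new[j], new[index]
    return new


def resolve(table: List[SinkholeRow], qname: str, safesearch_enabled: bool) -> Tuple[str, str, Optional[str]]:
    """Which feature acts on the request: sinkholing wins over safe search when both are enabled (note 2)."""
    action, value = evaluate(table, qname)
    if action != "allow":
        return ("sinkhole", action, value)
    if safesearch_enabled:
        return ("safesearch", "allow", None)    # the reply may still be rewritten by the safe search feature
    return ("none", "allow", None)


# Constructed sample table (documentation-reserved names, not real indicators).
TABLE = [
    SinkholeRow(["example.com"], NXDOMAIN),             # broad entry placed first ...
    SinkholeRow(["safe.example.com"], None),            # ... shadows this intended exemption
    SinkholeRow(["malware-test.invalid"], "192.0.2.1"),
    SinkholeRow(["ipv6-test.invalid"], "2001:db8::1"),
]


if __name__ == "__main__":
    print("original order:", evaluate(TABLE, "safe.example.com"))
    fixed = move_row(TABLE, 1, "up")                    # click Up on the second row
    print("after moving the specific row up:", evaluate(fixed, "safe.example.com"))
    print("still sinkholed:", evaluate(fixed, "www.example.com"))
    print("precedence:", resolve(TABLE, "www.example.com", safesearch_enabled=True))
```

`resolve` models only the precedence rule from the note, not the safe search rewriting itself, and `evaluate` returns what the engine would do rather than building a DNS message.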
Option Definition
Protocol Parameters tab, when Protocol is FTP or SSM FTP Proxy
Allow related connections
  • On — Allows data connections to be opened with the control connection.
  • Off — Disables the Protocol Agent.
Allow active mode
  • Yes — Server is allowed to open data connections to the client (according to information exchanged in the control connection).
  • No — Server-initiated data connections are forbidden.
Allow passive mode
  • Yes — Client is allowed to open data connections to the server (according to information exchanged in the control connection).
  • No — Client-initiated data connections are forbidden.
Control data inspection mode

(Engine only)

  • Strict — If commands that do not comply with the RFC 959 FTP standard are used, the connection is dropped.
  • Loose — The Protocol Agent tries to identify information for opening the data connection even if the communications do not strictly follow the FTP standards. Sometimes needed with non-standard FTP configurations.

Highest allowed source port for Active data connection / Lowest allowed source port for Active data connection

(Engine only)

Enter a port value to limit the range of allowed source ports for active data connections on the server.

Value 0 for the lowest port means that the server always uses the port number immediately preceding the destination port. If the server uses a standard port, both the lowest and highest port number must be 0.

Redirect to Proxy Server

(Engine only)

Select the Proxy Server to which the connections are redirected.

Note: The recommended method for forwarding traffic to a proxy service is to use Access rules.

(Optional) Specify the IP Address Translation Range (IPv4 only) and the Port Translation Range for the redirection. To specify a single IP address, enter the same IP address in both fields.

Note: This option is not supported for SSM Proxies.
Option Definition
Protocol Parameters tab, when Protocol is HTTP or HTTPS
Logging of Accessed URLs
  • Yes — The URLs of sites that users access are included in generated log entries.
    Note: With HTTPS traffic, requires that the traffic is decrypted.
  • No — URLs are not included in generated log entries.
Optimized server stream fingerprinting
  • Yes — When matching connections to the Inspection rules, the server stream matching is done only for patterns that are valid for the client’s browser type and version.
  • No — All server stream patterns are matched.
Enforce Google SafeSearch
  • On — The engine modifies DNS replies for Google search engines to enforce Google's SafeSearch feature.
  • Off — The engine does not modify DNS replies.
HTTPS decryption and inspection

(HTTPS only)

Controls whether to decrypt HTTPS traffic.
  • For Application Identification — HTTPS traffic is decrypted for inspection only when application detection is used.
  • Yes — Enables HTTPS decryption and inspection.
  • No — HTTPS traffic is not decrypted for inspection.
HTTPS Inspection Exceptions

(HTTPS only)

Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption.

Click Select to select an HTTP Inspection Exceptions element.

Strip QUIC support from server replies

(Engine only)

  • Yes: The HTTP header that indicates server support for HTTP/3 (QUIC) is stripped.
  • No: The HTTP header that indicates server support for HTTP/3 (QUIC) is not stripped.
Note: For HTTPS, stripping is possible only if HTTPS is being decrypted with TLS Inspection.
Redirect to Proxy Server

(Engine only)

Select the Proxy Server to which the connections are redirected.

Note: The recommended method for forwarding traffic to a proxy service is to use Access rules.

(Optional) Specify the IP Address Translation Range (IPv4 only) and the Port Translation Range for the redirection. To specify a single IP address, enter the same IP address in both fields.

Note: This option is not supported for SSM Proxies.
Option Definition
Protocol Parameters tab, when Protocol is HTTP with SSM HTTP Proxy
Logging of Accessed URLs
  • Yes — The URLs of sites that users access are included in generated log entries.
    Note: With HTTPS traffic, requires that the traffic is decrypted.
  • No — URLs are not included in generated log entries.
Optimized server stream fingerprinting
  • Yes — When matching connections to the Inspection rules, the server stream matching is done only for patterns that are valid for the client’s browser type and version.
  • No — All server stream patterns are matched.
Redirect to Proxy Server: This option is not supported for SSM Proxies.
Enforce Google SafeSearch
  • On — The engine modifies DNS replies for Google search engines to enforce Google's SafeSearch feature.
  • Off — The engine does not modify DNS replies.
Enforce Strict Headers: When selected, the proxy blocks HTTP requests and responses that do not comply with the HTTP protocol standards.
Log URLs: When selected, the proxy logs the URLs in HTTP requests.
Request Validation: When selected, the proxy validates HTTP requests. Selecting this option enables options in the following sections:
  • URL Control Options
  • URL Matches
  • Commands
URL Control Options section: Specifies options for validation of URLs.
Disallow Unicode in URL Paths: When selected, Unicode-encoded text is not allowed in URL paths.
Disallow Unicode URL Queries: When selected, Unicode-encoded text is not allowed in query strings in URLs.
Enforce Strict URL Paths: When selected, the proxy blocks URL paths that contain characters that are not allowed by the HTTP protocol standards.
Enforce Strict URL Queries: When selected, the proxy blocks queries that contain characters that are not allowed by the HTTP protocol standards.
URL Normalization Validation: Specifies how URL normalization is applied to HTTP requests.
  • Allow — Allows the request.
  • Allow and Log — Allows the request and creates a log entry.
  • Block and Log — Blocks the request and creates a log entry.
  • Off — URL normalization is not enabled.
Maximum URL Length: Specifies the maximum number of characters allowed in URLs.
Require HTTP Version: When selected, the proxy requires the HTTP request to include an HTTP version string. Selecting this option enables the following options:
  • Allow HTTP version 1.0
  • Allow HTTP version 1.1
Allow HTTP version 1.0: When selected, the proxy allows HTTP requests that specify HTTP version 1.0 as the version string.
Allow HTTP version 1.1: When selected, the proxy allows HTTP requests that specify HTTP version 1.1 as the version string.
URL Matches section: Specifies rules for allowing or denying matching URLs.
Allow or Deny Specified URL Matches: Specifies whether matching URLs are allowed or denied.
  • Allow — Matching URLs are allowed.
  • Deny — Matching URLs are denied.
URL Match List: Specifies the criteria for matching URLs.
Match Type: Specifies how the proxy matches the match criteria in the URL.
  • Contains — Matches when the URL contains the specified criteria.
  • Begins with — Matches when the URL begins with the specified criteria.
  • Ends with — Matches when the URL ends with the specified criteria.
Match Parameter: Specifies the part of the URL where the proxy checks for the match criteria.
  • Host — The proxy checks the domain name for the match criteria.
  • Path — The proxy checks the URL path for the match criteria.
  • All — The proxy checks both the host and the path for the match criteria.
URL: The matching criteria for the URL.
Add: Adds a row to the table.
Remove: Removes the selected row from the table.
Commands section: Specifies the commands that the proxy allows in HTTP requests.
Allowed HTTP Commands
  • Any — The proxy allows any commands in HTTP requests.
  • Selected from List — The proxy allows only the selected commands in HTTP requests.
Content Control: Specifies options for allowing or denying content in HTTP requests.
Deny SOAP: When selected, the proxy denies the use of Simple Object Access Protocol (SOAP) in HTTP requests.
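As an added example (not the proxy's own code), the following Python implements the Request Validation checks listed above for one HTTP request: the allowed command list, the HTTP version requirement, the maximum URL length, the Unicode and strict-character checks on path and query, the URL Match List with its Match Type and Match Parameter, and Deny SOAP. The `ProxyPolicy`, `UrlMatch` and `validate_request` names, the RFC 3986 character classes used for the strict checks, the definition of Unicode-encoded text, the meaning of the Allow mode for URL Matches, the SOAP detection by header, and the sample requests are assumptions made for the demo.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Characters RFC 3986 permits in a path / query, plus percent-encoded octets (assumed reading of "strict").
_STRICT_PATH = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/]|%[0-9A-Fa-f]{2})*$")
_STRICT_QUERY = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*$")
# "Unicode-encoded text" here: raw non-ASCII, percent-encoded bytes >= 0x80, or %uXXXX (assumption).
_UNICODE = re.compile(r"[^\x00-\x7F]|%[89A-Fa-f][0-9A-Fa-f]|%u[0-9A-Fa-f]{4}")


@dataclass
class UrlMatch:
    match_type: str   # "contains" | "begins with" | "ends with"
    parameter: str    # "host" | "path" | "all"
    url: str          # the match criteria


@dataclass
class ProxyPolicy:
    """The Request Validation settings as a plain data object (assumed attribute names)."""
    max_url_length: int = 2048
    disallow_unicode_paths: bool = True
    disallow_unicode_queries: bool = True
    strict_url_paths: bool = True
    strict_url_queries: bool = True
    require_http_version: bool = True
    allow_http_1_0: bool = True
    allow_http_1_1: bool = True
    url_match_action: str = "deny"                 # "allow" | "deny" for URLs in url_matches
    url_matches: List[UrlMatch] = field(default_factory=list)
    allowed_commands: Optional[List[str]] = None   # None = Any
    deny_soap: bool = True


def _matches(rule: UrlMatch, host: str, path: str) -> bool:
    """Apply one URL Match List row: Match Type against the part(s) chosen by Match Parameter."""
    subjects = {"host": [host], "path": [path], "all": [host, path]}[rule.parameter]
    ops = {"contains": lambda s: rule.url in s,
           "begins with": lambda s: s.startswith(rule.url),
           "ends with": lambda s: s.endswith(rule.url)}
    return any(ops[rule.match_type](s) for s in subjects)


def validate_request(policy: ProxyPolicy, method: str, url: str, version: str,
                     headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason); the reason names the option that blocked the request."""
    if policy.allowed_commands is not None and method not in policy.allowed_commands:
        return False, "Allowed HTTP Commands"
    if policy.require_http_version:
        permitted = {"HTTP/1.0": policy.allow_http_1_0, "HTTP/1.1": policy.allow_http_1_1}
        if not permitted.get(version, False):
            return False, "Require HTTP Version"
    if len(url) > policy.max_url_length:
        return False, "Maximum URL Length"
    parts = urlsplit(url)
    host, path, query = parts.hostname or "", parts.path, parts.query
    if policy.disallow_unicode_paths and _UNICODE.search(path):
        return False, "Disallow Unicode in URL Paths"
    if policy.disallow_unicode_queries and _UNICODE.search(query):
        return False, "Disallow Unicode URL Queries"
    if policy.strict_url_paths and not _STRICT_PATH.match(path):
        return False, "Enforce Strict URL Paths"
    if policy.strict_url_queries and not _STRICT_QUERY.match(query):
        return False, "Enforce Strict URL Queries"
    hit = any(_matches(r, host, path) for r in policy.url_matches)
    # Assumption: "deny" blocks matching URLs; "allow" lets only matching URLs through.
    if policy.url_matches and (hit if policy.url_match_action == "deny" else not hit):
        return False, "URL Matches"
    lower = {k.lower(): v for k, v in headers.items()}
    if policy.deny_soap and ("soapaction" in lower or
                             lower.get("content-type", "").startswith("application/soap+xml")):
        return False, "Deny SOAP"
    return True, "ok"


# Constructed sample policy: deny two URL patterns, allow three commands, short URL limit.
POLICY = ProxyPolicy(
    max_url_length=256,
    url_match_action="deny",
    url_matches=[UrlMatch("ends with", "host", ".blocked-test.invalid"),
                 UrlMatch("begins with", "path", "/cgi-bin/")],
    allowed_commands=["GET", "HEAD", "POST"],
)


if __name__ == "__main__":
    for req in [("GET", "http://www.example.com/index.html?q=1", "HTTP/1.1", {}),
                ("TRACE", "http://www.example.com/", "HTTP/1.1", {}),
                ("GET", "http://www.example.com/caf\u00e9", "HTTP/1.1", {}),
                ("GET", "http://www.example.com/cgi-bin/test", "HTTP/1.1", {}),
                ("POST", "http://www.example.com/service", "HTTP/1.1", {"SOAPAction": '"urn:example"'})]:
        print(req[0], req[1], "->", validate_request(POLICY, *req))
```

Each check returns as soon as it fails, so the reason string tells the operator which option to revisit when legitimate traffic is blocked.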
Option Definition
Protocol Parameters tab, when Protocol is HTTP with SSM TCP Proxy or HTTPS with SSM TCP Proxy
Logging of Accessed URLs
  • Yes — The URLs of sites that users access are included in generated log entries.
    Note: With HTTPS traffic, requires that the traffic is decrypted.
  • No — URLs are not included in generated log entries.
Optimized server stream fingerprinting
  • Yes — When matching connections to the Inspection rules, the server stream matching is done only for patterns that are valid for the client’s browser type and version.
  • No — All server stream patterns are matched.
Redirect to Proxy Server

(Engine only)

Select the Proxy Server to which the connections are redirected.

Note: The recommended method for forwarding traffic to a proxy service is to use Access rules.

(Optional) Specify the IP Address Translation Range (IPv4 only) and the Port Translation Range for the redirection. To specify a single IP address, enter the same IP address in both fields.

Note: This option is not supported for SSM Proxies.
Enforce Google SafeSearch
  • On — The engine modifies DNS replies for Google search engines to enforce Google's SafeSearch feature.
  • Off — The engine does not modify DNS replies.
HTTPS decryption and inspection

(HTTPS only)

Controls whether to decrypt HTTPS traffic.
  • For Application Identification — HTTPS traffic is decrypted for inspection only when application detection is used.
  • Yes — Enables HTTPS decryption and inspection.
  • No — HTTPS traffic is not decrypted for inspection.
HTTPS Inspection Exceptions

(HTTPS only)

Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption.

Click Select to select an HTTP Inspection Exceptions element.

Option Definition
Protocol Parameters tab, when Protocol is H.323
Allow related connections
  • On — The Protocol Agent monitors the H.323 connection and allows the related connections in Access and NAT rules.
  • Off — Disables the Protocol Agent.
Allow special logical channels through (No NAT)
  • Yes — Allows H.323 clients to open a special logical channel for audio and video without NAT.
  • No — Special logical channels are not allowed.
Option Definition
Protocol Parameters tab, when Protocol is IMAPS
IMAPS decryption and inspection: Controls whether SSL/TLS-encrypted traffic is decrypted for inspection.
  • For Application Identification — SSL/TLS traffic is decrypted for inspection only when application detection is used.
  • No — SSL/TLS traffic is not decrypted for inspection.
  • Yes — Enables SSL/TLS decryption and inspection.
IMAPS Inspection Exceptions: Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption. Click Select to select an HTTP Inspection Exceptions element.
Option Definition
Protocol Parameters tab, when Protocol is MSRPC
Allow related connections
  • On — Allows responses sent by the endpoint mapper (EPM) service.
  • Off — Disables the Protocol Agent.
Allow MS Exchange Remote administration service
  • Yes — Allows remote administration of the Microsoft Exchange server through the Exchange System Attendant service.
  • No — Prevents remote administration.
Allow MS Exchange user services
  • Yes — Allows the normal use of the Microsoft Outlook client; the Protocol Agent allows the use of Exchange Database service, Directory service, Information Store service, MTA service, and Store service.
  • No — Prevents end-user services.
Allow any UUID in endpoint mapping
  • Yes — Allows other MSRPC requests in addition to Outlook/Exchange.
  • No — The Service allows only Outlook/Exchange traffic.
Allow other RPC traffic
  • Yes — Allows message types that are not supported by the Protocol Agent to bypass the control connection.
  • No — Allows only supported message types (bind, bind ack, request, and response).
Option Definition
Protocol Parameters tab, when Protocol is Oracle
Allow related connections
  • On — Allows database connection based on information in the listener connection.
  • Off — Disables the Protocol Agent.
Max. length allowed for one TNS packet: Enter the maximum amount of TCP payload data that each Oracle TNS packet is allowed to carry.
Netmask for allowed server addresses: Enter a netmask for limiting the allowed traffic. The value 255.255.255.255 allows the database connection only to the address in which the Oracle Listener service is located. The value 0.0.0.0 allows database connections to all addresses.
Set checksum to zero for modified TNS packets
  • Yes — Resets the header and packet checksums to zero when the Protocol Agent modifies the packet payload data.
  • No — Checksums remain even when the packet is changed.
Option Definition
Protocol Parameters tab, when Protocol is POP3S
POP3S decryption and inspection: Controls whether SSL/TLS-encrypted traffic is decrypted for inspection.
  • For Application Identification — SSL/TLS traffic is decrypted for inspection only when application detection is used.
  • No — SSL/TLS traffic is not decrypted for inspection.
  • Yes — Enables SSL/TLS decryption and inspection.
POP3S Inspection Exceptions: Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption. Click Select to select an HTTP Inspection Exceptions element.
Option Definition
Protocol Parameters tab, when Protocol is Protocol Identification
SSL/TLS decryption and inspection: Controls whether SSL/TLS-encrypted traffic is decrypted for inspection.
  • For Application Identification — SSL/TLS traffic is decrypted for inspection only when application detection is used.
  • No — SSL/TLS traffic is not decrypted for inspection.
  • Yes — Enables SSL/TLS decryption and inspection.
HTTPS Inspection Exceptions: Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption.
Option Definition
Protocol Parameters tab, when Protocol is RTSP
Allow related connections
  • On — Related RTP and RTCP connections initiated with RTSP are allowed through the engine.
  • Off — Disables the Protocol Agent.
Option Definition
Protocol Parameters tab, when Protocol is Shell
Allow related connections
  • On — Standard error (stderr) stream is allowed through the engine as a response to an RSH command.
  • Off — Disables the Protocol Agent.
Option Definition
Protocol Parameters tab, when Protocol is SIP
Allow related connections

(Engine only)

  • On — Allows SIP media connections based on the signaling connection.
  • Off — Disables the Protocol Agent.
Enforce client side media
  • Yes — Requires that the media stream uses the same client-side address as the transport layer.
  • No — Media stream can use any address.
Enforce server side media
  • Yes — Requires that the media stream uses the same server-side address as the transport layer.
  • No — Media stream can use any address.
Maximum number of calls: The maximum number of calls allowed by the Access rule. If the value is 0, no limit is set for the number of calls.
Option Definition
Protocol Parameters tab, when Protocol is SMTP
Redirect to Proxy Server

(Engine only)

Select the Proxy Server to which the connections are redirected.

Note: The recommended method for forwarding traffic to a proxy service is to use Access rules.

(Optional) Specify the IP Address Translation Range (IPv4 only) and the Port Translation Range for the redirection. To specify a single IP address, enter the same IP address in both fields.

Note: This option is not supported for SSM Proxies.
Option Definition
Protocol Parameters tab, when Protocol is SSH or SSH with SSM TCP Proxy
Make protocol validation
  • On — Validates the SSH transfers according to the parameters defined in this dialog.
  • Off — Disables the Protocol Agent.
Bytes allowed from client before Server ID: Amount of data that the client is allowed to send to the server before the server sends its own identification string.
Bytes allowed from server before Client ID: Amount of data that the server can send to the client before the client sends its own identification string.
Bytes allowed from server before Server ID: Amount of data that the server can send to the client before the server sends its own identification string.
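As an added example, not product code, the following Python checks the three byte limits above against constructed SSH identification exchanges: it counts what each side sends before the other side's identification string and before the server's own (a line starting with `SSH-`; RFC 4253 allows other lines before it), and reports which limit was exceeded. The class and function names, the limit values and the sample exchanges are assumptions made for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SSH_ID_PREFIX = b"SSH-"


@dataclass
class SshIdLimits:
    """The three byte limits from the SSH Protocol Parameters tab (values constructed for the demo)."""
    client_before_server_id: int
    server_before_client_id: int
    server_before_server_id: int


@dataclass
class SshIdValidator:
    limits: SshIdLimits
    buf: Dict[str, bytes] = field(default_factory=lambda: {"client": b"", "server": b""})
    id_seen: Dict[str, bool] = field(default_factory=lambda: {"client": False, "server": False})
    id_offset: Dict[str, int] = field(default_factory=lambda: {"client": 0, "server": 0})
    client_before_server_id: int = 0
    server_before_client_id: int = 0

    def _scan_for_id(self, side: str) -> None:
        """Find the first CRLF-terminated line starting with SSH-; earlier lines are pre-ID data."""
        data, idx = self.buf[side], 0
        while not self.id_seen[side]:
            nl = data.find(b"\r\n", idx)
            if nl < 0:
                break
            if data[idx:nl].startswith(SSH_ID_PREFIX):
                self.id_seen[side] = True
                self.id_offset[side] = idx          # number of bytes that preceded the ID line
            idx = nl + 2

    def feed(self, side: str, data: bytes) -> Optional[str]:
        """Account one chunk sent by "client" or "server"; return a violation text, or None."""
        if side == "client" and not self.id_seen["server"]:
            self.client_before_server_id += len(data)
        if side == "server" and not self.id_seen["client"]:
            self.server_before_client_id += len(data)
        self.buf[side] += data
        self._scan_for_id(side)
        lim = self.limits
        if self.client_before_server_id > lim.client_before_server_id:
            return "client sent too many bytes before the server identification"
        if self.server_before_client_id > lim.server_before_client_id:
            return "server sent too many bytes before the client identification"
        # Bytes before the server's own ID: everything so far if it has not appeared yet.
        pre = self.id_offset["server"] if self.id_seen["server"] else len(self.buf["server"])
        if pre > lim.server_before_server_id:
            return "server sent too many bytes before its own identification"
        return None


def check_exchange(limits: SshIdLimits, exchange: List[Tuple[str, bytes]]) -> Optional[str]:
    """Run a whole (side, bytes) exchange through the validator; return the first violation or None."""
    v = SshIdValidator(limits)
    for side, data in exchange:
        violation = v.feed(side, data)
        if violation:
            return violation
    return None


# Constructed limits and exchanges (the identification strings are made-up software names).
LIMITS = SshIdLimits(256, 256, 256)
NORMAL = [("client", b"SSH-2.0-ExampleClient_1.0\r\n"), ("server", b"SSH-2.0-ExampleServer_1.0\r\n")]
LONG_BANNER = [("client", b"SSH-2.0-ExampleClient_1.0\r\n"),
               ("server", b"*" * 300 + b"\r\n"), ("server", b"SSH-2.0-ExampleServer_1.0\r\n")]
CLIENT_FLOOD = [("client", b"A" * 300)]


if __name__ == "__main__":
    for name, exchange in (("normal", NORMAL), ("long banner", LONG_BANNER), ("client flood", CLIENT_FLOOD)):
        print(f"{name}: {check_exchange(LIMITS, exchange)}")
```

Raising only the third limit (the server's bytes before its own ID) lets the long-banner exchange through while still rejecting the client flood, which is how the three values are meant to be tuned independently.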
Option Definition
Protocol Parameters tab, when Protocol is SunRPC
Learn RPC program number to port mapping for future RPC service matches: When selected, the Protocol Agent is enabled.
Option Definition
Protocol Parameters tab, when Protocol is TCP Proxy
Abort on close: Timeout in seconds for aborting a connection, counted from when one of the communicating parties initiates the connection close. The connection is aborted by sending TCP Reset packets to the unresponsive endpoint. Setting this value to 0 disables the timeout (connections are left open).
Idle timeout: Timeout in seconds for closing a connection after the latest transmission. Setting this value to 0 disables the timeout (connections are left open).
Use proxy
  • On — Enables the Protocol Agent.
  • Off — Disables the Protocol Agent.

IP-proto Service Properties dialog box

Use this dialog box to configure a custom IP-proto Service element.

Option Definition
General tab
Protocol Displays the Service protocol.
Name Specifies the Service name.
Comment An optional comment for your own reference.
Protocol Number Specifies the Service protocol number.
Protocol Shows the assigned protocol.
Select Opens the Protocol Agent dialog box.
Category Shows the assigned category.
Select Opens the Category Selection for New Element dialog box.
Option Definition
Protocol Parameters tab, when Protocol is GRE
Apply Tunnel Rematch
  • On — Rematches the encapsulated payload inside the tunneling packet until the maximum rematch count defined in the engine properties is reached.
  • Off — Does not rematch encapsulated payload.
Tunnel IPv4 protocol
  • On — Allows tunneling over IPv4.
  • Off — Stops connections that are tunneled over IPv4.
Tunnel IPv6 protocol
  • On — Allows tunneling over IPv6.
  • Off — Stops connections that are tunneled over IPv6.
Option Definition
Protocol Parameters tab, when Protocol is IPv4 Encapsulation
Apply Tunnel Rematch
  • On — Rematches the encapsulated IPv4 payload inside the IPv6 tunneling packet until the maximum rematch count defined in the engine properties is reached.
  • Off — Does not rematch encapsulated payload.
Next Ethernet Type For information only. Shows the Ethernet frame type used for examining the encapsulated packet.
Option Definition
Protocol Parameters tab, when Protocol is IPv6 Encapsulation
Apply Tunnel Rematch
  • On — Rematches the encapsulated IPv6 payload inside the IPv6 tunneling packet until the maximum rematch count defined in the engine properties is reached.
  • Off — Does not rematch encapsulated payload.
Next Ethernet Type For information only. Shows the Ethernet frame type used for examining the encapsulated packet.
Option Definition
Reset Discards the changes and reverts to the previously saved default settings.

SUN-RPC Service Properties dialog box

Use this dialog box to define the properties of a SUN-RPC Service.

Option Definition
Protocol Displays the Service protocol.
Name Specifies the Service name.
Comment An optional comment for your own reference.
Program Number Specifies the program number.
Version (Optional) Specifies the remote program version number. If you do not enter a program version, the element matches traffic of any version.
TCP Traffic Allowed (Optional) Allows the RPC message when transported over TCP.
UDP Traffic Allowed (Optional) Allows the RPC message when transported over UDP.
Category Shows the assigned category.
Select Opens the Category Selection for New Element dialog box.

ICMP Service Properties dialog box

Use this dialog box to configure an ICMP Service.

Option Definition
Protocol Displays the Service protocol.
Name Specifies the Service name.
Comment An optional comment for your own reference.
Type Specifies the ICMP type number that the traffic uses.
Code (Optional) Specifies the ICMP code that the traffic uses. If the Code field is empty, the Service matches traffic regardless of the ICMP code. If you enter 0 as the code, the Service matches only packets that contain no ICMP code.
Category Shows the assigned category.
Select Opens the Category Selection for New Element dialog box.

ICMPv6 Service Properties dialog box

Use this dialog box to define the properties of an ICMPv6 Service.

Option Definition
Protocol Displays the Service protocol.
Name Specifies the Service name.
Comment An optional comment for your own reference.
Type Specifies the ICMP type number that the traffic uses.
Code (Optional) Specifies the ICMP code that the traffic uses. If the Code field is empty, the Service matches traffic regardless of the ICMP code. If you enter 0 as the code, the Service matches only packets that contain no ICMP code.
Category Shows the assigned category.
Select Opens the Category Selection for New Element dialog box.