Create custom Service elements
Create a custom Service element if you need to match a protocol or port number that is not represented by the default Service elements. You can also use a custom Service element to change the properties of a Service element.
IP-based services are used in Access rules and NAT rules. Make sure that you know which underlying protocol the traffic you want to allow uses, and whether you must define a protocol number or a port number. Usually, the Services you define yourself are TCP-based or UDP-based and are identified by the port number they use. However, many common protocols are not TCP-based or UDP-based (for example, ICMP and RPC) and are identified by other information.
Example: The GRE protocol is transported directly over IP as protocol number 47, on the same layer as TCP (protocol number 6) and UDP (protocol number 17). Therefore, a custom Service created for TCP or UDP port 47 does not allow GRE to pass the Engine.
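The following Python is an added illustration, not part of the original documentation or of the product, of why a TCP or UDP Service on port 47 cannot match GRE. It models the three kinds of matching described on this page: TCP and UDP Services match on transport protocol plus a port or port range (either source or destination is mandatory, an empty field means any port), an IP-proto Service matches on the protocol number alone, and an ICMP Service matches on type, with the Code field semantics given in the ICMP Service Properties section below (empty matches any code, 0 matches only code 0). The protocol numbers are the IANA values; class names, field names and the sample Services and packets are constructed for the example.

```python
"""Service matching by protocol number versus port number (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 1, 6, 17, 47

# A port field as entered in the dialog: (first, second); second=None means a single port.
PortSpec = Optional[Tuple[int, Optional[int]]]


@dataclass(frozen=True)
class Packet:
    proto: int
    src_port: Optional[int] = None   # TCP/UDP only
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None  # ICMP only
    icmp_code: Optional[int] = None


def _port_in_spec(spec: PortSpec, port: Optional[int]) -> bool:
    if spec is None:
        return True                  # field left empty: any port
    if port is None:
        return False                 # protocol carries no ports at all
    first, second = spec
    return first <= port <= (second if second is not None else first)


@dataclass(frozen=True)
class PortService:
    """TCP or UDP Service; either Src. Ports or Dst. Ports must be filled in."""
    proto: int
    dst: PortSpec = None
    src: PortSpec = None

    def __post_init__(self) -> None:
        if self.proto not in (IPPROTO_TCP, IPPROTO_UDP):
            raise ValueError("port-based Services exist only for TCP and UDP")
        if self.dst is None and self.src is None:
            raise ValueError("either source or destination port is mandatory")

    def matches(self, pkt: Packet) -> bool:
        # GRE is IP protocol 47, not TCP/UDP port 47: the protocol test fails first.
        return (pkt.proto == self.proto
                and _port_in_spec(self.dst, pkt.dst_port)
                and _port_in_spec(self.src, pkt.src_port))


@dataclass(frozen=True)
class IPProtoService:
    """IP-proto Service: matched on the IP protocol number only."""
    protocol_number: int

    def matches(self, pkt: Packet) -> bool:
        return pkt.proto == self.protocol_number


@dataclass(frozen=True)
class ICMPService:
    """ICMP Service: Type is mandatory; an empty Code matches any code, Code 0 only code 0."""
    icmp_type: int
    icmp_code: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != IPPROTO_ICMP or pkt.icmp_type != self.icmp_type:
            return False
        return self.icmp_code is None or pkt.icmp_code == self.icmp_code


def first_match(services: List[tuple], pkt: Packet) -> Optional[str]:
    """Name of the first matching Service in an ordered list, or None."""
    for name, svc in services:
        if svc.matches(pkt):
            return name
    return None


def port_service_error(proto: int, dst: PortSpec = None, src: PortSpec = None) -> Optional[str]:
    """Return the validation error a PortService definition would raise, or None if valid."""
    try:
        PortService(proto, dst, src)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed Services in rule order; the first two are the mistake described in the text.
SERVICES = [
    ("TCP dst 47", PortService(IPPROTO_TCP, dst=(47, None))),
    ("UDP dst 47", PortService(IPPROTO_UDP, dst=(47, None))),
    ("GRE (IP protocol 47)", IPProtoService(IPPROTO_GRE)),
    ("DNS from ephemeral ports", PortService(IPPROTO_UDP, dst=(53, None), src=(1024, 65535))),
    ("ICMP echo reply, any code", ICMPService(icmp_type=0)),
    ("ICMP port unreachable only", ICMPService(icmp_type=3, icmp_code=3)),
]


def classify(pkt: Packet) -> Optional[str]:
    return first_match(SERVICES, pkt)


if __name__ == "__main__":
    print(classify(Packet(IPPROTO_GRE)))                 # GRE (IP protocol 47)
    print(classify(Packet(IPPROTO_TCP, 40000, 47)))      # TCP dst 47
```

A GRE packet carries no port fields, so both port-47 Services reject it on the protocol test and only the IP-proto Service matches; the same packet classifier also shows that a Service with an empty ICMP Code accepts any code while Code 3 accepts only code 3.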
UDP Service Properties dialog box
Use this dialog box to configure a custom UDP Service element.
Option | Definition |
---|---|
General tab | |
Protocol | Displays the Service protocol. |
Name | Specifies the Service name. |
Comment | An optional comment for your own reference. |
Dst. Ports (Optional) | Specifies the destination port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. (Either source or destination port is mandatory.) |
Src. Ports (Optional) | Specifies the source port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. (Either source or destination port is mandatory.) |
Protocol | Shows the assigned protocol. Click Select to select a Protocol Agent. |
Category | Shows the assigned category. Click Select to include the element in predefined categories. |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is DNS or SSM DNS Proxy (UDP) | |
Enforce DNS protocol usage | |
Deny DDNS updates | |
Deny DNS zone transfers | |
Enforce Google SafeSearch | |
Enforce strict Bing SafeSearch | |
Enforce strict DuckDuckGo SafeSearch | |
Enable YouTube Safesearch | Select the safesearch mode from the drop-down list: |
DNS Sinkholing |
Specify the domain name or URL list in the Domain Names column, and the response value (NXDOMAIN, an IPv4 address, or an IPv6 address) in the Response column. If the Response column is left empty, no sinkholing action is performed. When the engine detects a DNS request that matches an entry in the Domain Names column, the request is allowed, blocked, or answered with the specified IP address, according to the response value. To add a domain name or URL list to the DNS Sinkholing table, do the following:
To remove a domain name or URL list from the DNS Sinkholing table, do the following:
Like Access rules, the rows in the DNS Sinkholing table are processed in order from top to bottom. Rows that must match traffic first must therefore be placed above the other rows in the table. To move a row up or down in the DNS Sinkholing table, select the row and click Up or Down. Note: |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is NetBIOS | |
Make corresponding NAT modifications to payload | |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is Protocol Identification | |
SSL/TLS decryption and inspection | Controls whether to decrypt SSL/TLS encryption. |
HTTPS Inspection Exceptions | Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption. Click Select to select an HTTPS Inspection Exceptions element. |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is SIP | |
Allow Related Connections (Engine only) | |
Enforce client side media | |
Enforce server side media | |
Maximum number of calls | The maximum number of calls allowed by the Access rule. If the value is 0, no limit is set for the number of calls. |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is SunRPC | |
Learn RPC program number to port mapping for future RPC service matches | When selected, Protocol Agent is enabled. |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is TFTP or SSM TFTP Proxy | |
Allow Related Connections | |
Allow read | |
Allow write | |
Log filename and paths | |
Option | Definition |
---|---|
Reset | Discards the changes and reverts to the previously saved default settings. |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is QUIC | |
Discard QUIC if inspection not possible | |
TCP Service Properties dialog box
Use this dialog box to configure a custom TCP Service element.
Option | Definition |
---|---|
General tab | |
Protocol | Displays the protocol. |
Name | The name of the element. |
Comment (Optional) | A comment for your own reference. |
Dst. Ports (Optional) | Specifies the destination port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. (Either source or destination port is mandatory.) |
Src. Ports (Optional) | Specifies the source port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. (Either source or destination port is mandatory.) |
Protocol | Shows the assigned protocol. Click Select to select a Protocol Agent. |
Category (Optional) | Includes the element in predefined categories. Click Select to select a category. |
Option | Definition |
---|---|
Protocol Parameters tab, common options | |
Reset | Discards the changes and reverts to the previously saved default settings. Not available for all protocols. |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is DNS or SSM DNS Proxy (TCP) | |
Enforce DNS protocol usage | |
Deny DDNS updates | |
Deny DNS zone transfers | |
Enforce Google SafeSearch | |
Enforce strict Bing SafeSearch | |
Enforce strict DuckDuckGo SafeSearch | |
Enable YouTube Safesearch | Select the safesearch mode from the drop-down list: |
DNS Sinkholing |
Specify the domain name or URL list in the Domain Names column, and the response value (NXDOMAIN, an IPv4 address, or an IPv6 address) in the Response column. If the Response column is left empty, no sinkholing action is performed. When the engine detects a DNS request that matches an entry in the Domain Names column, the request is allowed, blocked, or answered with the specified IP address, according to the response value. To add a domain name or URL list to the DNS Sinkholing table, do the following:
To remove a domain name or URL list from the DNS Sinkholing table, do the following:
Like Access rules, the rows in the DNS Sinkholing table are processed in order from top to bottom. Rows that must match traffic first must therefore be placed above the other rows in the table. To move a row up or down in the DNS Sinkholing table, select the row and click Up or Down. Note: |
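The DNS Sinkholing table described above (for both the UDP and the TCP DNS Protocol Parameters) is an ordered, first-match table: an empty Response means no action, NXDOMAIN produces a negative answer, and an IPv4 or IPv6 address produces a synthesized answer, so an exception row must sit above the broader row it carves out of. The following Python is an added example of that evaluation order; it is not product code. That a Domain Names entry also matches its subdomains is a constructed assumption, and the table rows, query names and the 192.0.2.1 / 2001:db8::1 sinkhole addresses are constructed sample data.

```python
"""DNS Sinkholing table evaluation, top to bottom, first match wins (added example)."""
import ipaddress
from typing import List, Optional, Sequence, Tuple

# One table row: a list of domain names and the Response cell (None = left empty).
Row = Tuple[Sequence[str], Optional[str]]


def _name_matches(pattern: str, qname: str) -> bool:
    """Constructed matching rule: the name itself or any subdomain of it, case-insensitive."""
    p = pattern.lower().rstrip(".")
    q = qname.lower().rstrip(".")
    return q == p or q.endswith("." + p)


def classify_response(value: Optional[str]) -> Tuple[str, Optional[str]]:
    """Map a Response cell to (action, data): none, nxdomain, a (IPv4) or aaaa (IPv6)."""
    if value is None or value.strip() == "":
        return ("none", None)
    if value.strip().upper() == "NXDOMAIN":
        return ("nxdomain", None)
    addr = ipaddress.ip_address(value.strip())   # a malformed cell raises ValueError here
    return ("a" if addr.version == 4 else "aaaa", str(addr))


def sinkhole_lookup(table: Sequence[Row], qname: str) -> Tuple[Optional[int], str, Optional[str]]:
    """Return (row index, action, data) for the first matching row, or (None, 'none', None)."""
    for index, (names, response) in enumerate(table):
        if any(_name_matches(n, qname) for n in names):
            action, data = classify_response(response)
            return (index, action, data)
    return (None, "none", None)


def move_row(table: Sequence[Row], index: int, up: bool) -> List[Row]:
    """Return a copy of the table with one row moved up or down, like the Up/Down buttons."""
    rows = list(table)
    target = index - 1 if up else index + 1
    if 0 <= target < len(rows):
        rows[index], rows[target] = rows[target], rows[index]
    return rows


def apply_to_queries(table: Sequence[Row], qnames: Sequence[str]) -> List[Tuple[str, str]]:
    """Evaluate a batch of query names and return (qname, action) pairs."""
    return [(q, sinkhole_lookup(table, q)[1]) for q in qnames]


# Constructed sample table. Row 0 is an exception: it must stay above the example.net row.
SINKHOLE_TABLE: List[Row] = [
    (["mail.example.net"], None),                                # Response empty: no action
    (["example.net"], "NXDOMAIN"),                               # negative answer for the zone
    (["ads.example.org", "tracker.example.org"], "192.0.2.1"),   # constructed IPv4 sinkhole
    (["v6.example.org"], "2001:db8::1"),                         # constructed IPv6 sinkhole
]

if __name__ == "__main__":
    for q, action in apply_to_queries(SINKHOLE_TABLE, ["mail.example.net", "www.example.net", "example.com"]):
        print(q, action)
```

Moving the exception row below the zone row changes the result for mail.example.net from no action to NXDOMAIN, which is the ordering effect the text above warns about.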
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is FTP or SSM FTP Proxy | |
Allow related connections | |
Allow active mode | |
Allow passive mode | |
Control data inspection mode (Engine only) | |
Highest allowed source port for Active data connection or Lowest allowed source port for Active data connection (Engine only) | Enter a port value to limit the range of allowed source ports for active data connections on the server. The value 0 for the lowest port means that the server always uses the port number immediately preceding the destination port. If the server uses a standard port, both the lowest and highest port numbers must be 0. |
Redirect to Proxy Server (Engine only) | Select the Proxy Server to which the connections are redirected. Note: The recommended method for forwarding traffic to a proxy service is to use Access rules. (Optional) Specify the IP Address Translation Range (IPv4 only) and the Port Translation Range for the redirection. To specify a single IP address, enter the same IP address in both fields. Note: This option is not supported for SSM Proxies. |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is HTTP or HTTPS | |
Logging of Accessed URLs | |
Optimized server stream fingerprinting | |
Enforce Google SafeSearch | |
HTTPS decryption and inspection (HTTPS only) | Controls whether to decrypt HTTPS traffic. |
HTTPS Inspection Exceptions (HTTPS only) | Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption. Click Select to select an HTTPS Inspection Exceptions element. |
Strip QUIC support from server replies (Engine only) | Specifies the following options: Note: For HTTPS, stripping can be done only if HTTPS is being decrypted with TLS Inspection. |
Redirect to Proxy Server (Engine only) | Select the Proxy Server to which the connections are redirected. Note: The recommended method for forwarding traffic to a proxy service is to use Access rules. (Optional) Specify the IP Address Translation Range (IPv4 only) and the Port Translation Range for the redirection. To specify a single IP address, enter the same IP address in both fields. Note: This option is not supported for SSM Proxies. |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is HTTP with SSM HTTP Proxy | |
Logging of Accessed URLs | |
Optimized server stream fingerprinting | |
Redirect to Proxy Server | This option is not supported for SSM Proxies. |
Enforce Google SafeSearch |
|
Enforce Strict Headers | When selected, the proxy blocks HTTP requests and responses that do not comply with the HTTP protocol standards. |
Log URLs | When selected, the proxy logs the URLs in HTTP requests. |
Request Validation | When selected, the proxy validates HTTP requests. Selecting this option enables options in the following sections: |
URL Control Options section | Specifies options for validation of URLs. |
Disallow Unicode in URL Paths | When selected, Unicode-encoded text is not allowed in URL paths. |
Disallow Unicode URL Queries | When selected, Unicode-encoded text is not allowed in query strings in URLs. |
Enforce Strict URL Paths | When selected, the proxy blocks URL paths that contain characters that are not allowed by the HTTP protocol standards. |
Enforce Strict URL Queries | When selected, the proxy blocks queries that contain characters that are not allowed by the HTTP protocol standards. |
URL Normalization Validation | Specifies how URL normalization is applied to HTTP requests. |
Maximum URL Length | Specifies the maximum number of characters allowed in URLs. |
Require HTTP Version | When selected, the proxy requires the HTTP request to include an HTTP version string. Selecting this option enables the following options: |
Allow HTTP version 1.0 | When selected, the proxy allows HTTP requests that specify HTTP version 1.0 as the version string. |
Allow HTTP version 1.1 | When selected, the proxy allows HTTP requests that specify HTTP version 1.1 as the version string. |
URL Matches section | Specifies rules for allowing or denying matching URLs. |
Allow or Deny Specified URL Matches | Specifies whether matching URLs are allowed or denied. |
URL Match List | Specifies the criteria for matching URLs. |
Match Type | Specifies how the proxy matches the match criteria in the URL. |
Match Parameter | Specifies the part of the URL where the proxy checks for the match criteria. |
URL | The matching criteria for the URL. |
Add | Adds a row to the table. |
Remove | Removes the selected row from the table. |
Commands section | Specifies the commands that the proxy allows in HTTP requests. |
Allowed HTTP Commands | |
Content Control | Specifies options for allowing or denying content in HTTP requests. |
Deny SOAP | When selected, the proxy denies the use of simple object access protocol (SOAP) in HTTP requests. |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is HTTP with SSM TCP Proxy or HTTPS with SSM TCP Proxy | |
Logging of Accessed URLs | |
Optimized server stream fingerprinting | |
Redirect to Proxy Server (Engine only) | Select the Proxy Server to which the connections are redirected. Note: The recommended method for forwarding traffic to a proxy service is to use Access rules. (Optional) Specify the IP Address Translation Range (IPv4 only) and the Port Translation Range for the redirection. To specify a single IP address, enter the same IP address in both fields. Note: This option is not supported for SSM Proxies. |
Enforce Google SafeSearch | |
HTTPS decryption and inspection (HTTPS only) | Controls whether to decrypt HTTPS traffic. |
HTTPS Inspection Exceptions (HTTPS only) | Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption. Click Select to select an HTTPS Inspection Exceptions element. |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is H.323 | |
Allow related connections | |
Allow special logical channels through (No NAT) | |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is IMAPS | |
IMAPS decryption and inspection | Controls whether to decrypt SSL/TLS encryption. |
IMAPS Inspection Exceptions | Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption. Click Select to select an HTTPS Inspection Exceptions element. |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is MSRPC | |
Allow related connections | |
Allow MS Exchange Remote administration service | |
Allow MS Exchange user services | |
Allow any UUID in endpoint mapping | |
Allow other RPC traffic | |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is Oracle | |
Allow related connections | |
Max. length allowed for one TNS packet | Enter the maximum amount of TCP payload data that each Oracle TNS packet is allowed to carry. |
Netmask for allowed server addresses | Enter a netmask for limiting the allowed traffic. The value 255.255.255.255 allows database connections only to the address at which the Oracle Listener service is located. The value 0.0.0.0 allows database connections to all addresses. |
Set checksum to zero for modified TNS packets | |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is POP3S | |
POP3S decryption and inspection | Controls whether to decrypt SSL/TLS encryption. |
POP3S Inspection Exceptions | Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption. Click Select to select an HTTPS Inspection Exceptions element. |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is Protocol Identification | |
SSL/TLS decryption and inspection | Controls whether to decrypt SSL/TLS encryption. |
HTTPS Inspection Exceptions | Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption. |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is RTSP | |
Allow related connections | |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is Shell | |
Allow related connections | |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is SIP | |
Allow related connections (Engine only) | |
Enforce client side media | |
Enforce server side media | |
Maximum number of calls | The maximum number of calls allowed by the Access rule. If the value is 0, no limit is set for the number of calls. |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is SMTP | |
Redirect to Proxy Server (Engine only) | Select the Proxy Server to which the connections are redirected. Note: The recommended method for forwarding traffic to a proxy service is to use Access rules. (Optional) Specify the IP Address Translation Range (IPv4 only) and the Port Translation Range for the redirection. To specify a single IP address, enter the same IP address in both fields. Note: This option is not supported for SSM Proxies. |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is SSH or SSH with SSM TCP Proxy | |
Make protocol validation | |
Bytes allowed from client before Server ID | Amount of data that the client is allowed to send to the server before the server sends its own identification string. |
Bytes allowed from server before Client ID | Amount of data that the server can send to the client before the client sends its own identification string. |
Bytes allowed from server before Server ID | Amount of data that the server can send to the client before the server sends its own identification string. |
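The three byte limits above bound how much each side may send before the identification strings appear, which is what makes a non-SSH payload on an SSH port stand out early in the stream. The following Python is an added example of that accounting over a reconstructed stream; it is not product code and does not reflect how the engine implements the check. The limit values, the sample banners and the rule that an identification string is a line beginning with `SSH-` are constructed assumptions; a violated limit is only recorded by name.

```python
"""Pre-identification byte accounting for SSH (added example, not SMC code)."""
from typing import Dict, List, Sequence, Tuple


def id_string_offset(buf: bytes) -> int:
    """Offset of an identification string ('SSH-' at the start of a line), or -1 if none yet."""
    if buf.startswith(b"SSH-"):
        return 0
    i = buf.find(b"\nSSH-")
    return -1 if i < 0 else i + 1


class SSHPreIDMonitor:
    """Feed stream segments with direction 'c2s' or 's2c'; violated limits accumulate by name."""

    def __init__(self, client_before_server_id: int, server_before_client_id: int,
                 server_before_server_id: int) -> None:
        self.limits = {
            "client_before_server_id": client_before_server_id,
            "server_before_client_id": server_before_client_id,
            "server_before_server_id": server_before_server_id,
        }
        self.buf: Dict[str, bytes] = {"c2s": b"", "s2c": b""}      # data seen before own ID
        self.total: Dict[str, int] = {"c2s": 0, "s2c": 0}          # all bytes per direction
        self.id_seen: Dict[str, bool] = {"c2s": False, "s2c": False}
        self.violations: List[str] = []

    def _check(self, name: str, observed: int) -> None:
        if observed > self.limits[name] and name not in self.violations:
            self.violations.append(name)

    def feed(self, direction: str, data: bytes) -> List[str]:
        if direction not in self.buf:
            raise ValueError("direction must be 'c2s' or 's2c'")
        if not self.id_seen[direction]:
            self.buf[direction] += data
            offset = id_string_offset(self.buf[direction])
            if offset >= 0:
                self.id_seen[direction] = True
                own_pre_id = offset                 # bytes before this side's own ID string
            else:
                own_pre_id = len(self.buf[direction])
            if direction == "s2c":
                self._check("server_before_server_id", own_pre_id)
        self.total[direction] += len(data)
        # Cross-direction limits apply only while the other side's ID string is still missing.
        if not self.id_seen["s2c"]:
            self._check("client_before_server_id", self.total["c2s"])
        if not self.id_seen["c2s"]:
            self._check("server_before_client_id", self.total["s2c"])
        return self.violations


def run_exchange(limits: Tuple[int, int, int], segments: Sequence[Tuple[str, bytes]]) -> List[str]:
    """Replay constructed (direction, bytes) segments and return the violated limit names."""
    monitor = SSHPreIDMonitor(*limits)
    for direction, data in segments:
        monitor.feed(direction, data)
    return monitor.violations


LIMITS = (64, 256, 128)   # constructed values, not product defaults
SERVER_ID = b"SSH-2.0-ExampleServer_1.0\r\n"
CLIENT_ID = b"SSH-2.0-ExampleClient_1.0\r\n"

NORMAL = [                        # one pre-banner text line, which RFC 4253 permits
    ("s2c", b"Welcome to the constructed test host\r\n"),
    ("s2c", SERVER_ID),
    ("c2s", CLIENT_ID),
]
CLIENT_TALKS_FIRST = [            # 100 client bytes before any server ID string
    ("c2s", b"A" * 98 + b"\r\n"),
    ("s2c", SERVER_ID),
    ("c2s", CLIENT_ID),
]
SERVER_CHATTY = [                 # 202 bytes of server text before its own ID string
    ("s2c", b"B" * 200 + b"\r\n"),
    ("s2c", SERVER_ID),
    ("c2s", CLIENT_ID),
]

if __name__ == "__main__":
    for label, segs in (("normal", NORMAL), ("client first", CLIENT_TALKS_FIRST), ("server chatty", SERVER_CHATTY)):
        print(label, run_exchange(LIMITS, segs))
```

The normal exchange stays within all three limits, the client that sends 100 bytes before the server has identified itself exceeds the first limit, and the server that sends 202 bytes before its own banner exceeds the third; the server's pre-banner text counts toward the second limit as well, which is why that limit is set higher in the sample.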
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is SunRPC | |
Learn RPC program number to port mapping for future RPC service matches | When selected, Protocol Agent is enabled. |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is TCP Proxy | |
Abort on close | Timeout in seconds for aborting a connection, counted from the moment one of the communicating parties initiates closing of the connection. The connection is aborted by sending TCP Reset packets to the unresponsive endpoint. Setting this value to 0 disables this timeout (connections are left open). |
Idle timeout | Timeout in seconds for closing a connection after the latest transmission. Setting this value to 0 disables this timeout (connections are left open). |
Use proxy | |
IP-proto Service Properties dialog box
Use this dialog box to configure a custom IP-proto Service element.
Option | Definition |
---|---|
General tab | |
Protocol | Displays the Service protocol. |
Name | Specifies the Service name. |
Comment | An optional comment for your own reference. |
Protocol Number | Specifies the Service protocol number. |
Protocol | Shows the assigned protocol. |
Select | Opens the Protocol Agent dialog box. |
Category | Shows the assigned category. |
Select | Opens the Category Selection for New Element dialog box. |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is GRE | |
Apply Tunnel Rematch | |
Tunnel IPv4 protocol | |
Tunnel IPv6 protocol | |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is IPv4 Encapsulation | |
Apply Tunnel Rematch | |
Next Ethernet Type | For information only. Shows the Ethernet frame type used for examining the encapsulated packet. |
Option | Definition |
---|---|
Protocol Parameters tab, when Protocol is IPv6 Encapsulation | |
Apply Tunnel Rematch | |
Next Ethernet Type | For information only. Shows the Ethernet frame type used for examining the encapsulated packet. |
Option | Definition |
---|---|
Reset | Discards the changes and reverts to the previously saved default settings. |
SUN-RPC Service Properties dialog box
Use this dialog box to define the properties of a SUN-RPC Service.
Option | Definition |
---|---|
Protocol | Displays the Service protocol. |
Name | Specifies the Service name. |
Comment | An optional comment for your own reference. |
Program Number | Specifies the program number. |
Version (Optional) | Specifies the remote program version number. If you do not enter a program version, the element matches traffic of any version. |
TCP Traffic Allowed (Optional) | Allows the RPC message when transported over TCP. |
UDP Traffic Allowed (Optional) | Allows the RPC message when transported over UDP. |
Category | Shows the assigned category. |
Select | Opens the Category Selection for New Element dialog box. |
ICMP Service Properties dialog box
Use this dialog box to configure an ICMP Service.
Option | Definition |
---|---|
Protocol | Displays the Service protocol. |
Name | Specifies the Service name. |
Comment | An optional comment for your own reference. |
Type | Specifies the ICMP type number that the traffic uses. |
Code (Optional) | Specifies the ICMP code that the traffic uses. If the Code field is empty, the Service matches traffic regardless of the ICMP code. If you enter 0 as the code, the Service matches only packets that contain no ICMP code. |
Category | Shows the assigned category. |
Select | Opens the Category Selection for New Element dialog box. |
ICMPv6 Service Properties dialog box
Use this dialog box to define the properties of an ICMPv6 Service.
Option | Definition |
---|---|
Protocol | Displays the Service protocol. |
Name | Specifies the Service name. |
Comment | An optional comment for your own reference. |
Type | Specifies the ICMP type number that the traffic uses. |
Code (Optional) | Specifies the ICMP code that the traffic uses. If the Code field is empty, the Service matches traffic regardless of the ICMP code. If you enter 0 as the code, the Service matches only packets that contain no ICMP code. |
Category | Shows the assigned category. |
Select | Opens the Category Selection for New Element dialog box. |