Getting started with Service elements

Service elements specify a network protocol, as well as source or destination ports for TCP and UDP traffic.

You can use Service elements to match rules to traffic in Ethernet rules (Ethernet Services), Access rules, and NAT rules.

Services can refer to Protocol elements, which activate further inspection checks and advanced traffic handling. Some Protocol elements have additional options that you can set in the Service element’s properties.

Most of the time, you can use the default Service elements to represent standard protocols and ports. For example, you can enforce safe search features on the NGFW Engine by using predefined Services elements in Access rules. However, you might need to create a custom Service in the following cases:
  • If none of the default Service elements match the type of traffic you want to allow, for example, if some TCP or UDP service in your network uses a non-standard port.
  • If you want to set options for advanced traffic handling, for example:
    • Access rules that disallow the use of either the active or passive FTP connection mode
    • Firewall Access rules for redirection to proxy services
    • Firewall Access rules and Firewall NAT rules for protocols that assign ports dynamically inside the packet payload

Figure: Elements in the Services configuration

The configuration of Service elements consists of the following general steps:
  1. Create a Service element that matches the correct protocol number and port number (if applicable).
  2. (Optional) Select one of the default Protocol elements if you want the traffic to be inspected further or if you want to use a Protocol Agent.
  3. (Optional) Add the Service to a Service Group to make it easier to insert several related Services into configurations.