Chapter 18: Advanced features: Internet Shield
18.4 Adding new services
Service, short for network service, means a service that is available on the network, e.g. file sharing, remote console access, or web browsing.
Services are most often described by what protocol and port they use.
18.4.1 Creating a new Internet service based on the default HTTP
In this example, it is assumed that there is a web server running on a computer, and the web server is configured to use a non-standard web port.
Normally a web server would serve TCP/IP port 80, but in this example it has been configured to serve port 8000. To enable connections to this server from the workstations you will have to create a new service. The standard HTTP service does not work here because we are no longer using the standard HTTP port. This new service is HTTP port 8000 and it is based on the default HTTP service.
1. Select the subdomain for which you want to create the new service in the Policy domains tab.
2. Go to the Settings tab and open the Firewall services page. This page contains the Firewall services table.
3. Click the Add button to start the Firewall services wizard.
4. Enter a service name:
a) Define a unique name for the service in the Service name field; you cannot have two services with the same name.
For example, HTTP port 8000.
b) Enter a descriptive comment for the service in the Service comment field. The comment will be displayed on the Firewall services table.
5. Select an IP protocol number:
a) Select a protocol number for this service from the Protocol drop-down list.
It contains the most commonly used protocols (TCP, UDP, ICMP). If your service uses any other protocol, refer to the table below and enter the respective number.
In this example, select TCP (6) from the IP-protocol number drop-down list.
Full name                                      Protocol number   Protocol name
Internet Control Message Protocol              1                 ICMP
Internet Group Management Protocol             2                 IGMP
IPIP Tunnels (IP in IP)                        4                 IPIP
Transmission Control Protocol                  6                 TCP
Exterior Gateway Protocol                      8                 EGP
Xerox PUP routing protocol                     12                PUP
User Datagram Protocol                         17                UDP
Xerox NS Internet Datagram Protocol            22                IDP
IP Version 6 encapsulation in IP version 4     41                IPV6
Resource Reservation Protocol                  46                RSVP
Cisco Generic Routing Encapsulation (GRE) Tunnel 47              GRE
Encapsulation Security Payload protocol        50                ESP
Authentication Header protocol                 51                AH
Protocol Independent Multicast                 103               PIM
Compression Header protocol                    108               COMP
Raw IP packets                                 255               RAW
6. Select the initiator ports:
If your service uses the TCP or UDP protocol, you need to define the initiator ports the service covers. The format for entering the ports and port ranges is as follows:
• >port: all ports higher than port
• >=port: all ports equal to and higher than port
• <port: all ports lower than port
• <=port: all ports equal to and lower than port
• port: only the port
• minport-maxport: minport and maxport plus all ports between them (notice that there are no spaces on either side of the dash).
You can define comma-separated combinations of these items. For example, ports 10, 11, 12, 100, 101, 200 and over 1023 can be defined as 10-12, 100-101, 200, >1023.
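The port-specification syntax above is compact, and a small parser makes its rules and edge cases explicit. The following is an added Python example, not code from the product or this manual; it assumes valid ports are 0-65535, tolerates whitespace only after commas (never around the dash of a range), and checks the HTTP port 8000 service from this chapter with an assumed initiator specification of >1023.

```python
import operator
import re
PORT_MAX = 65535  # assumption: valid TCP/UDP ports are 0-65535
_ITEM = re.compile(r"^(>=|<=|>|<)?(\d+)$")  # port, >port, >=port, <port, <=port
_RANGE = re.compile(r"^(\d+)-(\d+)$")       # minport-maxport, no spaces around the dash
_OPS = {None: operator.eq, ">": operator.gt, ">=": operator.ge,
        "<": operator.lt, "<=": operator.le}

def _port(text: str) -> int:
    value = int(text)
    if value > PORT_MAX:
        raise ValueError(f"port {value} is out of range 0-{PORT_MAX}")
    return value

def parse_port_spec(spec: str) -> list:
    """Parse a comma-separated port specification into matcher functions.
    Whitespace after a comma is tolerated; whitespace around a range dash is not."""
    matchers = []
    for raw in spec.split(","):
        item = raw.strip()
        m = _RANGE.match(item)
        if m:
            lo, hi = _port(m.group(1)), _port(m.group(2))
            if lo > hi:
                raise ValueError(f"range {item!r}: minport is greater than maxport")
            matchers.append(lambda p, lo=lo, hi=hi: lo <= p <= hi)
            continue
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"invalid port item: {raw!r}")
        op, n = m.group(1), _port(m.group(2))
        matchers.append(lambda p, f=_OPS[op], n=n: f(p, n))
    return matchers

def is_valid_port_spec(spec: str) -> bool:
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False

def port_matches(spec: str, port: int) -> bool:
    return any(f(port) for f in parse_port_spec(spec))

# A service as the wizard defines it: IP protocol number, initiator spec, responder spec.
def service_matches(protocol: int, initiator: str, responder: str,
                    pkt_proto: int, src_port: int, dst_port: int) -> bool:
    return (pkt_proto == protocol and port_matches(initiator, src_port)
            and port_matches(responder, dst_port))
```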
7. Select responder ports:
If your service uses the TCP or UDP protocol, you need to define the responder ports the service covers.
In this example, define the responder port as 8000.
8. Select a classification number for the service from the drop-down list. You can accept the default value.
9. Select whether any extra filtering is to be applied to the traffic allowed by the service you are creating, in addition to the normal packet and stateful filtering.
In this example you can accept the default, Disabled.
Note: When the service uses the TCP protocol, and you do not have application control enabled, you can select Active mode FTP from the Extra filtering drop-down menu. Active mode FTP requires special handling from the firewall, as the information about the port that should be opened for the connection is included in the transferred data.
10. You can review your rule now.
If you need to make any changes to the rule, click Back to step back through the rule.
11. Click Finish to close the rule wizard.
The rule you just created is now displayed on the Firewall rules table.
12. Take the new rule into use:
To take this new service into use you will have to create a new Internet Shield rule that allows the use of the HTTP 8000 firewall service in the currently used Internet Shield security level. In this case you can select the new service on the Rule wizard > Service page and you do not have to define any alerts on the Rule Wizard > Advanced options page.
Troubleshooting
This section contains troubleshooting information and frequently asked questions about Policy Manager. If you encounter problems when using the product, you can find possible solutions in this section.
Topics:
• Policy Manager Server and Policy Manager Console
• Policy Manager Web Reporting