FortiGate
Article Id 192672

Description

This article describes how to configure a 'custom service' in FortiOS.

In Fortinet terminology, a Custom Service is a user-defined service that does not already exist among the predefined services. A service can be thought of as a traffic type: it includes the protocol (TCP, UDP or ICMP, for example) as well as the logical destination ports.

This article describes the steps required to configure a new 'custom' service, including the destination port and the transport-layer protocol used (TCP, UDP).

In this example, the new service will be called 'My Service'.


Scope

Applies to FortiGate in NAT mode or Transparent mode.


Solution

To create a custom service using the FortiGate GUI:

  1. Go to Policy & Objects -> Services.
  2. Select Create New.
  3. Enter a name for the service, choose a Category (if desired), and select a Protocol Type. In this example, TCP/UDP/SCTP is selected.
  4. Define the IP Range or FQDN. This setting restricts the destination IP range or FQDN and is optional.
  5. Select TCP, UDP, or SCTP from Protocol.
  6. Enter the destination ports as the ports for the service.
  7. Leave the source ports unspecified or set them to 1-65535. Restricting the source ports is a very common mistake: clients connect from random ephemeral source ports, so a service that restricts them will not match their traffic.
  8. Select OK.
  9. With the custom service created, it can now be selected as the service in a firewall policy.

Note that in FortiOS, a custom service can also be created while creating a new policy, by using the 'Create' option when selecting a service for the policy.


Testing.

Pass the traffic through the FortiGate unit and check the session table from the 'FortiView Sessions' page. If the custom service is not properly configured or is not applied to a Firewall Policy, the corresponding traffic might be blocked or match the wrong Firewall Policy. The procedure is as follows:

Go to Dashboard -> FortiView Sessions. Set up a filter based on the port.

Make sure the Policy column shows the correct Firewall Policy. It is useful to confirm that this traffic hits the correct Firewall Policy by checking its ID.

 

To create a custom service using the CLI, enter the following commands:

config firewall service custom
    edit <name>
        set protocol {TCP/UDP/SCTP | ICMP | ICMP6 | IP}
        set tcp-portrange <destination port range>
        set udp-portrange <destination port range>
    next
end

For example, to create 'My Service' matching all TCP and UDP destination ports:

config firewall service custom
    edit "My Service"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 1-65535
        set udp-portrange 1-65535
    next
end
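As an added example (not from the original article), the CLI form of the source-port mistake from step 7 beside the corrected service, followed by the policy that uses it and the session check from the Testing section. The destination port 8443, the interfaces port1/port2 and the policy ID 10 are assumed values chosen for the example.

```text
# Added example, not from the original article. Constructed values:
# destination port 8443, port2 = LAN, port1 = WAN, policy ID 10.

# WRONG: tcp-portrange uses <dst>:<src> syntax, so this entry also
# restricts the SOURCE port to 8443. Clients connect from random
# ephemeral source ports, so this service never matches their traffic.
config firewall service custom
    edit "My Service"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 8443:8443
    next
end

# CORRECT: destination port only; source ports are left unrestricted.
config firewall service custom
    edit "My Service"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 8443
    next
end

# Reference the service in the policy that should carry the traffic.
config firewall policy
    edit 10
        set name "allow-my-service"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "My Service"
        set nat enable
    next
end

# Verify: pass traffic, then confirm the session landed on policy 10
# (the CLI equivalent of the FortiView Sessions check above).
diagnose sys session filter clear
diagnose sys session filter dport 8443
diagnose sys session list
# In the listed session, the policy_id= field should read 10; any other
# value means the traffic matched a different policy.
```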


Activation.

Once the service is created, apply it to a firewall policy for it to take effect.

If the custom service is not properly configured, traffic will not pass, or will match the wrong Firewall Policy.