Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sjweinstein
New Contributor

Using CLI to create service objects

I am starting to use CLI more and have this script to create a service object, but it seems to override each set command and only the last TCP and UDP are applied. What am I doing wrong?


config firewall service custom
    edit WINDOWS_AD_SERVICES
        set category "Network Services"
        set protocol TCP/UDP/SCTP
        set udp-portrange 53
        set tcp-portrange 53
        set udp-portrange 88
        set tcp-portrange 88
        set udp-portrange 123
        set tcp-portrange 135
        set udp-portrange 137
        set udp-portrange 138
        set tcp-portrange 139
        set udp-portrange 389
        set tcp-portrange 389
        set tcp-portrange 445
        set udp-portrange 464
        set tcp-portrange 464
        set tcp-portrange 636
        set tcp-portrange 3268 3269
        set tcp-portrange 49152 65535
        set tcp-portrange 1024 5000
    next
end


result

XXXXXXXXX (custom) # get WINDOWS_AD_SERVICES
name                : WINDOWS_AD_SERVICES
proxy               : disable
category            : Network Services
protocol            : TCP/UDP/SCTP
helper              : auto
check-reset-range   : default
comment             : Windows Active Directory
color               : 0
visibility          : enable
iprange             :
fqdn                :
tcp-portrange       : 1024 5000
udp-portrange       : 464
sctp-portrange      :
tcp-halfclose-timer : 0
tcp-halfopen-timer  : 0
tcp-timewait-timer  : 0
udp-idle-timer      : 0
session-ttl         : 0


stuart_weinstein@baxter.com
lobstercreed
Valued Contributor

Hey Stuart,


With most CLI objects (address or service groups for example), the proper syntax is to use "append" instead of "set", but it seems that is not the case when defining a firewall service.  You need all of your ports on one line, like set udp-portrange 53 88 123 137 ... and so on...


This isn't necessarily the most practical, and obviously there are many discrete services you're referencing here (DNS, NTP, KERBEROS, etc). What I would do instead is define your various custom services (or use default ones where applicable) and create a service group instead that combines all the ones you want.


Hope that points you in the right direction.  - Daniel
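The behaviour Daniel describes, as an added example that is not part of the original thread or any Fortinet code: a small replay of the question's script with last-write-wins semantics for repeated `set` lines (which reproduces the `tcp-portrange 1024 5000` / `udp-portrange 464` result shown above), followed by a generator for the corrected form, one `set <proto>-portrange` line per protocol holding all entries, wrapped in a service group. The per-service names (AD-DNS, AD-KERBEROS, ...) and the way the ports are grouped are assumptions chosen for illustration, and the two high port pairs are rendered as hyphenated ranges on the assumption that ranges were intended; check both against your own environment and against Fortinet's predefined service objects before use.

```python
"""Constructed example (not from the forum post or Fortinet): shows why repeated
`set` lines inside one `edit` block keep only the last value, and renders the
corrected FortiOS CLI (all ports on one line per protocol, plus a service group)."""
import shlex

# The original poster's script, reflowed one command per line (constructed copy).
ORIGINAL_SCRIPT = """
config firewall service custom
    edit WINDOWS_AD_SERVICES
        set category "Network Services"
        set protocol TCP/UDP/SCTP
        set udp-portrange 53
        set tcp-portrange 53
        set udp-portrange 88
        set tcp-portrange 88
        set udp-portrange 123
        set tcp-portrange 135
        set udp-portrange 137
        set udp-portrange 138
        set tcp-portrange 139
        set udp-portrange 389
        set tcp-portrange 389
        set tcp-portrange 445
        set udp-portrange 464
        set tcp-portrange 464
        set tcp-portrange 636
        set tcp-portrange 3268 3269
        set tcp-portrange 49152 65535
        set tcp-portrange 1024 5000
    next
end
"""

# Assumed split of the AD ports into discrete services (hypothetical names;
# high ports treated as ranges, which the question's script did not do).
AD_SERVICES = {
    "AD-DNS":      {"tcp": ["53"], "udp": ["53"]},
    "AD-KERBEROS": {"tcp": ["88", "464"], "udp": ["88", "464"]},
    "AD-NTP":      {"udp": ["123"]},
    "AD-RPC":      {"tcp": ["135", "49152-65535", "1024-5000"]},
    "AD-NETBIOS":  {"tcp": ["139"], "udp": ["137", "138"]},
    "AD-LDAP":     {"tcp": ["389", "636", "3268", "3269"], "udp": ["389"]},
    "AD-SMB":      {"tcp": ["445"]},
}


def replay_blocks(script: str) -> dict:
    """Split a CLI script into edit blocks and replay each block's `set` lines
    with last-write-wins semantics, the way the device applies them.
    Returns {edit_name: {"final": {attr: value}, "overridden": [(attr, old)]}}."""
    blocks, current = {}, None
    for raw in script.splitlines():
        parts = shlex.split(raw)           # honours quoted values like "Network Services"
        if not parts:
            continue
        if parts[0] == "edit" and len(parts) > 1:
            current = parts[1]
            blocks[current] = {"final": {}, "overridden": []}
        elif parts[0] == "set" and current is not None and len(parts) >= 3:
            attr, value = parts[1], " ".join(parts[2:])
            block = blocks[current]
            if attr in block["final"]:     # a second `set` of the same attribute replaces the first
                block["overridden"].append((attr, block["final"][attr]))
            block["final"][attr] = value
        elif parts[0] == "next":
            current = None
    return blocks


def render_services(services: dict, group_name: str) -> str:
    """Render discrete custom services (one portrange line per protocol) and a
    service group that combines them, using FortiOS CLI syntax."""
    lines = ["config firewall service custom"]
    for name, ports in services.items():
        lines += [f'    edit "{name}"', '        set category "Network Services"']
        for proto in ("tcp", "udp"):
            if ports.get(proto):
                lines.append(f"        set {proto}-portrange {' '.join(ports[proto])}")
        lines.append("    next")
    lines += ["end", "config firewall service group", f'    edit "{group_name}"']
    lines.append("        set member " + " ".join(f'"{n}"' for n in services))
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    broken = replay_blocks(ORIGINAL_SCRIPT)["WINDOWS_AD_SERVICES"]
    print("values the device keeps:", broken["final"]["tcp-portrange"], "/", broken["final"]["udp-portrange"])
    print("assignments silently replaced:", len(broken["overridden"]))
    print(render_services(AD_SERVICES, "WINDOWS_AD_SERVICES"))
```

`replay_blocks` doubles as a pre-flight check for any hand-written script: if a block reports a non-empty `overridden` list, some `set` line will not survive on the device. Running it over the output of `render_services` shows no overrides, because each attribute is set exactly once per block.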

sjweinstein
New Contributor

Thanks for the response. I did see the error of my ways later last night; coming off a different firewall vendor, I was 'doing what I know'. A 'group' would make more sense in some cases if Fortinet has predefined all of the AD ports. It would be nice if they had all of them in the pre-defined object provided, but I do ask too much.

stuart_weinstein@baxter.com