- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: Custom services
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Custom services
Hi all,
I have observed that when using the creating 2 custom services using the same port number, the firewall will recognise that port number globally with only one of the custom services, therefore if anything else arrives on at a policy on that port number it does not work correctly.
For example, two custom services exist, HTTP and WebBrowsing, both with TCP 80 as the configured port. If I create firewall policy 1 with the HTTP service allowed from host A, and firewall policy 2 with the WebBrowsing service allowed from host B, only one of them will be allowed through. Looking at the logs I can see that all TCP 80 traffic will be classified with service HTTP, and thus when traffic hits policy 2 and HTTP is not allowed (because WebBrowsing has been selected in this policy) the traffic is dropped.
Is this expected behaviour? Is it not possible to have services classified multiple times?
Thanks BenHi Support,
I have observed that when using the creating 2 custom services using the same port number, the firewall will recognise that port number globally with only one of the custom services, therefore if anything else arrives on at a policy on that port number it does not work correctly.
For example, two custom services exist, HTTP and WebBrowsing, both with TCP 80 as the configured port. If I create firewall policy 1 with the HTTP service allowed from host A, and firewall policy 2 with the WebBrowsing service allowed from host B, only one of them will be allowed through. Looking at the logs I can see that all TCP 80 traffic will be classified with service HTTP, and thus when traffic hits policy 2 and HTTP is not allowed (because WebBrowsing has been selected in this policy) the traffic is dropped.
Is this expected behaviour? Is it not possible to have services classified multiple times?
Cheers!
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems to be an issue with the product.
I just tried to replicate and ended up having exactly the same issue. Than I compared the default HTTP service to the new custom one and figured that when you build the custom service, it creates the value of the " tcp-portrange" attribute incorrectly.
HTTP:
set tcp-portrange 80
WebBrowsing:
set tcp-portrange 80:0
Then edited the object and removed the :0 in CLI than it worked as expected.
I' d suggest to log a ticket with Fortinet Support as it appears to be a bug in version 5.2 (not sure what version you are using, though)
BTW
# config firewall service custom
(custom) # edit WebBrowsing
(WebBrowsing) # set tcp-portrange 80
(WebBrowsing) # next
And voilà , it' s back to normal again.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have seen the issue with the appended :0 already and have raised a ticket with Fortinet on this - I will let you know the response.
I am running 5.0.8 at the moment.
So when you had both WebBrowsing AND HTTP, did the firewall pass both, regardless of which was in the policy?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, it blocked the access with WebBrowsing service just like in your case, until I fixed the service definition in CLI.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, but once you changed it, did it pass both?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it did.
Related Posts
Labels
-
FortiGate
6,815 -
FortiClient
1,352 -
5.2
801 -
5.4
639 -
FortiManager
585 -
FortiAnalyzer
431 -
6.0
416 -
5.6
362 -
FortiAP
352 -
FortiSwitch
348 -
FortiClient EMS
276 -
FortiMail
266 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
164 -
6.4
128 -
FortiNAC
114 -
FortiGuard
108 -
FortiSIEM
92 -
FortiGateCloud
90 -
IPsec
90 -
FortiCloud Products
85 -
FortiToken
74 -
SSL-VPN
73 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
42 -
Fortivoice
41 -
SD-WAN
37 -
FortiDNS
35 -
FortiExtender
34 -
FortiGate v5.4
34 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
FortiAuthenticator
24 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
DNS
15 -
LDAP
15 -
FortiMonitor
14 -
BGP
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Authentication
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
SSO
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.