Policy not matching with custom service
I have a Fortigate 200D with FortiOS 5.0 Patch 9 (build 0292).
I created address objects and a custom service for a particular vendor (EMC), then used them in a policy. If I change the policy to allow "all" services it works and only logs accesses on port 443. The custom service includes (per EMC) ports 443 & 8443. If I change the rule to include the HTTPS service it works. I'm assuming I did something wrong creating the custom service, but I'm including the whole script I used in case someone can spot something else I did wrong.
Here's the custom service definition:
    config firewall service custom
        edit "EMC_ESRS_Svcs"
            set category "My Custom Services"
            set comment "EMC ESRS"
            set tcp-portrange 443:443 8443:8443
        next
    end
Any assistance would be greatly appreciated,
Roger Morgan
rcmorgansec@morganemail.net
    config firewall address
        edit "EMC_ESRS_A"
            set associated-interface "wan1"
            set type iprange
            set end-ip 128.221.192.14
            set start-ip 128.221.192.13
        next
        edit "EMC_ESRS_B"
            set associated-interface "wan1"
            set type iprange
            set end-ip 128.221.204.213
            set start-ip 128.221.204.210
        next
        edit "EMC_ESRS_C"
            set associated-interface "wan1"
            set type iprange
            set end-ip 137.69.120.172
            set start-ip 137.69.120.170
        next
        edit "EMC_ESRS_D"
            set associated-interface "wan1"
            set type iprange
            set end-ip 152.62.45.13
            set start-ip 152.62.45.11
        next
        edit "EMC_ESRS_E"
            set associated-interface "wan1"
            set type iprange
            set end-ip 152.62.177.13
            set start-ip 152.62.177.11
        next
        edit "EMC_ESRS_F"
            set associated-interface "wan1"
            set type iprange
            set end-ip 168.159.209.13
            set start-ip 168.159.209.11
        next
        edit "EMC_ESRS_G"
            set associated-interface "wan1"
            set type iprange
            set end-ip 168.159.218.21
            set start-ip 168.159.218.20
        next
    end
    config firewall addrgrp
        edit "EMC_ESRS_Addresses"
            set comment "EMC ESRS Addresses"
            set member "EMC_ESRS_A" "EMC_ESRS_B" "EMC_ESRS_C" "EMC_ESRS_D" "EMC_ESRS_E" "EMC_ESRS_F" "EMC_ESRS_G"
        next
    end
    config firewall service custom
        edit "EMC_ESRS_Svcs"
            set category "My Custom Services"
            set comment "EMC ESRS"
            set tcp-portrange 443:443 8443:8443
        next
    end
    config firewall policy
        edit 24
            set srcintf "lan"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "EMC_ESRS_Addresses"
            set action accept
            set schedule "always"
            set service "EMC_ESRS_Svcs"
            set utm-status enable
            set logtraffic all
            set ips-sensor "protect_client"
            set profile-protocol-options "default"
            set nat enable
        next
    end
Labels: 5.0
hello,
and welcome to the forums.
A service is defined by its destination port - the source port is random and not significant.
In your definition you filled in a source port which will never be used (source port needs to be > 1023) so this service will never match.
Define your custom service like this:
source port from: 0 to: 0 ("0" denotes "all" in FortiOS)
dest port from: 8443 to: 8443
Then either create a custom service group and add the HTTPS service, or use your custom service in the policy, and add HTTPS there. That depends on whether you want to reuse it elsewhere. I'd rather prefer the custom service group with a telling name.
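Added example, not from this thread or from Fortinet: a small Python checker for the CLI form of what the reply above describes. In `set tcp-portrange` each token is `dst[-dst][:src[-src]]`, and the part after the colon is the source port, so `443:443` pins the source port and never matches an ordinary client. The helper names (`parse_tcp_portrange`, `source_pinned`, `matches`, `lint_services`) are hypothetical, and the sample config is the poster's service as quoted above plus its corrected form.

```python
import re
from typing import NamedTuple
class PortRange(NamedTuple):
    dst_low: int
    dst_high: int
    src_low: int   # source (0, 0) means "any source port", the normal case
    src_high: int
def _span(text: str) -> tuple[int, int]:
    # 'lo' or 'lo-hi' -> inclusive (lo, hi), validated
    lo, _, hi = text.partition("-")
    low, high = int(lo), int(hi or lo)
    assert 0 <= low <= high <= 65535, f"bad port span: {text!r}"
    return low, high

def parse_tcp_portrange(value: str) -> list[PortRange]:
    # Tokens are dstlo[-dsthi][:srclo[-srchi]]; the part AFTER the colon is the
    # SOURCE port, so "443:443" only matches clients that happen to use src 443.
    ranges = []
    for token in value.split():
        dst, _, src = token.partition(":")
        ranges.append(PortRange(*_span(dst), *(_span(src) if src else (0, 0))))
    return ranges

def source_pinned(ranges: list[PortRange]) -> list[PortRange]:
    # Entries that only match a fixed source port, i.e. practically never.
    return [r for r in ranges if r.src_high != 0]
def matches(ranges: list[PortRange], dst_port: int, src_port: int) -> bool:
    # Would a TCP flow with these ports match the service?
    return any(r.dst_low <= dst_port <= r.dst_high and (r.src_high == 0
               or r.src_low <= src_port <= r.src_high) for r in ranges)

_EDIT = re.compile(r'^\s*edit\s+"?([^"\s]+)"?', re.M)
_RANGE = re.compile(r'^\s*set tcp-portrange\s+(.+?)\s*$', re.M)
def lint_services(config: str) -> list[str]:
    # Hypothetical lint: report every service whose tcp-portrange pins the source.
    findings = []
    for block in re.split(r'(?m)^\s*next\s*$', config):
        name, rng = _EDIT.search(block), _RANGE.search(block)
        if name and rng and source_pinned(parse_tcp_portrange(rng.group(1))):
            findings.append(f'{name.group(1)}: source port pinned in "{rng.group(1)}"')
    return findings

# Constructed input: the service as posted in the thread, then the corrected form.
POSTED = '''config firewall service custom
    edit "EMC_ESRS_Svcs"
        set tcp-portrange 443:443 8443:8443
    next
end'''
FIXED = POSTED.replace("443:443 8443:8443", "443 8443")
```

Running `lint_services` over a `show firewall service custom` dump flags every service that has this mistake, and `matches` shows why the posted one only ever worked for clients using source port 443.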
Thank you, that was exactly it.
I knew better, but I just wasn't seeing it.
