Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Problem with custom services
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem with custom services
Fortigate 100D running v5.0,build0292 (GA Patch 9)
I have created two custom services TCP 9100 and UDP 47808. I created two different policies one policy using each of the custom services. The firewall is blocking both of the services. The only way I can get the traffic through is to change the policy to allow all services. I even tried all allow ALL_UDP but upd/47808 was still being blocked. Currently I do have AV and IPS security profiles assigned to the policies, but I did try disabling all security services and the traffic was still being blocked. I have several other policies that are using custom services. The firmware was upgraded prior to any policies or services being created on this firewall. In other words, a firmware upgrade has not been done between the creation of the policies using custom services that are working and the creation of the policies using custom service that are not working. Any help would be greatly appreciated.
Below is a copy of the policies that aren't working
edit 13 set srcintf "port1" set dstintf "SSN300" set srcaddr "10.18.21.55" "172.30.128.17" "172.30.120.17" set dstaddr "10.69.1.119" "10.69.1.120" set action accept set schedule "always" set service "UDP-47808" set logtraffic all set capture-packet enable set comments "LGH\'s Siemens server to CSC panels"
edit 14 set srcintf "Aesynt370" set dstintf "port1" set srcaddr "Aesynt_Devices" set dstaddr "10.69.0.19" set action accept set schedule "always" set service "TCP_9100" set utm-status enable set logtraffic all set comments "Aesynt devices to printer" set av-profile "default" set ips-sensor "protect_client" set profile-protocol-options "default"
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you check the custom service from CLI do you see :0 after portrnage
config firewall service custom edit "TCP_9100" set tcp-portrange 9100:0
If you see portrange 9100:0 it is a problem.
Either from cli just set tcp-portrange 9100
Of in Webui in source port start make it blank insted or 0.
18 REPLIES 18
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Most of the time when setting up custom services is it's the target port that you are setting up -- the source port should be left at 0-65535.
Also make sure you move these firewall policies above any general firewall policy rules so they are executed; firewall policies are executed from top-to-bottom.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dave Hall wrote:Most of the time when setting up custom services is it's the target port that you are setting up -- the source port should be left at 0-65535.
[attachImg]https://forum.fortinet.com/download.axd?file=0;119911&where=message&f=Custom-Service.gif[/attachImg]
Also make sure you move these firewall policies above any general firewall policy rules so they are executed; firewall policies are executed from top-to-bottom.
I did configure the destination port as 9100 and 47808 and the source ports are configured as 0-65535. The other policies are not conflicting. I confirmed this by moving the new policies to the top of the list (the two policies I'm having problems with are on different firewall interfaces)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would next try to monitor the policy when you change it to 'all' to see if any other services are required in addition to the one you specified. Something else may be required that's not documented. It's happened before. (ask me how I know...)
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HP printing is (at least in one place, here: http://www.speedguide.net/port.php?port=9100) reported to use port 9100 TCP and UDP. Try the policy with the custom service extended by 9100/udp.
Be sure that the (test) traffic hits the intended policy. You can peek into the data stream in the CLI (console window) with
diag deb ena
diag sniffer packet <portname> 'port 9100' 4 0 a. If the reason for blocking is not obvious please post the diag output here.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ede_pfau wrote:HP printing is (at least in one place, here: http://www.speedguide.net/port.php?port=9100) reported to use port 9100 TCP and UDP. Try the policy with the custom service extended by 9100/udp.
Be sure that the (test) traffic hits the intended policy. You can peek into the data stream in the CLI (console window) with
diag deb ena
diag sniffer packet <portname> 'port 9100' 4 0 a. If the reason for blocking is not obvious please post the diag output here.
I added 9100/udp.I noticed in the logs viewed form the GUI when I allow all ports the log shows the firewall allowed the traffic with Policy ID 14 (which is correct), but if I change the policy to use SNMP, TCP/UDP 9100 it denies the traffic and references Policy ID 0 Below are the results of diag and screen shot of the log.
2877.264883 Aesynt370 -- 10.69.1.74.55560 -> 10.69.0.19.9100: syn 2258148774
2880.266262 Aesynt370 -- 10.69.1.74.55560 -> 10.69.0.19.9100: syn 2258148774
2886.268582 Aesynt370 -- 10.69.1.74.55560 -> 10.69.0.19.9100: syn 2258148774
2903.260723 Aesynt370 -- 10.69.1.74.55566 -> 10.69.0.19.9100: syn 1633740168
2906.261716 Aesynt370 -- 10.69.1.74.55566 -> 10.69.0.19.9100: syn 1633740168
2912.263047 Aesynt370 -- 10.69.1.74.55566 -> 10.69.0.19.9100: syn 1633740168
2929.265156 Aesynt370 -- 10.69.1.74.55571 -> 10.69.0.19.9100: syn 3922942513
2932.261121 Aesynt370 -- 10.69.1.74.55571 -> 10.69.0.19.9100: syn 3922942513
2938.266460 Aesynt370 -- 10.69.1.74.55571 -> 10.69.0.19.9100: syn 3922942513
2960.269988 Aesynt370 -- 10.69.1.74.55576 -> 10.69.0.19.9100: syn 3384196890
2963.272789 Aesynt370 -- 10.69.1.74.55576 -> 10.69.0.19.9100: syn 3384196890
2969.275128 Aesynt370 -- 10.69.1.74.55576 -> 10.69.0.19.9100: syn 3384196890
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kalysta wrote:set srcaddr "10.18.21.55" "172.30.128.17" "172.30.120.17"
set dstaddr "10.69.1.119" "10.69.1.120"
[...]
set dstaddr "10.69.0.19"
I'm not a big fan of address object labels using IP addresses - could/can lead to problems further down the road -- can you confirm these address labels are type subnet?
Policy #13 doesn't show NAT enabled, so are the devices at "10.69.1.119" "10.69.1.120" going to allow those 3 IP addresses to connect to them?
Regarding policy#14, if the dest or target device "10.69.0.19" is a network printer, you will want to log into it and confirmed it is setup/configured to allow the "Aesynt_Devices" to "talk" to it -- if this is not possible you may want to enable NAT on that policy as a possible work-around.
Regarding whether policies are working or not, if you do not want to get into the whole debug/sniffer stuff, you can always enable the count column on the policy screen.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dave Hall wrote:kalysta wrote:set srcaddr "10.18.21.55" "172.30.128.17" "172.30.120.17"
set dstaddr "10.69.1.119" "10.69.1.120"
[...]
set dstaddr "10.69.0.19"
I'm not a big fan of address object labels using IP addresses - could/can lead to problems further down the road -- can you confirm these address labels are type subnet?
Policy #13 doesn't show NAT enabled, so are the devices at "10.69.1.119" "10.69.1.120" going to allow those 3 IP addresses to connect to them?
Regarding policy#14, if the dest or target device "10.69.0.19" is a network printer, you will want to log into it and confirmed it is setup/configured to allow the "Aesynt_Devices" to "talk" to it -- if this is not possible you may want to enable NAT on that policy as a possible work-around.
Regarding whether policies are working or not, if you do not want to get into the whole debug/sniffer stuff, you can always enable the count column on the policy screen.
[attachImg]https://forum.fortinet.com/download.axd?file=0;119956&where=message&f=column count.gif[/attachImg]
I have confirmed the address objects are type subnet. I have attached a pic of one of the address objects
Policy #13 10.69.119 and 10.69.1.120 are already allowing the 3 IP address to communicate via telnet and ping. I also see communication on 47808/udp when configure the policy to allow all services so I don't think it has anything to do with the devices.
Policy #14 I have confirmed the printer is configured correctly and everything works fine when I configure the policy to allow all services.
I enabled the count column when I first created the rules. The count is going up but that is because each policy is allowing other services through. However, I will create a separate rule for the services I am having problems with.
Below is the output of diag sniffer packet Aesynt370 'port 9100' and I attached a screenshot from the GUI log
2877.264883 Aesynt370 -- 10.69.1.74.55560 -> 10.69.0.19.9100: syn 2258148774
2880.266262 Aesynt370 -- 10.69.1.74.55560 -> 10.69.0.19.9100: syn 2258148774
2886.268582 Aesynt370 -- 10.69.1.74.55560 -> 10.69.0.19.9100: syn 2258148774
2903.260723 Aesynt370 -- 10.69.1.74.55566 -> 10.69.0.19.9100: syn 1633740168
2906.261716 Aesynt370 -- 10.69.1.74.55566 -> 10.69.0.19.9100: syn 1633740168
2912.263047 Aesynt370 -- 10.69.1.74.55566 -> 10.69.0.19.9100: syn 1633740168
2929.265156 Aesynt370 -- 10.69.1.74.55571 -> 10.69.0.19.9100: syn 3922942513
2932.261121 Aesynt370 -- 10.69.1.74.55571 -> 10.69.0.19.9100: syn 3922942513
2938.266460 Aesynt370 -- 10.69.1.74.55571 -> 10.69.0.19.9100: syn 3922942513
2960.269988 Aesynt370 -- 10.69.1.74.55576 -> 10.69.0.19.9100: syn 3384196890
2963.272789 Aesynt370 -- 10.69.1.74.55576 -> 10.69.0.19.9100: syn 3384196890
2969.275128 Aesynt370 -- 10.69.1.74.55576 -> 10.69.0.19.9100: syn 3384196890
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The policy using TCP 9100 is only using that port. It's simply windows printing. The policy using UDP 47808 is also using telnet and ICMP. Telnet and ICMP are passing through just fine. The log clearly shows it's blocking only TCP 9100 and UDP 47808. When I changed the policy to allow ALL UDP ports the firewall still blocked UDP 47808
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To find out why firewall is dropping it, run the flow level debug:
diag debug enable diag debug flow filter dport 9100 diag debug flow show console enable diag debug flow trace start 200
start the traffic and after capturing the output disable the debug
diag debug disable
Post the output
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,700 -
FortiClient
1,763 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
432 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiGate-VM
13 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1713 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.