Overview of Service and Service Groups

A service is an application/protocol or a set of applications/protocols. An application or protocol is identified by certain information, such as the protocol type, source port, and destination port. A service group is a set of services and contains services, service groups, or both.

The FW can use services and service groups to identify common applications or protocols and control the traffic use service- or service-group-specific security policies or traffic control policies.

The FW supports the following types of services:

• Predefined service

  A predefined service is the one you can directly select. Generally, predefined services are well-known protocols, such as HTTP, FTP, and Telnet. Predefined services cannot be deleted.

  Predefined services use ports to define well-known protocols. Therefore, when the ports used by the protocols on the actual network are different from the predefined ones, you need to create a user-defined service. For example, the port number of ILS is 1002 in the predefined service, but certain software of old versions uses port 389 to receive ILS packets. In this case, you need to define a service with port number 389 and reference the service in the security policy so that the FW can control the data packet of this application protocol.

  

  Predefined services with dynamic ports (the port identifier is dynamic port) cannot be referenced by service groups or policies.

• User-defined service

  You can specify protocol types (such as TCP, SCTP, UDP, and ICMP) and port numbers to define services.

  • For TCP, SCTP, and UDP packets, protocol types are identified through a series of ports or port ranges.

  • For ICMP packets, ICMP is identified through the ICMP message type and code.

    Table 1 ICMP type names and corresponding type numbers, and message codes

    ICMP Type Name	ICMP Type Number	ICMP Message Code
    Echo	8	0
    Echo-reply	0	0
    Parameter-problem	12	0
    Port-unreachable	3	3
    Protocol-unreachable	3	2
    Reassembly-timeout	11	1
    Source-quench	4	0
    Source-route-failed	3	5
    Timestamp-reply	14	0
    Timestamp-request	13	0
    Ttl-exceeded	11	0
    Fragmentneed-DFset	3	4
    Host-redirect	5	1
    Host-tos-redirect	5	3
    Host-unreachable	3	1
    Information-reply	16	0
    Information-request	15	0
    Net-redirect	5	0
    Net-tos-redirect	5	2
    Net-unreachable	3	0

    Table 2 ICMPv6 type names and corresponding type numbers, and message codes

    ICMPv6 Type Name	ICMPv6 Type Number	ICMPv6 Message Code
    Redirect	137	0
    Echo	128	0
    Echo-reply	129	0
    Err-Header-field	4	0
    Frag-time-exceeded	3	1
    Hop-limit-exceeded	3	0
    Host-admin-prohib	1	1
    Host-unreachable	1	3
    Neighbor-advertisement	136	0
    Neighbor-solicitation	135	0
    Network-unreachable	1	0
    Packet-too-big	2	0
    Port-unreachable	1	4
    Router-advertisement	134	0
    Router-solicitation	133	0
    Unknown-ipv6-opt	4	2
    Unknown-next-hdr	4	1

    For details on the ICMP message type and code, refer to RFC792 Internet Control Message Protocol. The protocol type is identified through the value of the protocol field in the IP packet header. For the relationship between the protocol field in the IP packet header and specific protocol, refer to RFC1340 Assigned Numbers