SonicOSX 7 Match Objects

Services

Service Objects and Service Groups are configured under the Object > Services page.

SonicOS supports an expanded IP protocol support to allow users to create service objects, service groups, and access rules based on these custom service protocols. For a list of pre-defined protocols, see Predefined IP Protocols for Custom Service Objects. To add specific IP protocols required for your network, refer to Adding Custom IP Type Services.

Services are used by the SonicWall security appliance to configure access rules for allowing or denying traffic to the network. The SonicWall security appliance includes predefined default service objects and default service groups. You can edit, but not delete, default service objects and default service groups.

You can create custom service objects and custom service groups to meet your specific business requirements.

The View drop-down list at the top of the page allows you to control the display of default and custom service objects and groups. Select All type to display both custom and default entries, select Custom to display only custom, or select Default to display only default service entries.

About Default Service Objects and Groups

Default service objects and groups are predefined in SonicOS and cannot be deleted, but can be edited. Only ports can be edited for default service objects. For default service groups, you can change the included or excluded services.

The Service Objects and Service Groups tables display the following attributes of the service objects and service groups.

Name – The name of the service.
Protocol – The protocol of the service.
Port Start – The starting port number for the service.
Port End – The ending port number for the service.
Class – Indicates whether the entry is a Default (system) or Custom (user) service.
Comment – Move your mouse over the comment icon to display information about the service object or group. A popup displays the following:

  • Referenced By – with a list of the types of rules or policies configured on the firewall which use the service object or group, along with the number of references to it for each type. The rule or policy type is displayed as a link when available, such as for Access Rules, NAT Policies, etc. You can click the link to go to the page to see the list of specific rules or policies using the service object or group.
  • Groups (Member of) – with a list of service groups or other types of groups that include the service object or group.

Configure – Displays the Edit, View and Delete icons for the service (default services cannot be deleted and their Delete icon is dimmed). The Edit icon displays the Edit Service dialog. Only ports can be edited for default service objects. For default service groups, you can change the included or excluded services.

Default service groups are groups of default service objects and/or other default service groups. Clicking on the triangle to the left of the group name displays all the individual default service objects and groups included in the group. For example, the AD Directory Services default group contains several service objects and service groups (refer to AD Directory Services Group Details). By grouping these multiple entries together, they can be referenced as a single service in rules and policies throughout SonicOS.

AD Directory Services Group Details

Predefined IP Protocols for Custom Service Objects

ICMP (1) Internet Control Message Protocol. A TCP/IP protocol used to send error and control messages.
IGMP (2) Internet Group Management Protocol. The protocol that governs the management of multicast groups in a TCP/IP network.
TCP (6) Transmission Control Protocol. The transport-layer protocol of the TCP/IP suite. TCP ensures that a message is delivered accurately and in its entirety.
UDP (17) User Datagram Protocol. A protocol within the TCP/IP protocol suite that is used in place of TCP when a reliable delivery is not required.
6over4 (41) Transmission of IPv6 over IPv4 domains without explicit tunnels. The 6over4 traffic is transmitted inside IPv4 packets whose IP headers have the IP protocol number set to 41.
GRE (47) Generic Routing Encapsulation. A tunneling protocol used to encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to firewalls or routing devices over an IP Internetwork.
ESP (50) Encapsulated Security Payload. A method of encapsulating an IP datagram inside of another datagram employed as a flexible method of data transportation by IPsec.
AH (51) Authentication Header. A security protocol that provides data authentication and optional anti-replay services. AH is embedded in the data to be protected (a full IP datagram).
ICMPv6 (58) Neighbor Discovery for Internet Control Message Protocol version 6. Neighbor Discovery defines five different ICMP packet types: a pair of Router Solicitation and Router Advertisement messages, a pair of Neighbor Solicitation and Neighbor Advertisement messages, and a Redirect message.
EIGRP (88) Enhanced Interior Gateway Routing Protocol. Advanced version of IGRP. Provides superior convergence properties and operating efficiency, and combines the advantages of link state protocols with those of distance vector protocols.
OSPF (89) Open Shortest Path First. A routing protocol that determines the best path for routing IP traffic over a TCP/IP network based on distance between nodes and several quality parameters. OSPF is an interior gateway protocol (IGP), which is designed to work within an autonomous system. It is also a link state protocol that provides less router to router update traffic than the RIP protocol (distance vector protocol) that it was designed to replace.
PIM (103) Protocol Independent Multicast. One of two PIM operational modes:

  • PIM sparse mode (PIM-SM) tries to constrain data distribution so that a minimal number of routers in the network receive it. Packets are sent only if they are explicitly requested at the RP (rendezvous point). In sparse mode, receivers are widely distributed, and the assumption is that downstream networks will not necessarily use the datagrams that are sent to them. The cost of using sparse mode is its reliance on the periodic refreshing of explicit join messages and its need for RPs.
  • PIM dense mode (PIM-DM) assumes all downstream routers and hosts want to receive a multicast datagram from a sender and floods multicast traffic throughout the network. Routers without downstream neighbors prune unwanted traffic. To minimize repeated flooding of datagrams and subsequent pruning, PIM-DM uses a state refresh message sent by routers directly connected to the source.

The firewall can be configured only as a multicast proxy so multicast traffic can be passed through the up-/downstream interface. The firewall cannot act as a PIM router.

L2TP (115) Layer 2 Tunneling Protocol. A protocol that allows a PPP session to run over the Internet. L2TP does not include encryption, but defaults to using IPsec to provide virtual private network (VPN) connections from remote users to the corporate LAN.

Adding Service Objects using Predefined Protocols

You can add a custom service object for any of the predefined protocols, or service types:

Predefined service types

  Protocol    IP Number
  ICMP        1
  IGMP        2
  TCP         6
  UDP         17
  6over4      41
  GRE         47
  IPsec ESP   50
  IPsec AH    51
  ICMPv6      58
  EIGRP       88
  OSPF        89
  PIM         103
  L2TP        115

For definitions of these protocols, see Predefined IP Protocols for Custom Service Objects.

All custom service objects you create are listed in the Service Objects table. You can group custom services by creating a custom service group for easy policy enforcement. If a protocol is not listed as a default service object, you can add a custom service object for it.

To add a custom service object using predefined protocols

  1. Navigate to the Object > Match Objects > Services > Service Objects page.
  2. Click the Add button. The Service Objects dialog displays.

  3. Enter a descriptive name for the service object in the Name field.

  4. Select the type of IP protocol from the Protocol drop-down menu. The fields in the dialog may change.

  5. What you enter next depends on your IP protocol selection:

    • For TCP and UDP protocols, specify the Port Range.
    • For ICMP, IGMP, OSPF, and PIM protocols, select a Sub Type from the Sub Type drop-down menu.

      PIM subtypes apply to both PIM-SM and PIM-DM except the following, which are for PIM-SM only:

        • Type1: Register
        • Type2: Register Stop
        • Type4: Bootstrap
        • Type8: Candidate RP Advertisement

    • For the remaining protocols, you do not need to specify anything further.

  6. Click Save.

Adding Custom IP Type Services

Using only the predefined IP protocol types, the security appliance drops traffic of any other IP protocol type as unrecognized. However, there is a large and expanding list of other registered IP protocol numbers, as governed by IANA (Internet Assigned Numbers Authority): http://www.iana.org/assignments/protocol-numbers. So while the rigid practice of dropping less-common (unrecognized) IP type traffic is secure, it is functionally restrictive.

SonicOS allows you to construct service objects representing any IP type, allowing access rules to then be written to recognize and control IP traffic of any type.

The generic service Any does not handle custom IP type service objects. In other words, simply defining a custom IP type service object for “IP Type 126” does not allow IP Type 126 traffic to pass through the default LAN > WAN Allow rule.

You need to create an access rule specifically containing the custom IP type service object to provide for its recognition and handling, as illustrated in Configuration Example.

Configuration Example

Assume an administrator needs to allow RSVP (Resource Reservation Protocol - IP Type 46) and SRP (Spectralink™ Radio Protocol – IP type 119) from all clients on the WLAN zone (WLAN Subnets) to a server on the LAN zone (for example, 10.50.165.26). You can define custom IP type service objects to handle these two services.

To define a custom IP type service and related configuration

  1. Navigate to the Object > Match Objects > Services > Service Objects page.
  2. Click the Add button. The Service Objects dialog displays.

  3. Enter a descriptive name for the service object in the Name field.

  4. Select Custom IP type from the Protocol drop-down menu.

  5. In the field to the right of the Protocol drop-down list, type in the protocol number for the Custom IP Type.

    The Port Range and Sub Type fields are not definable or applicable to a Custom IP Type.

    Attempting to define a custom IP type service object for a predefined IP type is not permitted and results in an error message.

  6. Click Save.
  7. Repeat Step 3 through Step 6 for each custom service to be defined.
  8. Navigate to the Object > Match Objects > Services > Service Groups page.
  9. Click the Add button. The Service Groups dialog displays.

  10. Enter a descriptive name for the service group in the Name field, such as myServices.
  11. Select the custom service objects you just created from the list on the left, and then click the Right Arrow button to move them into the list on the right.

    Press Ctrl or Shift to select multiple service objects, and then click the Right Arrow button to move them all at one time.

  12. Click Save.
  13. Navigate to the Object > Match Objects > Services > Service Objects page.
  14. Click the Add button. The Service Objects dialog displays.
  15. Create an address object for the host that the WLAN Subnets can access using myServices.
  16. Select the custom service objects you just created from the list on the left, and then click the Right Arrow button to move them into the list on the right.

    Press Ctrl or Shift to select multiple service objects, and then click the Right Arrow button to move them all at one time.

  17. Click Save.
  18. Navigate to the Policy > Rules and Policies > Access Rules page to create a WLAN > LAN rule.
  19. Define an access rule allowing myServices from WLAN Subnets to the 10.50.165.26 address object.

    It may be necessary to create an access rule for bidirectional traffic; for example, an additional access rule from the LAN > WLAN allowing myServices from 10.50.165.26 to WLAN Subnets.

  20. Click Save.

    IP protocol 46 and 119 traffic will now be recognized and allowed to pass from WLAN Subnets to the host at 10.50.165.26.
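The behaviour described in this example and in the earlier note that the generic Any service does not handle custom IP type service objects can be modelled in a few lines. The following Python block is an added illustration and is not SonicOS code: the class and function names (ServiceObject, ServiceGroup, AnyService, AccessRule, evaluate, example_rules) and the data model are assumptions chosen to mirror what the page states, the WLAN Subnets range 172.16.1.0/24 and the WAN address are constructed values, and the rule that Any covers only the predefined protocols is a modelling assumption drawn from the page's "IP Type 126" remark. It also covers the port-range and sub-type fields of the predefined-protocol dialog, so the same matcher handles TCP SMTP (port 25) and PIM Register (subtype 1) services.

```python
"""Model of service objects, service groups and access rules.

Added illustration, not SonicOS code: every class and function name here is
an assumption chosen to mirror the behaviour the page describes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Predefined protocol numbers, from the page's "Predefined service types" table.
PREDEFINED = {
    "ICMP": 1, "IGMP": 2, "TCP": 6, "UDP": 17, "6over4": 41, "GRE": 47,
    "IPsec ESP": 50, "IPsec AH": 51, "ICMPv6": 58, "EIGRP": 88,
    "OSPF": 89, "PIM": 103, "L2TP": 115,
}


@dataclass(frozen=True)
class Packet:
    """Only the fields a service object looks at (constructed sample data)."""
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None    # TCP/UDP destination port
    subtype: Optional[int] = None  # ICMP/IGMP/OSPF/PIM message type


@dataclass(frozen=True)
class ServiceObject:
    name: str
    proto: int
    port_range: Optional[tuple] = None  # (start, end); TCP and UDP only
    subtype: Optional[int] = None       # ICMP, IGMP, OSPF and PIM only
    custom_ip_type: bool = False

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.port_range is not None:
            lo, hi = self.port_range
            if pkt.dport is None or not lo <= pkt.dport <= hi:
                return False
        if self.subtype is not None and pkt.subtype != self.subtype:
            return False
        return True


def custom_ip_type(name: str, number: int) -> ServiceObject:
    """Build a Custom IP Type service; the page says a predefined number is rejected."""
    if not 0 <= number <= 255:
        raise ValueError(f"{number} is not a valid IP protocol number")
    if number in PREDEFINED.values():
        raise ValueError(f"IP protocol {number} is predefined; select that protocol instead")
    return ServiceObject(name, number, custom_ip_type=True)


class AnyService:
    """The generic Any service. Assumption modelled on the page: it covers the
    predefined protocols but not traffic that only a custom IP type describes."""
    name = "Any"

    def matches(self, pkt: Packet) -> bool:
        return pkt.proto in PREDEFINED.values()


@dataclass
class ServiceGroup:
    name: str
    members: list  # ServiceObject or nested ServiceGroup entries

    def matches(self, pkt: Packet) -> bool:
        return any(m.matches(pkt) for m in self.members)


@dataclass
class AccessRule:
    src_zone: str
    dst_zone: str
    src_net: str     # CIDR of the source address object
    dst_net: str     # CIDR of the destination address object
    service: object  # ServiceObject, ServiceGroup or AnyService
    action: str      # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, pkt: Packet) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and self.service.matches(pkt))


def evaluate(rules, src_zone: str, dst_zone: str, pkt: Packet, default="deny") -> str:
    """First matching rule wins; unmatched traffic takes the default action."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, pkt):
            return rule.action
    return default


def example_rules():
    """Rule base from the page's Configuration Example plus the default LAN > WAN
    Allow rule. The WLAN Subnets range 172.16.1.0/24 is a constructed value."""
    my_services = ServiceGroup("myServices", [custom_ip_type("RSVP", 46),
                                              custom_ip_type("SRP", 119)])
    return [
        AccessRule("LAN", "WAN", "0.0.0.0/0", "0.0.0.0/0", AnyService(), "allow"),
        AccessRule("WLAN", "LAN", "172.16.1.0/24", "10.50.165.26/32", my_services, "allow"),
    ]


if __name__ == "__main__":
    rules = example_rules()
    rsvp = Packet("172.16.1.20", "10.50.165.26", proto=46)
    ip126 = Packet("10.0.0.5", "203.0.113.9", proto=126)
    print("RSVP WLAN > LAN:", evaluate(rules, "WLAN", "LAN", rsvp))        # allow
    print("IP type 126 LAN > WAN:", evaluate(rules, "LAN", "WAN", ip126))  # deny
```

Running the block shows the two points the page makes: RSVP from a WLAN client to 10.50.165.26 is allowed only because a rule names myServices explicitly, while IP type 126 from LAN to WAN is dropped even though that direction has an Allow rule with the Any service. Swapping the protocol number in the WLAN packet for TCP port 80 also yields deny, since myServices lists nothing but the two custom IP types.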

Editing Custom Service Objects

Click the Edit icon under Configure to edit the service object which includes the same configuration settings as the Add Service dialog. Refer to Adding Service Objects using Predefined Protocols or Adding Custom IP Type Services.

Deleting Custom Service Objects

In the row for the service object you want to delete, click the Delete icon under Configure to delete an individual custom service object. To delete one or more custom service objects, select the checkboxes for the desired entries and click Delete at the top of the page.

Adding Custom Service Groups

You can add custom services and then create groups of services, including default services, to apply the same policies to them. For instance, you can allow SMTP and POP3 traffic only during certain hours or days of the week by adding the two services as a custom service group.

To create a custom service group

  1. Navigate to the Object > Match Objects > Service Groups page.
  2. Click the Add button. The Service Groups dialog displays.

  3. Enter a name for the custom group in the Name field.
  4. Select the custom service objects you just created from the list on the left, and then click the Right Arrow button to move them into the list on the right.

    Press Ctrl or Shift to select multiple service objects, and then click the Right Arrow button to move them all at one time.

  5. Click Save.

Clicking the triangle to the left of a Custom service group name expands the display to show all the individual Custom Services, Default Services, and Custom Service Groups included in the Custom service group entry.

Editing Custom Service Groups

Click the Edit icon in the Configure column to edit the custom service group, which includes the same configuration settings as the Add Service Group dialog.

You also can edit individual services of a custom service group by expanding the group, and clicking the Edit icon for the service.

Deleting Custom Service Groups

In the row for the service group you want to delete, click the Delete icon under Configure to delete an individual custom service group. To delete one or more custom service groups, select the checkboxes for the desired entries, and then click Delete at the top of the page.
