Other Service - Advanced
What can I do here?
Use this window to set advanced properties for the user defined service.
Getting Here - Object Explorer > New > Service > Other Service > Advanced
User defined Services
What background information do I need to know?
To define a user defined service, you must enter INSPECT code in the Match field, so you must have at least a basic familiarity with INSPECT.
Suppose the IP Protocol field has the value of 17 (UDP Protocol) and the Match field has the following value:
uh_dport > 33000, ip_ttl < 30
To understand the meaning of the Match field, consider the relevant definitions in $FWDIR/lib/base.def:
Name        Definition      Meaning
uh_dport    [ 22 : 2, b]    the UDP destination port (2 bytes at offset 22, big-endian)
ip_ttl      [ 8 : 1 ]       IP Time To Live (1 byte at offset 8)
Offsets are counted in bytes from the start of the IP packet; offset 22 is the UDP destination port only when the IP header is the standard 20 bytes (no IP options).
The comma operator in INSPECT means "and", so, together with the IP Protocol field, the Match means:
- the IP protocol is 17 (UDP), AND
- the UDP destination port is greater than 33000, AND
- the packet's time to live is less than 30
Suppose you wish to pass IP protocol number 53 as a service of its own, similar to the predefined ospf, egp and bgp services: define a user-defined service whose IP Protocol field is 53. The IP Protocol field holds the protocol number from the IP header, not a port.
Other Service Options
Tell me about the fields...
- Match - contains an INSPECT expression that defines the matching criteria. The connection is examined against the expression during the first packet.
Example: tcp, dport = 21, direction = 0
matches incoming FTP control connections.
- Action - contains an INSPECT expression that defines the action to take if a rule containing this service is matched.
Example: set r_mhandler &open_ssl_handler
sets a handler on the connection.
For more on the Match and Action fields, see: sk109195
- Show Install Policy verification warning - controls whether a policy install on an R80 gateway warns about Match or Action expressions that were not converted before the upgrade to R80. This option only shows after upgrading to R80 and is selected by default. Leaving it selected means those unconverted expressions continue to generate verification warnings during a policy install; clearing it suppresses the warnings, and once cleared the option is no longer available.
- Protocol Type - specifies which protocol type is associated with the service and, by implication, the security server (if any) that enforces Content Security and Authentication for the service. Selecting a Protocol Type invokes that protocol's handlers, which gives a higher level of security by parsing the protocol and better connectivity by tracking dynamic actions, such as the opening of ports.
- Accept Replies - specifies whether replies to this Other Service are accepted. To define a "one-way" Other service, that is, one for which no replies are accepted, clear Accept Replies.
Accept Replies corresponds to the following field on the Stateful Inspection page of the Global Properties window: Accept stateful Other IP Protocol replies for unknown services. The Global Properties setting applies to Other services that are not defined in the Check Point Services objects tree.
- Match for 'Any' - indicates whether this service is used when 'Any' is set as the rule's service and several service objects share the same source port and protocol.
When a rule's Service cell contains Any and a connection's protocol and source port match more than one service object, the service object with 'Match for Any' selected is used, and its properties are applied to the connection.
- Virtual Session Timeout - the session of an Other service (and its timeout) is defined by the Security Gateway, not by the protocol itself, so it is a "virtual" session. The virtual session timeout specifies the number of seconds of inactivity until the session times out.
Select Default to use the timeout defined in Global Properties, or select Specific to override the default timeout for this service.
- Enable Aggressive Aging - lets the gateway manage connections table capacity and memory consumption: when the table or memory usage approaches its limit, connections of this service are aged out with shorter timeouts than usual, which increases durability and stability under load.
- Synchronize connections on cluster - in a state-synchronized High Availability or Load Sharing gateway cluster, only those services allowed by the Rule Base that have Synchronize connections on cluster selected have their connections synchronized between cluster members. By default, all new and existing services are synchronized.
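To make the byte-offset definitions concrete, the following Python script is an added example, not Check Point code or anything from base.def. It applies definitions in the [offset : length, b] style quoted in the background section above to constructed sample packets, and evaluates both Match expressions from this page: uh_dport > 33000, ip_ttl < 30 and the FTP example tcp, dport = 21, direction = 0. Only a small subset of INSPECT is parsed (comma-separated "name op number" clauses and the tcp/udp shorthands). The field names other than uh_dport and ip_ttl, the expansion of tcp/udp/dport, and the way direction is passed in are assumptions made for the example; it also applies offsets literally, so it shows what goes wrong with a fixed offset when the IP header carries options (whether the gateway compensates for options is not modelled here).

```python
"""Toy evaluator for INSPECT-style Match expressions (added example)."""
import operator
import re
import struct

# base.def style definitions: name -> (byte offset from start of IP packet,
# length). Multi-byte fields are big-endian (the ", b" in base.def).
# Only uh_dport and ip_ttl are quoted on the page; the rest are assumed.
FIELDS = {
    "ip_ttl":   (8, 1),    # IP Time To Live
    "ip_p":     (9, 1),    # IP protocol number (assumed name)
    "uh_dport": (22, 2),   # UDP destination port
    "th_dport": (22, 2),   # TCP destination port (assumed; same offset)
    "dport":    (22, 2),   # transport destination port (assumed alias)
}
# Assumed expansions of the tcp/udp shorthands used in the FTP example.
KEYWORDS = {"tcp": ("ip_p", "=", 6), "udp": ("ip_p", "=", 17)}
OPS = {"=": operator.eq, ">": operator.gt, "<": operator.lt,
       ">=": operator.ge, "<=": operator.le}


def read_field(packet: bytes, name: str) -> int:
    """Apply a [offset : length, b] definition literally to the packet."""
    off, length = FIELDS[name]
    return int.from_bytes(packet[off:off + length], "big")


def parse_match(expr: str) -> list:
    """'uh_dport > 33000, ip_ttl < 30' -> [('uh_dport', '>', 33000), ...].
    The comma is INSPECT's 'and': every clause must hold."""
    clauses = []
    for term in expr.split(","):
        term = term.strip()
        if term in KEYWORDS:
            clauses.append(KEYWORDS[term])
            continue
        m = re.fullmatch(r"(\w+)\s*(>=|<=|=|>|<)\s*(\d+)", term)
        if not m:
            raise ValueError(f"unsupported clause: {term!r}")
        clauses.append((m.group(1), m.group(2), int(m.group(3))))
    return clauses


def matches(expr: str, packet: bytes, direction: int = 0) -> bool:
    """True if every clause of the Match holds for this packet.
    direction is supplied alongside the packet (0 = inbound, as in the
    page's FTP example); it is not read from the bytes."""
    for name, op, value in parse_match(expr):
        lhs = direction if name == "direction" else read_field(packet, name)
        if not OPS[op](lhs, value):
            return False
    return True


def build_packet(proto: int, ttl: int, dport: int, sport: int = 40000,
                 options: bytes = b"") -> bytes:
    """Constructed sample packet: IPv4 header (plus optional IP options,
    padded to a multiple of 4 bytes) followed by a UDP (proto 17) or TCP
    (proto 6) header with the given ports. Checksums are left zero; this
    is not a real capture."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)           # 8-byte UDP header
    elif proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                         5 << 4, 0x02, 8192, 0, 0)             # 20-byte TCP SYN
    else:
        raise ValueError("only TCP and UDP samples are built here")
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4                                # header length in words
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0,
                     20 + len(options) + len(l4), 0, 0, ttl, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 7]))
    return ip + options + l4


if __name__ == "__main__":
    udp_match = "uh_dport > 33000, ip_ttl < 30"
    print(matches(udp_match, build_packet(17, ttl=20, dport=34000)))   # True
    print(matches(udp_match, build_packet(17, ttl=64, dport=34000)))   # False: TTL too high
    print(matches(udp_match, build_packet(17, ttl=20, dport=33000)))   # False: not > 33000
    ftp_match = "tcp, dport = 21, direction = 0"
    print(matches(ftp_match, build_packet(6, 64, 21), direction=0))    # True
    print(matches(ftp_match, build_packet(6, 64, 21), direction=1))    # False: outbound
    # Pitfall of a fixed offset: with 4 bytes of IP options the UDP header
    # starts at byte 24, so offset 22 reads option bytes, not the port.
    with_opts = build_packet(17, 20, 34000, options=b"\x01\x01\x01\x01")
    print(read_field(with_opts, "uh_dport"))                          # 257, not 34000
```

Run it as a script to see each Match evaluated against the sample packets. The last line is the practical caveat: a definition such as [ 22 : 2, b] is only the UDP destination port for a 20-byte IP header, so when you write your own offset-based Match expressions, check how the traffic you expect is framed before relying on a literal offset.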