Managing System Services

The Users & Objects > Services page lists the system services configured in the system. On this page you can add new services, edit services, and delete services.

You use service objects to define the different network protocols in a simple way. A service is usually defined by an IP protocol and, for TCP and UDP, by a port or port range.

These objects can be used to define your security policy, as well as policy-based routing rules. Many service objects are predefined with the system and cannot be deleted. Those predefined "system services" represent the appliance's ability to perform deep inspection on those services for connectivity and security reasons. The system services sometimes have additional configuration options.

To create a new service:

  1. Click New.

  2. In the Service tab, enter information in the fields that apply to the type of service you select. Note that not all fields may show:

    • Name - Enter the service's name.

    • Type - Select the service type from the list:

      • TCP

      • UDP

      • ICMP - Select this option if it is necessary to represent a specific ICMP type and code within the ICMP protocol. Note that this is an advanced option.

      • Other - Select this option to represent any IP protocol other than TCP or UDP.

    • Ports - Enter the port(s) if you selected Type - TCP or UDP. Enter a specific port number or port range.

    • IP Protocol - Enter the IP protocol if you selected Type - Other.

    • ICMP type and ICMP code - Enter the ICMP type and code that you want the service object to represent as listed in RFC 792. This option is only relevant if you selected Type - ICMP.

    • Comments - Enter an optional comment.

    • Disable inspection for this service - Select this checkbox to disable deep inspection of traffic matching this service. This option is only available for built-in services.

  3. In the Advanced tab, enter information in the fields that apply to the type of service you selected. Note that not all fields may show depending on the service type.

    General

    • Session timeout (in seconds) - Time in seconds before the session times out.

    • Use source port - Select this option and enter a port number for the client side service. If specified, only those source port numbers are accepted, dropped, or rejected when inspecting packets of this service. Otherwise, the source port is not inspected.

    • Accept replies (relevant for non-TCP services) - When cleared, server-to-client packets are treated as a different connection.

    • Match (a highly advanced option to be used only by Check Point Support)

    Connection handling

    • Keep connections open after policy has been installed - Even if they are not allowed under the new policy. If you change this setting, the change does not affect open connections, but only future connections.

    • Synchronize connections on cluster - Enables state-synchronized High Availability or Load Sharing on a cluster. Of the services allowed by the Rule Base, only those with Synchronize connections on cluster are synchronized as they pass through the cluster. By default, all new and existing services are synchronized.

    • Start synchronizing X seconds after the connection was initiated - For TCP services, enable this option to delay telling the Check Point Appliance about a connection so that the connection is only synchronized if it still exists in X seconds after the connection is initiated. Some TCP services (HTTP for example) are characterized by connections with a very short duration. There is no point in synchronizing these connections because every synchronized connection consumes gateway resources, and the connection is likely to have finished by the time a failover occurs.

    Aggressive aging

    This feature can be configured from the Device > Advanced page. When the appliance is under load, older connections are removed from memory faster to make room for new connections.

    • Enable aggressive aging - Select this option to manage connections table capacity and reduce gateway memory consumption to increase durability and stability.

    • Aggressive aging timeout (in seconds) - Time in seconds before the session times out while aggressive aging is active.

  4. Click Apply.
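The fields on the Service and Advanced tabs together decide which packets a service object covers. The following added example (not the appliance's code) models that matching logic for the four service types, including the port-range syntax, the optional "Use source port" check, and the ICMP type and code from RFC 792; the class and function names are the example's own.

```python
from dataclasses import dataclass
from typing import Optional, Set

PROTO = {"TCP": 6, "UDP": 17, "ICMP": 1}  # IP protocol numbers


@dataclass(frozen=True)
class Service:
    """Constructed model of a service object's Service/Advanced tab fields."""
    name: str
    type: str                          # "TCP", "UDP", "ICMP" or "Other"
    ports: str = ""                    # "22" or "1024-65535" (TCP/UDP only)
    ip_protocol: Optional[int] = None  # Type "Other" only
    icmp_type: Optional[int] = None    # Type "ICMP" only (RFC 792)
    icmp_code: Optional[int] = None    # None: any code of that type
    source_ports: str = ""             # "Use source port"; empty: not inspected


@dataclass(frozen=True)
class Packet:
    ip_protocol: int
    dst_port: Optional[int] = None
    src_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def parse_ports(spec: str) -> Set[int]:
    """Expand a single port ("80") or a range ("8080-8082") into a set."""
    lo, _, hi = spec.strip().partition("-")
    lo_n, hi_n = int(lo), int(hi or lo)
    if not (0 <= lo_n <= hi_n <= 65535):
        raise ValueError(f"bad port specification {spec!r}")
    return set(range(lo_n, hi_n + 1))


def matches(svc: Service, pkt: Packet) -> bool:
    """True if the packet falls under the service definition."""
    if svc.type in ("TCP", "UDP"):
        if pkt.ip_protocol != PROTO[svc.type]:
            return False
        if pkt.dst_port not in parse_ports(svc.ports):
            return False
        # The source port is inspected only when "Use source port" is set.
        return not svc.source_ports or pkt.src_port in parse_ports(svc.source_ports)
    if svc.type == "ICMP":
        if pkt.ip_protocol != PROTO["ICMP"] or pkt.icmp_type != svc.icmp_type:
            return False
        return svc.icmp_code is None or pkt.icmp_code == svc.icmp_code
    if svc.type == "Other":  # any IP protocol other than TCP or UDP
        return svc.ip_protocol not in (6, 17) and pkt.ip_protocol == svc.ip_protocol
    raise ValueError(f"unknown service type {svc.type!r}")
```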

To edit a service:

  1. Select a service from the list.

  2. Click Edit.

  3. Make the necessary changes. Note that not all fields can be edited.

  4. Click Apply.

To delete a service:

  1. Select the service from the list. Note that you can only delete a user defined service.

  2. Click Delete.

  3. Click Yes in the confirmation message.

To filter for a specified service:

  1. In the Type to filter box, enter the service name or part of it.

  2. As you enter text, the list is filtered and shows matching results.

Built-in System Services

Some built-in services represent Check Point's ability to perform deep inspection of the specific protocol. These system services cannot be deleted. When you edit them, the ports that you configure decide when the deep inspection occurs, and you can add or change the default ports. Some system services have additional configuration that affects the way the deep inspection is performed.

  • HTTP - The IPS settings tab lets you configure how and when HTTP deep inspection is performed. Select the relevant options.

  • HTTPS - The URL Filtering settings tab lets you categorize HTTPS sites by information in certificates.

  • FTP - The Firewall settings tab lets you configure how the firewall automatically detects data connections. You can select one of these options:

    • Any - The Firewall detects and allows FTP data connections in all modes.

    • Active - The Firewall detects and allows FTP data connections in active mode only.

    • Passive - The Firewall detects and allows FTP data connections in passive mode only.

  • PPTP_TCP - The IPS settings tab lets you configure how PPTP deep inspection is performed.

    • Action on malformed connections - Choose the action to perform on connections when parsing has failed.

    • Tracking - Choose the type of log to issue when parsing fails.

    • Enforce strict PPTP parsing - Select this to enforce strict adherence to the protocol.

  • SNMP - The Firewall settings tab lets you configure the firewall to enforce a read-only mode in SNMP.

  • SSH - The Firewall settings tab lets you configure the firewall to block older versions of the SSH protocol (1.x).

  • Citrix - The Firewall settings tab lets you configure which protocol to support on the configured ports. The default port 1494 is commonly used by two different protocols - Winframe and Citrix ICA.
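The FTP item above explains that the firewall detects data connections from the control channel and that the Any / Active / Passive setting restricts which of them are allowed. The following added example (a simplified model, not the appliance's implementation) parses the client's PORT command and the server's 227 reply on constructed control-channel lines and returns the data connection the firewall should expect under each setting; the function names are the example's own.

```python
import re
from typing import Optional, Tuple

# FTP encodes an endpoint as h1,h2,h3,h4,p1,p2 with port = p1 * 256 + p2.
_ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode(h1: str, h2: str, h3: str, h4: str, p1: str, p2: str) -> Tuple[str, int]:
    octets = [int(x) for x in (h1, h2, h3, h4)]
    port = int(p1) * 256 + int(p2)
    if any(o > 255 for o in octets) or not (0 < port <= 65535):
        raise ValueError("invalid FTP endpoint encoding")
    return ".".join(map(str, octets)), port


def expected_data_connection(line: str, from_client: bool,
                             mode: str) -> Optional[Tuple[str, int, str]]:
    """Return (host, port, "Active" | "Passive") for the data connection the
    control line announces, or None if it announces none or the configured
    mode ("Any", "Active" or "Passive") does not allow that kind of connection.
    Active: the client sends PORT and the server connects back to it.
    Passive: the server replies 227 and the client connects to the server."""
    if mode not in ("Any", "Active", "Passive"):
        raise ValueError(f"unknown mode {mode!r}")
    text = line.strip()
    m = _ENDPOINT.search(text)
    if m is None:
        return None
    if from_client and text.upper().startswith("PORT "):
        if mode == "Passive":
            return None  # active-mode data connections are not opened
        return (*_decode(*m.groups()), "Active")
    if not from_client and text.startswith("227"):
        if mode == "Active":
            return None  # passive-mode data connections are not opened
        return (*_decode(*m.groups()), "Passive")
    return None


if __name__ == "__main__":
    # Constructed control-channel exchange (documentation addresses).
    session = [("USER anonymous", True),
               ("PORT 192,0,2,10,200,11", True),
               ("227 Entering Passive Mode (198,51,100,5,19,137)", False)]
    for mode in ("Any", "Active", "Passive"):
        for line, from_client in session:
            print(mode, repr(line), "->", expected_data_connection(line, from_client, mode))
```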