Managing Service Groups
The Users & Objects > Service Groups page lists the service groups defined in the system. In this page you can add new service groups, and edit or delete existing service groups.
We recommend that you define service groups and use them to configure the security policy. If the security policy is configured with groups and not specific objects, it is much easier to maintain the policy over time. If you decide to add new service objects to the system, you only need to add them to the relevant groups and the policy automatically applies to them.
There are built-in service groups for common services.
Some of these service groups also contain additional configuration for the inspection of the specific protocol.
To create a new service group:
- Click New.
  The New Service Group window opens.
- Enter a Name for the group and Comments (optional).
- Click Select to show the full list of available services and select the relevant checkboxes.
- Click New if the existing list does not contain the services you need. For information on creating a new service object, see the Users & Objects > Services page.
- Click Apply.
  The New Service Group window opens and shows the services you selected.
- You can also click New from the New Service Group window.
- To remove a service object from the group list, select it and click Remove.
- Click Apply.
  The service group is added to the list of groups.
To edit a service group:
- Select a group from the list.
- Click Edit.
- Make the necessary changes.
- Click Apply.
To delete a service group:
- Select the group from the list. Note that you can only delete a user-defined service group.
- Click Delete.
- Click Yes in the confirmation message.
To filter for a specified service group:
- In the Type to filter box, enter the service group name or part of it.
- As you enter text, the list is filtered and shows matching results.
Built-in System Service Groups
Some built-in service groups represent Check Point's ability to perform deep inspection of a specific protocol. Such system service groups cannot be deleted. They contain a list of built-in services; if you edit the content of such a group, you can restore the original list by clicking Reset.
Some system service groups have additional configuration that affects the way the deep inspection is performed.
DNS - The Firewall settings tab lets you configure NAT support over DNS. Note that this option affects the performance of DNS traffic and is normally not needed unless your organization uses both NAT and an internal DNS server accessible to the Internet. The IPS settings tab lets you configure how and when DNS deep inspection is performed. Select the relevant options.