[ISG/NS/SSG] Configuring a Custom Service

  [KB4220]


Summary:

This article shows how to configure a Custom Service.

Symptoms:

Cause:

Solution:

On occasion, a custom service needs to be created to allow certain ports and protocols to pass through the Juniper firewall.

When defining a custom TCP service, the source port in most cases is a random port, between 1024 and 65535. The destination port is specified to match the server's listening port.

A Custom Service requires a source port range, a destination port range, and a transport protocol (TCP, UDP, etc.) to be specified.

 Note: For this article, a custom service for AppleTalk File Services is configured. To create a custom service for AppleTalk File Services, which listens on TCP port 548, define this service with the following ports:

  • Source Port Low: 1024
  • Source Port High: 65535
  • Destination Port Low: 548
  • Destination Port High: 548


Configure a custom service via Web UI:

Step one: Open the Web UI. For more information on accessing the Web UI, see KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.

Step two: From the ScreenOS options menu, click Objects, select Services, and then click Custom.

Note: In ScreenOS 6.0.0 and above, the Custom services are defined differently in the Web UI: Click Policy, then Policy Elements, then Services, and then click Custom.

Step three: From the Custom page, click New.

Step four: In the Service Name text box, enter a Service Name.

Step five: Under Transport protocol, click to select tcp.

Step six: Under Source Port Low, enter 1024, and then under Source Port High, enter 65535. Under Destination Port Low, enter 548, and then under Destination Port High, enter 548.

Step seven: Click OK.


Configure a custom service via CLI:

  1. Log in to the CLI.

  2. Enter the command set service <name> protocol <protocol> src-port <port range> dst-port <port range>.

Example: set service "AppleTalk File Services" protocol tcp src-port 1024-65535 dst-port 548-548
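The following added example (not part of the original article or of ScreenOS) parses set service lines in the form shown above from a saved configuration and flags definitions that deserve review before a policy references them. The function names, the MAX_DST_SPAN threshold, and the sample configuration are assumptions made for illustration.

```python
import re
import shlex

# Command form taken from this article:
#   set service <name> protocol <protocol> src-port <low>-<high> dst-port <low>-<high>
MAX_DST_SPAN = 100  # assumed review threshold, not a ScreenOS limit

def parse_service(line):
    """Return a dict for a 'set service' line in the article's form, else None."""
    tok = shlex.split(line)  # handles quoted names such as "AppleTalk File Services"
    if len(tok) != 9 or tok[:2] != ["set", "service"]:
        return None
    if (tok[3], tok[5], tok[7]) != ("protocol", "src-port", "dst-port"):
        return None
    svc = {"name": tok[2], "protocol": tok[4].lower()}
    for key, text in (("src", tok[6]), ("dst", tok[8])):
        m = re.fullmatch(r"(\d+)-(\d+)", text)
        if not m:
            raise ValueError(f"{svc['name']}: bad {key} port range {text!r}")
        low, high = int(m.group(1)), int(m.group(2))
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"{svc['name']}: {key} range {low}-{high} is invalid")
        svc[key] = (low, high)
    return svc

def review(svc):
    """List reasons a service definition is broader than the article's pattern."""
    findings = []
    low, high = svc["dst"]
    if high - low + 1 > MAX_DST_SPAN:
        findings.append(f"destination range {low}-{high} spans {high - low + 1} ports")
    if svc["src"][0] < 1024:
        findings.append("source range starts below 1024 (usual range is 1024-65535)")
    return findings

def audit(config_text):
    """Map each custom service name found in the config to its findings."""
    parsed = (parse_service(l) for l in config_text.splitlines() if l.strip())
    return {svc["name"]: review(svc) for svc in parsed if svc}

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = '''\
set service "AppleTalk File Services" protocol tcp src-port 1024-65535 dst-port 548-548
set service "Legacy App" protocol tcp src-port 0-65535 dst-port 1024-65535
set hostname fw1
'''

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "->", findings or "ok")
```
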
