Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Creating Services and Service Groups

    A service in Security Director refers to an application on a device, such as Domain Name Service (DNS). Services are based on protocols and ports used by an application, and when added to a policy, a configured service can be applied across all devices managed by Security Director. Once you create a service, you can combine it with other services to form a service group. Service groups are useful when you want to apply the same policy to multiple services.

    The protocols available to create a service include: TCP, UDP, SUN-RPC, MS-RPC, ICMP, ICMPv6, and Other.

    During a device update, you can delete all unused services and service groups by selecting an option available under Update Device in Junos Space. By default, this option is enabled when you perform a fresh install of Security Director or upgrade from the previous release.

    Note: There are Juniper Networks defined service objects for commonly used services, but you cannot modify or delete them. These services appear when you install a fresh version of Security Director.

    Before You Begin

    • Read the topic.

    • Gather all the information for the protocols you are using to create the service, including source and destination ports and protocol type such as TCP or UDP.

    • Check to see if cloning an existing service might be more efficient than creating a new one.

    • Review the services main page for an understanding of your current data set. See for field descriptions.


    Configuring Services and Service Groups


    To configure a service:

    1. Select Configure > Shared Objects > Services.
    2. Click Create.
    3. Complete the configuration according to the guidelines in Tables 1 through 3.
    4. Click OK.

    A new service or service group with your configurations is created. You can use this object in policies. You can also assign it to a domain; see Assigning Policies and Profiles to Domains.

    Table 1: Service Settings

    Setting

    Guideline

    General Information

    Object Type

    Select Service or Service Group. If you select Service Group, then the screen changes so you can select the services you want to include in your service group.

    Name

    Required. Enter a unique name for the service. It must begin with an alphanumeric character and cannot exceed 63 characters. Dashes and underscores are allowed.

    Description

    Enter a description for your service. You should make this description as useful as possible for all administrators.

    Create Protocol

    Name

    Enter a unique name for the protocol. It must begin with an alphanumeric character and cannot exceed 63 characters. Dashes and underscores are allowed.

    Description

    Enter a description for your protocol. It cannot exceed 1,024 characters.

    Type

    Select a type of protocol and fill in the corresponding fields. Available types are: TCP, UDP, ICMP, SUN-RPC, MS-RPC, ICMPv6, and Other. If you select TCP, continue with this table. See Table 2 for the other protocol types.

    Destination Port

    Enter a destination port number for TCP. This is a value or value range from 0 through 65,535.

    Advanced Settings

    Enable Inactivity Timeout

    Selected by default. Enter a timeout value for this protocol in seconds or minutes. The maximum values are 129,600 seconds and 2,160 minutes.

    ALG

    Select an ALG (Application Layer Gateway) service option if applicable.

    Source Ports and Port Ranges

    Enter the source port or port range for the protocol.

    Table 2 includes the settings and guidelines for the various protocol types.


    Advanced Settings


    Table 2: Create Protocol Type Settings

    Setting

    Guideline

    UDP

    Destination Port

    Enter a destination port number for UDP. This is a value or value range from 0 through 65,535.

    Advanced Settings

    Enable Inactivity Timeout

    Selected by default. Enter a timeout value for this protocol in seconds or minutes. The maximum values are 129,600 seconds and 2,160 minutes.

    ALG

    Select an ALG (Application Layer Gateway) service option if applicable.

    Source Ports and Port Ranges

    Enter a source port or port range for UDP. This is a value or value range from 0 through 65,535.

    ICMP

    Enable Inactivity Timeout

    Selected by default. Enter a timeout value for this protocol in seconds or minutes. The maximum values are 129,600 seconds and 2,160 minutes.

    ICMP Type

    Enter a value from 0 through 225 for the ICMP message type. For example, enter 1 for host unreachable. You can find these values in RFC 792.

    ICMP Code

    Enter a value from 0 through 225 for the ICMP code. For example, enter 0 for echo reply. You can find these values in RFC 792.

    SUN-RPC

    Destination Port (available if Enable ALG is selected)

    Enter a destination port for SUN-RPC. This is a value or value range from 0 through 65,535.

    Enable Inactivity Timeout

    Selected by default. Enter a timeout value for this protocol in seconds or minutes. The maximum values are 129,600 seconds and 2,160 minutes.

    Enable ALG

    Not selected by default. If you enable ALG for this protocol, you must enter a destination port in the field that becomes available.

    RPC Program Number

    Enter a value or value range for the RPC (remote procedure call) service. For example, enter 100,017 for remote execution. You can find these values in RFC 5531.

    Protocol Type

    Select TCP or UDP for the protocol type.

    MS-RPC

    Destination Port (available if Enable ALG is selected)

    Enter a destination port for MS-RPC. This is a value or value range from 0 through 65,535.

    Enable Inactivity Timeout

    Selected by default. Enter a timeout value for this protocol in seconds or minutes. The maximum values are 129,600 seconds and 2,160 minutes.

    Enable ALG

    Not selected by default. If you enable ALG for this protocol, you must enter a destination port number in the field that becomes available.

    UUID

    Enter the corresponding UUID value for the MS-RPC service. For predefined values, refer to MS-RPC UUID Mappings.

    Protocol Type

    Select TCP or UDP for the protocol type.

    ICMPv6

    Enable Inactivity Timeout

    Selected by default. Enter a timeout value for this protocol in seconds or minutes. The maximum values are 129,600 seconds and 2,160 minutes.

    ICMP Type

    Enter a value from 0 through 225 for the ICMPv6 message type. You can find these values in RFC 4443.

    ICMP Code

    Enter a value from 0 through 225 for the ICMPv6 code. You can find these values in RFC 4443.

    Destination Port

    Use other to create protocols that do not match the provided type categories. Enter a destination port for the other protocol. This is a value or value range from 0 through 65,535.

    Advanced Settings

    Enable Inactivity Timeout

    Selected by default. Enter a timeout value for this protocol in seconds or minutes. The maximum values are 129,600 seconds and 2,160 minutes.

    ALG

    Select an ALG (Application Layer Gateway) service option if applicable.

    Source Ports and Port Ranges

    Enter the source port or port range for the other protocol.

    Protocol Number

    Enter a protocol number for the protocol type. RFC 791 contains a list of protocols and their corresponding numbers. This number identifies the service in the next higher level in the protocol stack to which data is passed.

    Table 3 includes the settings and guidelines for service groups.

    Table 3: Service Group Settings

    Setting

    Guideline

    General Information

    Object Type

    Select Service Group. When you select Service Group, then the screen changes so you can select the services you want to include in your service group.

    Name

    Enter a unique name for the service group. It must begin with an alphanumeric character and cannot exceed 63 characters. Dashes and underscores are allowed.

    Description

    Enter a description for your service group. You should make this description as useful as possible for all administrators.

    Services

    Select the check box beside each service you want to include in the service group. Click the arrow to move the selected service or services from the Available column to the Selected column. Note that you can use the fields at the top of each column to search for listed services.

    Modified: 2016-06-14