Skip to main content
Versa Networks

Configure Service Objects

  1. Last updated
  2. Save as PDF

Versa-logo-release-icon.pngFor supported software information, click here.

In the Versa Operating SystemTM (VOSTM) software, security policies can reference service objects, which define match criteria based on protocol name and number, and on source and destination port number. The Versa Security Research team provides default predefined services and object definitions, and periodically provides security packages (SPacks) to update the default services and objects.

You can also create custom service objects. One reason to do this might be if a well-known service runs on a non-standard port or if the predefined services are missing a desired port and protocol combination. Another reason might be to limit the number of ports that an application can use. For example, you could limit FTP to use only port 21 instead of using both ports 20 and 21.

The custom service objects that you define for a tenant can be used only by that tenant, and they are not visible or available to any other tenants.

View Predefined Services

The Versa Security Research team defines predefined services and object definitions, which are essentially factory defaults. Versa periodically updates these predefined services and object definitions in security packages (SPacks). You can use the security package to update the predefined objects at any time, without any operational impact to the Director node or to VOS devices.

To provide feedback about the predefined objects, including input about adding or modifying them, send email to support@versa-networks.com.

To view the predefined services on a VOS device:

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device name in the main panel. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Objects & Connectors > Objects > Predefined > Services to view the list of predefined service objects.

    objects_predefined_services_main_screen.png
  4. Click the Column_filter_icon.png Column Filter icon to restrict the columns to display in the table.
  5. Click the Filter_icon.png Filter icon to filter the display by the protocol name, protocol value, source port, and destination port.

Configure Custom Service Objects

You can create custom service objects, for example, if a well-known service runs on a non-standard port or if the predefined services are missing the desired port and protocol combination.

To create a custom service object:

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device name in the main panel. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Objects & Connectors > Objects > Custom Objects > Services in the left menu bar.

    Objects_CustomObjects_Services2.png
  4. Click + Add in the main pane to add a custom service. In the Add Service window, enter information for the following fields.

    Add_Service.png
     
    Field Description
    Name Enter a name for the custom service object.
    Description Enter a text description for the custom service object.
    Tags Enter a text string to describe the custom service object.
    Protocol

    Click to define a custom service object by protocol name. Then, in the Protocol field, select the protocol:

    • AH
    • ESP
    • ICMP
    • ICMPv6 (for Releases 22.1.1 and later.)
    • TCP
    • TCP or UDP
    • UDP
    Protocol Value

    Click to define a custom service object by protocol number. Then, in the Protocol Value field, enter the number of the protocol.
    Port Range

    Click to configure a port range for the custom service object. Then, in the Port field, enter the port number range. You can enter a single port number (for example, 20000), multiple comma-separated port numbers (for example, 20000,22000,5600), or a hyphen-separated range of port numbers (for example, 20000-22000).
    Source/Destination Port Click to associate the custom service object with a single source or destination port, or with a combination of source and destination ports. Then, in the Source Port and Destination Port fields, enter the port numbers. You can enter a single port number (for example, 20000), multiple comma-separated port numbers (for example, 20000,22000,5600), or a hyphen-separated range of port numbers (for example, 20000-22000).
    ICMP

    (For Releases 22.1.1 and later.) If you select the ICMP or ICMPv6 protocol, click to define a custom service object by ICMP values:

    • ICMP Code—Enter the ICMP code. You can enter an individual value, a comma-separated list of values, or a range of values.
    • ICMP Type—Enter the ICMP type. You can enter an individual value, a comma-separated list of values, or a value range of values (for example, 9-12).
  5. Click OK.

Apply a Service Object to an Access Policy

You can apply a service object to a security access policy to define a security policy. To define and configure a security access policy, see Configure Security Access Policy Rules.

To apply a service object to an access policy:

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device name in the main panel. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Services > Next-Gen Firewall > Security > Policies in the left menu bar, and then select the Rules tab.

    conf_serv_ngfw_security_policies_main_screen.png
  4. Click a security access policy rule name in the main pane. The Edit Rule popup window displays.
  5. Select the Headers/Schedule tab.

    Edit_rule_select_from_drop-down.png
  6. In the Service List table, select the Plus_add_icon.png Add icon, and then select a service object.
  7. Click OK.

Configuration Example

The following example shows how to deny HTTP traffic based on a service object and associated access policy rule and how to monitor the effects of the rule.

To configure the service object:

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device name in the main panel. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Objects & Connectors > Objects > Custom Objects > Services in the left menu bar.
  4. Select + Add.
  5. In the Add Service popup window, add a service object.
    1. Enter a name for the service object. In the example here, the name is Custom_HTTP_Service.
    2. Click the Protocol field, and select TCP as the protocol.
    3. Click the Source/Destination field, and enter a value for Destination Port. In the example, the port is 8080.
    4. Click OK.

      Example_Add_Service_popup.png
  6. Click OK.
  7. Select Services > Next-Gen Firewall > Security > Policies in the left menu bar, and select the Rules tab.
  8. Click + Add. The Add Rule popup window displays.
  9. Create an access policy rule that includes the scheduled object.
    1. Select the General tab, and then enter the name of the access policy rule, here, Block_HTTP_Service_to_Port_8080.

      Example_NGFW_Add_Rule_General_Tab.png
    2. Select the Headers/Schedule tab, and then select the service you created in Step 5, here, Custom_HTTP_Service.

      Example_NGFW_Add_Rule_HeadersSchedule_Tab.png
    3. Select the Enforce tab, and then select Deny under Action.

      Example_NGFW_Add_Rule_Enforce_Tab.png
    4. Click OK to creates a rule that denies HTTP traffic to port 8080.

To see how the service object associated with a policy affects the traffic flow, you monitor the policy:

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device name in the main panel. The view changes to Appliance view.
  2. Select the Monitor tab in the top menu bar.
  3. Select a provider organization in the Organization field
  4. Select the Services tab in the horizontal menu bar.
  5. Select NGFW > Policies. The NGFW policy statistics display, and the Rule Name column displays statistics about the access policy rule that you created.

    Monitor_NGFW_Policies.png

Supported Software Information

Releases 20.2 and later support all content described in this article, except:

  • Release 22.1.1 adds support for ICMPv6. You can specify the ICMP type and code for ICMPv4 and ICMPv6 custom service objects.