Firewall > Services
SonicOS Enhanced 4.0 Administrator Guide
Click the Enable Logging checkbox to disable or enable the logging of the service activities.
Adding Custom IP Type Services
With only the predefined IP types available, the security appliance drops traffic of any
other IP Protocol type as unrecognized. However, there exists a large and expanding list of
other registered IP types, as governed by IANA (Internet Assigned Numbers Authority):
http://www.iana.org/assignments/protocol-numbers, so while the rigid practice of dropping
less-common (unrecognized) IP Type traffic is secure, it was functionally restrictive.
SonicOS Enhanced 3.5 and newer, with its support for Custom IP Type Service Objects, allows
an administrator to construct Service Objects representing any IP type, allowing Firewall
Access Rules to then be written to recognize and control IPv4 traffic of any type.
Note: The generic service Any will not handle Custom IP Type Service Objects. In other words,
simply defining a Custom IP Type Service Object for IP Type 126 will not allow IP Type 126
traffic to pass through the default LAN > WAN Allow rule.
It will be necessary to create an Access Rule specifically containing the Custom IP Type
Service Object to provide for its recognition and handling, as illustrated below.
Example
Assume an administrator needs to allow RSVP (Resource Reservation Protocol - IP Type 46)
and SRP (Spectralink™ Radio Protocol - IP Type 119) from all clients on the WLAN Zone
(WLAN Subnets) to a server on the LAN Zone (for example, 10.50.165.26). The administrator
can define Custom IP Type Service Objects to handle these two services:
Step 1 From the Firewall > Service Objects page, Services section, select Add.
Step 2 Name the Service Objects accordingly.
Step 3 Select Custom IP Type from the Protocol drop-down list.
Step 4 Enter the protocol number for the Custom IP Type. Port ranges are not definable for or
applicable to Custom IP types.
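The matching behavior described in the Note and the Example can be checked with a small model. The following is an added example, not SonicWALL code: it reads the protocol field of an IPv4 header and evaluates it against a simplified rule list. The PREDEFINED set, the 172.16.31.0/24 WLAN subnet, the first-match rule order and all function names are assumptions made for illustration.

```python
import ipaddress
import struct

# Assumption: stand-in for the appliance's predefined IP types (the page does not list them).
PREDEFINED = {1, 2, 6, 17, 47, 50, 51}
net = ipaddress.ip_network

# Constructed policy: zones are modelled as networks; 172.16.31.0/24 is a made-up WLAN subnet.
RULES = [
    {"src": net("172.16.31.0/24"), "dst": net("10.50.165.26/32"),
     "service": {46, 119}, "action": "allow"},   # custom objects: RSVP, SRP
    {"src": net("0.0.0.0/0"), "dst": net("0.0.0.0/0"),
     "service": "Any", "action": "allow"},       # default allow rule using Any
]

def make_header(proto, src, dst):
    """Build a constructed 20-byte IPv4 header (checksum left at 0, not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse_ipv4(header):
    """Return (protocol, src, dst) from a raw IPv4 header; raise ValueError if malformed."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    if header[0] >> 4 != 4 or (header[0] & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    return (header[9], ipaddress.IPv4Address(header[12:16]),
            ipaddress.IPv4Address(header[16:20]))

def service_matches(service, proto):
    """'Any' covers only predefined types; a custom type needs a rule naming its object."""
    if service == "Any":
        return proto in PREDEFINED
    return proto in service

def evaluate(rules, header):
    """Assumed first-match semantics; traffic matching no rule is dropped."""
    proto, src, dst = parse_ipv4(header)
    for rule in rules:
        if (src in rule["src"] and dst in rule["dst"]
                and service_matches(rule["service"], proto)):
            return rule["action"]
    return "drop"

if __name__ == "__main__":
    for proto in (46, 119, 126, 6):
        hdr = make_header(proto, "172.16.31.10", "10.50.165.26")
        print(proto, evaluate(RULES, hdr))
```

In this model, IP Type 126 is dropped even though an Any allow rule exists, and RSVP from a source outside the WLAN subnet is dropped because only the explicit rule names IP Type 46.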