Create Service Objects

A service object defines protocol + port(s) used in firewall policies. Built-ins cover everything common: HTTP (TCP/80), HTTPS (TCP/443), DNS (UDP/53), SSH (TCP/22), RDP (TCP/3389), etc. Create custom service objects for non-standard ports or your own application protocols.

Steps

Custom Service

  1. Policy & Objects → Services → + Create New → Service.
  2. Fill in:
    • Name — e.g. App-CustomERP-8080.
    • Color — optional tag.
    • Service Type:
      • Firewall — TCP/UDP/SCTP/ICMP service (most common).
      • Explicit Proxy — for explicit proxy use cases.
    • Show in Service List — Enabled.
    • Protocol Type — TCP/UDP/SCTP, ICMP, ICMP6, IP (raw protocol number).
    • Address (TCP/UDP) — restrict to destination IPs (rarely used here; usually use address objects on the policy).
    • Destination Port — port or range, e.g. 8080, 8080-8090, or 8080:0-65535 for advanced source-port specs.
    • Source Port — usually leave at 1-65535 (any).
  3. OK.

Service Group

For policies that allow multiple services:

  1. Policy & Objects → Services → + Create New → Service Group.
  2. Name, Members (pick the service objects).
  3. OK.

CLI Equivalent

config firewall service custom
edit "App-CustomERP-8080"
    set tcp-portrange 8080
    set comment "Internal ERP application"
next
end

config firewall service group
edit "Web-Services"
    set member "HTTP" "HTTPS" "DNS"
next
end

Useful Built-Ins to Know

  • ALL — every TCP, UDP, ICMP — permissive.
  • ALL_TCP / ALL_UDP / ALL_ICMP — protocol-wide.
  • HTTP / HTTPS / DNS / DHCP / NTP — common app protocols.
  • SSH / TELNET / FTP / SFTP / SMB / NetBIOS — remote/file services.
  • SIP / RTP — voice (FortiGate has SIP ALG; sometimes you want this off — see Common Issues).
  • Web Access group — HTTP + HTTPS together.

Verify

In Policy & Objects → Services, the new service appears. Reference it in a firewall policy — search/picker should find it.

Common Issues

  • Custom service won't match traffic. Usually a wrong protocol type or wrong port. Confirm with a packet capture what is actually flowing before changing the object.
  • Port range vs single port confusion. A range 8080-8090 means 8080 through 8090. A single port is just 8080.
  • SIP ALG breaks VoIP. FortiGate's SIP application gateway sometimes mangles SIP traffic. To disable it from the CLI: config system settings; set sip-helper disable; set sip-nat-trace disable; end.
  • Service group too narrow. Adding a new service to a group requires editing the group — easy to forget after creating the service.
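As an added example (not part of this page and not Fortinet code), a small Python parser for the two CLI blocks under CLI Equivalent that validates every port spec in the dst[-dst][:src[-src]] syntax described under Destination Port, so the "won't match traffic" and "port range vs single port" mistakes above can be caught in a config review. It assumes only the tcp-/udp-/sctp-portrange and member keys shown on this page; the sample config is constructed from the page's own blocks.

```python
import re
# Constructed sample: the two CLI blocks shown on this page, verbatim.
SAMPLE_CONFIG = """\
config firewall service custom
    edit "App-CustomERP-8080"
        set tcp-portrange 8080
        set comment "Internal ERP application"
    next
end
config firewall service group
    edit "Web-Services"
        set member "HTTP" "HTTPS" "DNS"
    next
end
"""
PORTSPEC = re.compile(r"^(\d+)(?:-(\d+))?(?::(\d+)(?:-(\d+))?)?$")

def parse_portspec(spec):
    """(dst_lo, dst_hi, src_lo, src_hi); no source part = any (1-65535); bad ranges raise."""
    m = PORTSPEC.match(spec.strip())
    if not m:
        raise ValueError(f"malformed port spec: {spec!r}")
    dlo, dhi, slo, shi = (int(g) if g else None for g in m.groups())
    dhi = dlo if dhi is None else dhi
    slo, shi = (1, 65535) if slo is None else (slo, slo if shi is None else shi)
    rng = (dlo, dhi, slo, shi)
    if not all(0 <= p <= 65535 for p in rng) or dlo > dhi or slo > shi:
        raise ValueError(f"port range inverted or out of bounds: {spec!r}")
    return rng

def parse_config(text):
    """Return (services, groups): name -> {proto: [port tuples]}, name -> [members]."""
    services, groups, section, name = {}, {}, None, None
    for raw in text.splitlines():
        t = raw.strip()
        if t.startswith("config firewall service "):
            section = t.rsplit(" ", 1)[1]                  # "custom" or "group"
        elif t.startswith("edit "):
            name = t.split('"')[1]
            (services if section == "custom" else groups)[name] = {} if section == "custom" else []
        elif t.startswith("set ") and name:
            key, _, val = t[4:].partition(" ")
            if key.endswith("-portrange"):                 # tcp-/udp-/sctp-portrange
                services[name].setdefault(key[:-10], []).extend(parse_portspec(v) for v in val.split())
            elif key == "member":
                groups[name].extend(re.findall(r'"([^"]*)"', val))
        elif t in ("next", "end"):
            name = None
    return services, groups
```

Checking `needed in groups["Web-Services"]` after parsing is a quick way to catch the "service group too narrow" case for a newly created service.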