To edit a policy service:
- Select desired policy tab in the policy toolbar.
- Select the policy in the table, right-click the Service column, and select Edit in the menu. The Edit Service dialog box is displayed.
Edit service
- Configure the following settings:
| Name | Edit the service name as required. |
| Comments | Type an optional comment. |
| Color | Select the icon to select an custom icon to display next to the service name. |
| Protocol | Select the protocol from the drop-down list. Select one of the following: TCP/UDP/SCTP, ICMP, ICMP6, or IP. |
| IP/FQDN | Type the IP address or FQDN.
This menu item is available when Protocol is set to TCP/UDP/SCTP. You can then define the protocol, source port and destination port in the table. |
| Type | Type the service type in the text field.
This menu item is available when Protocol is set to ICMP orICMP6. |
| Code | Type the code in the text field.
This menu item is available when Protocol is set to ICMP orICMP6. |
| Protocol Number | Type the protocol number in the text field.
This menu item is available when Protocol is set to IP. |
| Advanced Options | For more information on advanced option, see the FortiOS CLI Reference. |
| check-reset-range | Configure ICMP error message verification.
l disable: The FortiGate unit does not validate ICMP error messages. l strict: If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header, then if FortiOS can locate the A:C->B:D session it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range then the ICMP packet is dropped. If is enabled the FortiGate unit logs that the ICMP packet was dropped. Strict checking also affects how the antireplay option checks packets. l default: Use the global setting defined in system global. This field is available when protocol is TCP/UDP/SCTP. This field is not available if explicit-proxy is enabled. |
| session-ttl | Type the default session timeout in seconds.
The valid range is from 300 – 604 800 seconds. Type 0 to use either the perpolicy session-ttl or per-VDOM session-ttl, as applicable. This is available when protocol is TCP/UDP/SCTP. |
| tcp-halfclose-timer | Type how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded.The valid range is from 1 to 86400 seconds. Type 0 to use the global setting defined in system global.
This is available when protocol is TCP/UDP/SCTP. |
| tcp-halfopen-timer | Type how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded.
The valid range is from 1 to 86400 seconds. Type 0 to use the global setting defined in system global. This is available when protocol is TCP/UDP/SCTP. |
| tcp-timewait-timer | Set the length of the TCP TIME-WAIT state in seconds.As described in RFC 793, the “…TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.”
Reducing the length of the TIME-WAIT state means the FortiGate unit can close terminated sessions faster, which means that more new sessions can be opened before the session limit is reached. The valid range is 0 to 300 seconds. A value of 0 sets the TCP TIME-WAIT to 0 seconds. Type 0 to use the global setting defined in system global. This is available when protocol is TCP/UDP/SCTP. |
| udp-idle-timer | Type the number of seconds before an idle UDP connection times out.The valid range is from 1 to 86400 seconds.
Type 0 to use the global setting defined in system global. This is available when protocol is TCP/UDP/SCTP. |
- Select OK to save the service. The custom service will be added to Objects > Firewall Objects > Service.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Question about ADOMs. In previous versions of FortiOS 4.3 maybe earlier. When you had multiple devices under an ADOM the policies and objects were clearly separated per device being managed. With the newer FortiOS it seems as though there is overlapping and my policies and objects seem to be cross contaminated between devices. What is your perspective on this and/or work around? Thank you in advance – Richard
I always keep my devices separated by Firmware version. ADOM 4.3 ADOM 5.2 ADOM 5.4 etc to keep things nice and neat.
I have an issue for deleting the V4.2 ADOMs from FMG V5.2 getting the below error.
Some ADOM(s) were not deleted successfully because they are not empty
But those ADOMs are not used anywhere. How to find out where it is used?
No admin accounts having access to the ADOM, No policy package for the ADOM.
Usually, it experiences this issue because something somewhere is still referencing it. Whether that item be a policy package as you mentioned before or a group etc.
Is there any possibilities to find out the references for that ADOM on the FMG.
Hi Mike,
We use fortimanager v5.4.1-build1082 160629 (GA) FMG-VM64 but we cant drag and drop within the rule base. (drag en drop from the object side plain does work) I have seen a instruction video were they lock the adom but also that future is non exsistent in our GUI.
You have any idea what this could be ? I did not see any issues on this subject on the fortinet site. We have upgraded from a older version FM.
kind regards and thanks for this great support site, i look here first!
Did you follow the supported upgrade path when you moved your FortiManager up through the code?
Not sure ( I was not involved and there is no change history) but i did found this in the “alert message console”
Upgrade image from v5.2.7-build0757-160408(GA) to v5.4.1-build1082-160629
Hello,
HELP !! we have multiple firewalls we would like to upload on our Fortimanager in the same ADOM.
The problem is that some objects have the same names but different IPs adresses. i read that the only solution is mapping the objects. if we do so we will have to it manually on every object (more than ~200) which is not an option for me. Can you please help me with this problem ?