6.4. Application-level Gateway services

Services define the traffic that can pass through the firewall. A service is not a software component, but a group of parameters that describe what kind of traffic Application-level Gateway should accept and how to handle the accepted traffic. The service specifies how thoroughly the traffic is analyzed (packet filter or application level), the protocol of the traffic (for example, HTTP, FTP, and so on), whether the traffic is TLS-encrypted (and related security settings such as the accepted certificates), the NAT policies applied to the connections, and many other parameters.

Packet-filter services forward the incoming packets using the kzorp kernel module. Application-level services create two separate connections on the two sides of Application-level Gateway (client–Application-level Gateway and Application-level Gateway–server) and analyze the traffic on the protocol level. Only application-level services can perform content filtering, authentication, and other advanced features.

Note

To allow IPSec traffic to pass through PNS, you must add packet-filtering rules manually. See Procedure 16.3.3, Forwarding IPSec traffic on the packet level for details.

The following types of services are available in Application-level Gateway:

  • Service: Inspects the traffic on the application level using proxies. For the highest available security, use application-level inspection whenever possible. For details, see Procedure 6.4.1, Creating a new service.

  • PFService: Inspects the traffic only on the packet level. Use packet-level filtering to transfer very large amounts of UDP traffic (for example, streaming audio or video). For details, see Procedure 6.4.2, Creating a new PFService.

  • DenyService: To make a service unavailable for some reason (for example, because accessing it is prohibited in certain zones), use DenyService. DenyService is a replacement for the umbrella zones of earlier Application-level Gateway versions. For details, see Procedure 6.4.3, Creating a new DenyService.

  • DetectorService: Attempts to determine the protocol used in the connection from the traffic itself, and starts the specified service. Currently it can detect HTTP, SSH, and SSL traffic. For HTTPS connections, it can also select a service based on the certificate of the server. For details, see Procedure 6.4.4, Creating a new DetectorService.
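
As an added illustration (not code from this documentation or from Application-level Gateway itself), the following Python sketch shows the kind of first-bytes heuristic a DetectorService relies on to tell HTTP, SSH and SSL apart and to pick the service that should handle the connection. The service names in DETECTOR_CONFIG and the sample byte strings are constructed for the example; a connection whose protocol cannot be identified gets no service.

```python
import re
from typing import Optional

# Constructed mapping from detected protocol to the service that should
# handle it (hypothetical service names, not taken from the documentation).
DETECTOR_CONFIG = {
    "http": "intra_http",
    "ssh": "intra_ssh",
    "ssl": "intra_https",
}

# Request line of an HTTP/1.x request: METHOD SP request-target SP HTTP/1.x CRLF
_HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")


def detect_protocol(first_bytes: bytes) -> Optional[str]:
    """Guess the protocol from the first segment the client sends.

    Returns "ssh", "ssl", "http", or None when nothing matched. Only the
    client's opening bytes are inspected, since a service has to be chosen
    before any proxy starts handling the connection.
    """
    # SSH: the client identification string is "SSH-protoversion-software".
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS: record type 0x16 (handshake), version major byte 0x03, and the
    # first handshake message from the client is a ClientHello (type 0x01).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "ssl"
    # Plain HTTP: a complete request line.
    if _HTTP_REQUEST_LINE.match(first_bytes):
        return "http"
    return None


def select_service(first_bytes: bytes, config=DETECTOR_CONFIG) -> Optional[str]:
    """Map the detected protocol to a service name.

    None means no service could be chosen, so the connection is not served.
    """
    proto = detect_protocol(first_bytes)
    return config.get(proto) if proto is not None else None


if __name__ == "__main__":
    # Constructed samples: an SSH banner, a TLS ClientHello record header,
    # an HTTP request, and an unrecognized blob.
    for sample in (b"SSH-2.0-OpenSSH_8.9\r\n",
                   b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
                   b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
                   b"\x00\x00\x00garbage"):
        print(sample[:12], "->", select_service(sample))
```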

Services are managed from the Services tab of the Application-level Gateway MC component. The left side of the tab displays the configured services, while the right side shows the parameters of the selected service. Use this tab to delete unwanted services, modify existing ones, or create new ones.