6.4.1. Procedure – Creating a new service

To create a new service that inspects a traffic on the application level, complete the following steps.

  1. Navigate to the Services tab of the Application-level Gateway MC component and click New.

    Creating a new service

    Figure 6.23. Creating a new service

  2. Enter a name for the service into the opening dialog. Use clear, informative, and consistent service names. It is recommended to include the following information in the service name:

    • source zones, indicating which clients may use the service (for example, intranet)

    • the protocol permitted in the traffic (for example, HTTP)

    • destination zones, indicating which servers may be accessed using the service (for example, Internet)

    Tip

    Name the service that allows internal users to browse the Web intra_HTTP_internet. Use dots to indicate child zones, for example, intra.marketing_HTTP_inter.

  3. Click in the Class field and select Service.

  4. In the Proxy class field, select the application-level proxy that will inspect the traffic. Only traffic corresponding to the selected protocol and the settings of the proxy class can pass the firewall.

    Note

    Application-level Gateway has many proxy classes available by default. These can be used as is, or can be customized if needed.

    • For details on customizing proxy classes, see Section 6.6, Proxy classes.

    • The settings and parameters of the proxy classes are detailed in the Chapter 4, Proxies in Proxedo Network Security Suite 2 Reference Guide.

    • To permit any type of Layer 7 traffic, select PlugProxy. The PlugProxy is a protocol-independent proxy.

  5. Optional Step: If the inspected traffic will be SSL- or TLS-encrypted, select the Encryption Policy to use in the Encryption Policy field. For details, see Section 6.7.3, Encryption policies.

  6. Optional Step: In the Routing section, select the method used to determine the IP address of the destination server. For details, see Section 6.4.5, Routing — selecting routers and chainers.

  7. Optional Step: In the NAT section, the Network Address Translation policy used to NAT the address of the client (SNAT), the server (DNAT), or both. For details, see Section 6.7.10, NAT policies.

    Note

    To remove a policy from the service, select the empty line from the combobox.

    Note

    NAT policies cannot be used in packet filtering services (PFServices) for IPv6 traffic.

  8. Optional Step: In the Chainer field, select the method used to connect to the destination server. See Section 6.4.5, Routing — selecting routers and chainers for details.

  9. Optional Step: To specify exactly which zones can be accessed using the service, click Routing > Limit > ... and select the permitted zones. If this option is set, the target server must be located in the selected zones, otherwise Application-level Gateway will reject the connection.

    Note

    The zone set in the Limit option is the actual location of the target server. This is independent from the destination address of the client-side connection.

    This option replaces the functionality of the inband_services parameter of the zone.

  10. Optional Step: In the Authentication section, select the authentication and authorization policies used to verify the identity of the client. See Chapter 15, Connection authentication and authorization for details.

  11. Optional Step: In the Advanced > Resolver policy field, select how Application-level Gateway should resolve the addresses of the client requests. See Section 6.7.11, Resolver policies for details.

  12. Optional Step: To limit how many clients can access the service at the same time, set the Advanced > Limit concurrency option. By default, Application-level Gateway does not limit the number of concurrent connections for a service (0).

  13. Optional Step: To send keep-alive messages to the server, to the client, or to both, to keep the connection open even if there is no traffic, set the Advanced > Keepalive option to V_KEEPALIVE_SERVER, V_KEEPALIVE_CLIENT, or V_KEEPALIVE_BOTH.

  14. Commit your changes.