6.4. Application-level Gateway services

Services define the traffic that can pass through the firewall. A service is not a software component but a group of parameters that describe what kind of traffic Application-level Gateway should accept or deny, and how it should handle the accepted traffic. The service specifies how thoroughly the traffic is analyzed (on the packet level or on the application level), the protocol of the traffic (for example, HTTP, FTP, and so on), whether the traffic is TLS-encrypted (together with the related security settings, such as which certificates are accepted), the NAT policies applied to the connections, and many other parameters.

Packet-filter services forward the incoming packets using the netfilter framework provided by the Linux kernel. Application-level services create two separate connections on the two sides of Application-level Gateway (client–Application-level Gateway and Application-level Gateway–server) and analyze the traffic on the protocol level; because the proxy terminates both connections, it sees the whole protocol stream rather than individual packets. Only application-level services can perform content filtering, authentication, and other advanced features.

The following types of services are available in Application-level Gateway:

  • Service: Inspects the traffic on the application level using proxies. For the highest available security, use application-level inspection whenever possible. For details, see Procedure 6.4.1, Creating a new service.

  • PFService: Inspects the traffic only on the packet level. Use packet-level filtering to transfer very large amounts of UDP traffic (for example, streaming audio or video). For details, see Procedure 6.4.2, Creating a new packet filtering Service (PFService).

  • DenyService: Makes a service unavailable for any reason (for example, because access is prohibited from certain zones). For details, see Procedure 6.4.3, Creating a new DenyService.

  • DetectorService: Attempts to determine the protocol used in the connection from the traffic itself, and then starts the service specified for that protocol. Currently it can detect HTTP, SSH, and SSL traffic. For HTTPS connections, it can also select a service based on the certificate of the server. For details, see Procedure 6.4.4, Creating a new DetectorService.
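
The following is an added illustration, written for this page and not taken from Application-level Gateway's code or its policy language, of how a DetectorService-style dispatcher picks a service from the first bytes a client sends. The three detector functions, the UNDECIDED/MATCH/NO_MATCH states, the service names (intra_http, intra_ssh, intra_https, deny_unknown), the MAX_PEEK byte budget and the sample byte strings are all constructed for the example. Selecting a service by the server's certificate, which the real DetectorService can do for HTTPS, needs the server side of the connection and is not modelled here.

```python
# Added example: a stand-alone model of protocol detection on the first bytes
# a client sends, in the style of a DetectorService. This is illustration code
# written for this page, not code from Application-level Gateway; every name,
# state and sample below is constructed for the example.

from typing import Callable, Optional

UNDECIDED = "undecided"   # consistent with the protocol so far; need more bytes
MATCH = "match"
NO_MATCH = "no_match"

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"CONNECT", b"PATCH", b"TRACE")


def http_detector(peek: bytes) -> str:
    """HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF."""
    line, got_crlf, _ = peek.partition(b"\r\n")
    if not got_crlf:
        # No complete request line yet: still plausible only if what we have
        # could grow into "METHOD target HTTP/1.x".
        plausible = any(m.startswith(peek) or peek.startswith(m + b" ")
                        for m in HTTP_METHODS)
        return UNDECIDED if plausible else NO_MATCH
    parts = line.split(b" ")
    ok = (len(parts) == 3 and parts[0] in HTTP_METHODS
          and parts[2].startswith(b"HTTP/1."))
    return MATCH if ok else NO_MATCH


def ssh_detector(peek: bytes) -> str:
    """SSH identification string (RFC 4253 section 4.2) starts with 'SSH-'."""
    prefix = b"SSH-"
    if len(peek) < len(prefix):
        return UNDECIDED if prefix.startswith(peek) else NO_MATCH
    return MATCH if peek.startswith(prefix) else NO_MATCH


def tls_detector(peek: bytes) -> str:
    """TLS record header: content type handshake (0x16), major version 3, and
    a ClientHello (handshake type 0x01) at offset 5. SSLv2-style hellos use a
    different framing and are deliberately not recognised here."""
    header = bytes([0x16, 0x03])
    if len(peek) < 6:
        return UNDECIDED if header.startswith(peek[:2]) else NO_MATCH
    ok = peek[0] == 0x16 and peek[1] == 0x03 and peek[5] == 0x01
    return MATCH if ok else NO_MATCH


# Detectors in the order they are consulted, each paired with the service
# (constructed names) that gets the connection on a match.
DETECTOR_CONFIG: list[tuple[Callable[[bytes], str], str]] = [
    (http_detector, "intra_http"),
    (ssh_detector, "intra_ssh"),
    (tls_detector, "intra_https"),
]
DEFAULT_SERVICE = "deny_unknown"   # fallback when nothing matches
MAX_PEEK = 64                      # stop waiting for more bytes after this many


def choose_service(peek: bytes) -> Optional[str]:
    """Return the service for a connection whose first bytes are `peek`, or
    None when the gateway should keep reading before deciding."""
    still_possible = False
    for detector, service in DETECTOR_CONFIG:
        state = detector(peek)
        if state == MATCH:
            return service          # first definite match wins
        if state == UNDECIDED:
            still_possible = True
    if still_possible and len(peek) < MAX_PEEK:
        return None                 # some detector could still match
    return DEFAULT_SERVICE          # nothing matched, or the budget is spent


# Constructed sample client openings (not captured traffic).
SAMPLES = {
    "http":    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "ssh":     b"SSH-2.0-OpenSSH_9.6\r\n",
    "tls":     bytes([0x16, 0x03, 0x01, 0x00, 0xC8,      # record header
                      0x01, 0x00, 0x00, 0xC4, 0x03, 0x03]) + b"\x00" * 32,
    "partial": b"GET /ind",                              # undecided: read more
    "junk":    b"\x00\x01\x02 hello",                    # no detector matches
}

if __name__ == "__main__":
    for label, peek in SAMPLES.items():
        print(f"{label:8s} -> {choose_service(peek)}")
```

The point to take from the model is the third outcome: a detector can be neither satisfied nor ruled out until more bytes arrive, so the gateway has to buffer the client's opening before it can hand the connection to a proxy, and it needs a fallback (here a deny) plus a byte or time budget for clients that never send anything recognisable. The model bounds only the bytes; a real gateway also bounds the wait by time. This is also why detection of this kind only works for protocols in which the client speaks first; a server-first protocol gives the detector nothing to look at.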

Services are managed from the Services tab of the Application-level Gateway MC component. The left side of the tab displays the configured services, while the right side shows the parameters of the selected service. Use this tab to delete unwanted services, modify existing ones, or create new ones.