Defining services for the USG2000&5000 series


The USG2000&5000 series supports defining services using the web UI or CLI. A service can be used as a matching condition in a security policy. The system provides a set of predefined services, and you can define your own services by specifying information such as the protocol and port.
Defining services using the web UI:
Choose Firewall > Service > User-defined Service and click Create in User-defined Service List. Enter or select service information, including the name, description, and protocol, and click Apply.

Defining services using the CLI:
1. Run the ip service-set service-set-name type object [ vpn-instance vpn-instance-name ] command in the system view to create a service set and access its view.

2. Add members to this service set.
a. Run the service [ id ] protocol { udp | tcp | sctp } [ source-port { src-port-number-1 [ to src-port-number-2 ] } &<1-64> | destination-port { dst-port-number-1 [ to dst-port-number-2 ] } &<1-64> ] * [ description description ] command to define a TCP, UDP, or SCTP service by source and destination port numbers or port ranges.
b. Run the service [ id ] protocol icmp [ icmp-type { icmp-name | icmp-type-number icmp-code-number } ] [ description description ] command to specify the ICMP message type or code.
c. Run the service [ id ] protocol protocol-number [ description description ] command to define a service by the value of the Protocol field in the IP packet header.

3. Run the description text command to configure the service set description.
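As an added example (not Huawei's code and not part of the original page), the following Python model parses service members written in the three CLI forms above and checks whether a flow matches a service set. The Flow and ServiceMember classes and the two ICMP names in ICMP_NAMES are this example's own assumptions; the three member forms and the limit of 64 port ranges come from the command syntax above.

```python
"""Model of USG service-set members and flow matching (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "sctp": 132}
# ICMP names assumed for this example; the real CLI accepts more names than these.
ICMP_NAMES = {"echo": (8, 0), "echo-reply": (0, 0)}
KEYWORDS = ("source-port", "destination-port", "description")


@dataclass
class Flow:
    protocol: int                      # value of the IP header Protocol field
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass
class ServiceMember:
    member_id: Optional[int]
    protocol: int
    src_ports: List[Tuple[int, int]] = field(default_factory=list)  # [] = any port
    dst_ports: List[Tuple[int, int]] = field(default_factory=list)
    icmp_type: Optional[int] = None    # None = any ICMP type/code
    icmp_code: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        if flow.protocol != self.protocol:
            return False
        if self.protocol == PROTO_NUM["icmp"]:
            if self.icmp_type is None:
                return True
            return (flow.icmp_type, flow.icmp_code) == (self.icmp_type, self.icmp_code)
        if self.protocol in (PROTO_NUM["tcp"], PROTO_NUM["udp"], PROTO_NUM["sctp"]):
            return _port_ok(self.src_ports, flow.src_port) and _port_ok(self.dst_ports, flow.dst_port)
        return True  # protocol-number member: the Protocol field alone decides


def _port_ok(ranges: List[Tuple[int, int]], port: Optional[int]) -> bool:
    if not ranges:
        return True
    return port is not None and any(lo <= port <= hi for lo, hi in ranges)


def _parse_ports(tokens: List[str], i: int) -> Tuple[List[Tuple[int, int]], int]:
    """Parse 'p1 [to p2] p3 ...' starting at tokens[i]; stop at the next keyword."""
    ranges = []
    while i < len(tokens) and tokens[i] not in KEYWORDS:
        lo = int(tokens[i])
        i += 1
        hi = lo
        if i + 1 < len(tokens) and tokens[i] == "to":
            hi = int(tokens[i + 1])
            i += 2
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range {lo}-{hi}")
        ranges.append((lo, hi))
    if len(ranges) > 64:
        raise ValueError("at most 64 port ranges per member (&<1-64>)")
    return ranges, i


def parse_service(line: str) -> ServiceMember:
    """Parse one 'service [id] protocol ...' line into a ServiceMember."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "service":
        raise ValueError("expected 'service [id] protocol ...'")
    i = 1
    member_id = None
    if tokens[i].isdigit():
        member_id = int(tokens[i])
        i += 1
    if tokens[i] != "protocol":
        raise ValueError("expected 'protocol'")
    proto = tokens[i + 1]
    i += 2
    if proto in ("tcp", "udp", "sctp"):
        member = ServiceMember(member_id, PROTO_NUM[proto])
        while i < len(tokens) and tokens[i] in ("source-port", "destination-port"):
            ranges, j = _parse_ports(tokens, i + 1)
            (member.src_ports if tokens[i] == "source-port" else member.dst_ports).extend(ranges)
            i = j
        return member
    if proto == "icmp":
        member = ServiceMember(member_id, PROTO_NUM["icmp"])
        if i < len(tokens) and tokens[i] == "icmp-type":
            if tokens[i + 1] in ICMP_NAMES:
                member.icmp_type, member.icmp_code = ICMP_NAMES[tokens[i + 1]]
            else:
                member.icmp_type, member.icmp_code = int(tokens[i + 1]), int(tokens[i + 2])
        return member
    return ServiceMember(member_id, int(proto))  # 'service protocol <number>' form


def service_set_matches(members: List[ServiceMember], flow: Flow) -> bool:
    """A flow matches the service set if it matches any member."""
    return any(m.matches(flow) for m in members)
```

A member defined with only a protocol matches every port of that protocol, which is why a deliberately narrow destination-port list is the usual way to keep a user-defined service from becoming a broader policy condition than intended.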

Other related questions:
Configuring an address set for the USG2000&5000 series
The USG2000&5000 series supports configuring an address set using the web UI or CLI. An address set can contain IP addresses, network segments, IP address ranges, and MAC addresses, and it can be contained in another address set.
Configuring an address set using the web UI:
Choose Firewall > Address > Address Set and click Create in Address Set List. Enter or select the address set name and description, reference the address or address set, configure the IP address, and click Apply.
Configuring an address set using the CLI:
1. Run the ip address-set address-set-name [ type { object | group } | vpn-instance vpn-instance-name ] * command in the system view to create an address set and access its view.
2. Run the address [ id ] { ip-address { 0 | wildcard | mask { mask-address | mask-len } } | range start-ip-address end-ip-address | address-set address-set-name | mac-address } [ description description ] command to add a member to this address set. You can run this command repeatedly to add multiple members to this address set.
3. Run the description text command to configure the address set description.
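As an added example (not Huawei's code and not part of the original page), the following Python model resolves the IPv4 member forms of the address command above, including nested address sets: a host written with wildcard 0, a wildcard (bits set to 1 are "don't care"), a mask given as a length or dotted address, and a range. MAC-address members are left out, and the AddressSet class and method names are this example's own assumptions.

```python
"""Model of USG address-set membership lookup (constructed example)."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

ALL_ONES = 0xFFFFFFFF


class AddressSet:
    """One 'ip address-set' object; member kinds follow the 'address' command forms."""

    def __init__(self, name: str):
        self.name = name
        self.members: List[Tuple[str, object]] = []

    def add_wildcard(self, ip: str, wildcard: str = "0") -> None:
        # address <ip> 0          -> a single host
        # address <ip> <wildcard> -> bits set to 1 in the wildcard are ignored
        wc = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
        self.members.append(("wildcard", (int(ipaddress.IPv4Address(ip)), wc)))

    def add_mask(self, ip: str, mask) -> None:
        # address <ip> mask { mask-address | mask-len }
        self.members.append(("net", ipaddress.ip_network(f"{ip}/{mask}", strict=False)))

    def add_range(self, start: str, end: str) -> None:
        # address range <start-ip-address> <end-ip-address>
        s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if s > e:
            raise ValueError("range start must not exceed range end")
        self.members.append(("range", (s, e)))

    def add_set(self, other: str) -> None:
        # address address-set <name>: nested set, resolved at lookup time
        self.members.append(("set", other))

    def contains(self, addr: str, sets: Dict[str, "AddressSet"],
                 _seen: Optional[Set[str]] = None) -> bool:
        """True if addr is covered by any member, following nested sets once each."""
        ip = ipaddress.IPv4Address(addr)
        seen = _seen if _seen is not None else set()
        seen.add(self.name)  # guards against reference cycles between sets
        for kind, value in self.members:
            if kind == "wildcard":
                base, wc = value
                care = ALL_ONES ^ wc
                if (int(ip) & care) == (base & care):
                    return True
            elif kind == "net" and ip in value:
                return True
            elif kind == "range" and value[0] <= ip <= value[1]:
                return True
            elif kind == "set" and value not in seen:
                if value not in sets:
                    raise KeyError(f"address set {value!r} is referenced but not defined")
                if sets[value].contains(addr, sets, seen):
                    return True
        return False
```

The wildcard form is the one that most often surprises people: 172.16.0.1 with wildcard 0.0.255.0 covers 172.16.x.1 for every x, a non-contiguous set that no mask can express, so it deserves a second look whenever it appears in a policy object.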

Disabling the Telnet or SSH service on the USG2000&5000&6000
Perform the following steps to disable the Telnet or SSH service:
1.  Disable the Telnet service.
<USG> system-view
Enter system view, return user view with Ctrl+Z.
[USG] undo telnet server enable

2.  Disable the SSH service.
<USG> system-view
Enter system view, return user view with Ctrl+Z.
[USG] undo stelnet server enable

ACLs for the USG2000&5000
An access control list (ACL) is a general tool for traffic matching. It can filter and match traffic by MAC address, IP address, protocol, and time range.

ACL Rule and Matching Order
In common cases, a security function can reference multiple ACLs, so the traffic defined by these ACLs may overlap or conflict. In addition, an ACL contains multiple rules, each of which specifies certain traffic and a permit or deny action, so the traffic defined by these rules may also overlap and the actions for the overlapping traffic may conflict. It is therefore necessary to specify the matching order of ACLs and of the rules within an ACL. The matching orders on the USG are as follows:
- ACLs applied to the same function in the same direction are matched in order of configuration time: the earlier an ACL is created, the earlier it is matched. Once a match succeeds, no further matching is performed.
- Rules in the same ACL are matched according to the specified matching type. Two matching types are available:
  - Automatic order: also called minimal matching or in-depth matching. The action is taken from the rule with the smallest matching range. For example, rule 1 permits the address range 192.168.1.0/24 and rule 2 denies the address 192.168.1.100. The final action for packets matching 192.168.1.100 is deny, because the address range specified by rule 2 is smaller and more specific.
  - Configuration order: rules are matched by rule ID. This is the default matching mode. The smaller the rule ID, the earlier the rule is matched. Once a match succeeds, no further matching is performed.

Step and Dynamic Insertion of an ACL Rule
After an ACL rule is created, its ID cannot be changed, so in configuration-order mode it is difficult to adjust the matching order of existing rules manually: you can only delete rules and create new ones. The step function addresses this. When an ACL rule is created without a rule ID, the system assigns one automatically, and rule IDs increase by the step. For example, with a step of 5, a rule created without an ID receives the smallest multiple of 5 that is larger than the ID of the previous rule. Suppose you do not specify an ID for rule 1: the system assigns 5. When creating rule 2, you assign 12. You then do not specify an ID for rule 3, and the system assigns 15 (the next multiple of 5 above 12). The IDs of the three rules are therefore 5, 12, and 15. With the step mechanism, unused IDs remain available between rules for later use. In this example, to make rule 4 take effect between rule 2 and rule 3, specify 13 as its ID when creating it. By dynamically inserting new rules between existing ones in this way, you control the effective order of the rules in the ACL.
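As an added example (not Huawei's code and not part of the original page), the following Python model reproduces the two behaviours described above: step-based rule ID assignment with dynamic insertion, and rule lookup in configuration order versus automatic (in-depth) order. Rules are reduced to a single source-address field so that the page's own 192.168.1.0/24 versus 192.168.1.100 case can be checked in both modes; the Acl and AclRule names and the "no-match" result are this example's own assumptions.

```python
"""Model of USG ACL rule IDs (step) and matching order (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AclRule:
    rule_id: int
    action: str                      # "permit" or "deny"
    source: ipaddress.IPv4Network    # a single host is stored as a /32


class Acl:
    """One ACL with a matching order ("config" or "auto") and a rule-ID step."""

    def __init__(self, match_order: str = "config", step: int = 5):
        if match_order not in ("config", "auto"):
            raise ValueError("match_order must be 'config' or 'auto'")
        if step < 1:
            raise ValueError("step must be at least 1")
        self.match_order = match_order
        self.step = step
        self.rules: List[AclRule] = []

    def next_rule_id(self) -> int:
        # Smallest multiple of the step that is larger than the highest existing ID.
        highest = max((r.rule_id for r in self.rules), default=0)
        return (highest // self.step + 1) * self.step

    def add_rule(self, action: str, source: str, rule_id: Optional[int] = None) -> int:
        """Create a rule; with no rule_id the step decides, otherwise the ID is used as given."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        if rule_id is None:
            rule_id = self.next_rule_id()
        if any(r.rule_id == rule_id for r in self.rules):
            raise ValueError(f"rule {rule_id} already exists; an ID cannot be changed or reused")
        net = ipaddress.ip_network(source, strict=False)
        self.rules.append(AclRule(rule_id, action, net))
        return rule_id

    def rule_ids(self) -> List[int]:
        return sorted(r.rule_id for r in self.rules)

    def lookup(self, addr: str) -> Optional[AclRule]:
        """Return the rule that decides addr, or None if no rule covers it."""
        ip = ipaddress.ip_address(addr)
        candidates = [r for r in self.rules if ip in r.source]
        if not candidates:
            return None
        if self.match_order == "config":
            # Configuration order: the smallest rule ID wins; nothing after it is checked.
            return min(candidates, key=lambda r: r.rule_id)
        # Automatic order: the smallest (most specific) range wins; ties go to the smaller ID.
        return max(candidates, key=lambda r: (r.source.prefixlen, -r.rule_id))

    def action_for(self, addr: str) -> str:
        rule = self.lookup(addr)
        return rule.action if rule else "no-match"


def page_example(match_order: str) -> str:
    """The page's two-rule case (permit /24, deny one host) under the given matching order."""
    acl = Acl(match_order=match_order)
    acl.add_rule("permit", "192.168.1.0/24")
    acl.add_rule("deny", "192.168.1.100")
    return acl.action_for("192.168.1.100")
```

The same two rules permit 192.168.1.100 in configuration order and deny it in automatic order, which is why the matching type of an ACL should be checked before reasoning about what a rule set allows.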

Definition of SSL VPN for USG2000 and USG5000 series devices
SSL VPN is a VPN remote access technology that relies on the SSL protocol for its security. With SSL VPN, mobile office workers (called remote users in SSL VPN) can securely and conveniently access the enterprise network and its intranet resources, improving work efficiency.
