When you define security rules for specific applications, you can select one or more services to limit the port numbers the applications can use. The default service is any, which allows all TCP and UDP ports. The HTTP and HTTPS services are predefined, but you can add additional service definitions. Services that are often assigned together can be combined into Service Groups to simplify the creation of Security rules.

A service object allows you to specify the source and destination ports and protocols that a service can use. You can also create a custom service on any TCP/UDP port of your choice to restrict application usage to specific ports on your network. Additionally, you can use service objects to specify service-based session timeouts—this means that you can apply different timeouts to different user groups even when those groups are using the same TCP or UDP service, or, if you’re migrating from a port-based Security policy with custom applications to an application-based Security policy, you can easily maintain your custom application timeouts.

After you have created your service objects, you can then group a collection of services to create a Service Group that requires the same policy enforcement. Services that are often assigned together can be combined into Service Groups to simplify the creation of security rules.