A user-defined list of ports and protocols.  These groups are then applied to a resource to define what services are being protected by the policies applied to that resource.