Policy with Internet Service

1 Reply

Policy with Internet Service

Using Internet Service in policy

This recipe shows how to apply a predefined Internet Service entry into a policy.

The Internet Service Database is a comprehensive public IP address database that combines IP address range, IP owner, service port number, and IP security credibility. The data comes from the FortiGuard service system. Information is regularly added to this database, for example, geographic location, IP reputation, popularity & DNS, and so on. All this information helps users define Internet security more effectively.

From FortiOS version 5.6 on, the Internet Service is included in the firewall policy, It can be applied to a policy only as a Destination object. From version 6.0, Internet Services can be applied both as Source and Destination objects in policy. You can also apply Internet Services to shaping policy.

There are three types of Internet Services we can apply to firewall policy:

l Predefined Internet Services. l Custom Internet Services. l Extension Internet Services.

Sample configuration

To apply a predefined Internet Service entry into a policy using the GUI:

  1. Go to Policy & Objects and create a new policy.
  2. In the Source or Destination field, click +.
  3. In the Select Entries pane, click Internet Service.
  4. Locate and click Gmail.
  5. Configure the other fields and then click OK.

To apply a predefined Internet Service entry into a policy using the CLI:

In the CLI, enable the internet-service first and then use its ID to apply the policy.

This example uses Google Gmail and its ID is 65646. Each Internet Service has a unique ID.

config firewall policy edit 9 set name “Internet Service in Policy” set srcintf “wan2” set dstintf “wan1” set srcaddr “all” set internet-service enable set internet-service-id 65646 set action accept set schedule “always” set utm-status enable set av-profile “g-default”

set ssl-ssh-profile “certificate-inspection”

set nat enable

next end

To diagnose an Internet Service entry using the CLI:

diag internet-service id-summary 65646

Version: 0000600096

Timestamp: 201902111802

Total number of IP ranges: 444727

Number of Groups: 7

Group(0), Singularity(20), Number of IP ranges(142740)

Group(1), Singularity(19), Number of IP ranges(1210)

Group(2), Singularity(16), Number of IP ranges(241)

Group(3), Singularity(15), Number of IP ranges(38723)

Group(4), Singularity(10), Number of IP ranges(142586)

Group(5), Singularity(8), Number of IP ranges(5336)

Group(6), Singularity(6), Number of IP ranges(113891)

Internet Service: 65646(Google.Gmail)

Number of IP range: 60

Number of IP numbers: 322845

Singularity: 15

Reputation: 5(Known and verified safe sites such as Gmail, Amazon, eBay, etc.)

Icon Id: 510

Second Level Domain: 53(gmail.com)

Direction: dst

Data source: isdb

Result

Because the IP and services related to Google Gmail on the Internet are included in this Internet Service (65646), all traffic to Google Gmail is forwarded by this policy.

Using custom Internet Service in policy

Even though there are about 1,395 predefined Internet Services entries and a total of 444,727 IP ranges, we sometimes still need to create our own Internet Service entries. FortiOS supports custom Internet Service in a firewall policy.

When creating a custom Internet Service, you must set following elements:

l IP or IP Ranges l Protocol number l Port or Port Ranges l Reputation

You must use CLI to create a custom Internet Service. Custom Internet Service CLI syntax

config firewall internet-service-custom edit <name> set comment <comment> set reputation {1|2|3|4|5} config entry edit <ID #> set protocol <number #> set dst <object_name> config port-range

edit <ID #>

set start-port <number #> set end-port <number #>

next

end

next end end

end

Sample configuration

To configure a custom Internet Service using the CLI:

config firewall internet-service-custom

edit “test-isdb-1” set comment “Test Custom Internet Service” set reputation 4 config entry

edit 1

set protocol 6

config port-range

edit 1

set start-port 80

set end-port 443

next

end set dst “10-1-100-0”

next edit 2

set protocol 6 config port-range

edit 1

set start-port 80

set end-port 80

next

end set dst “172-16-200-0”

next

end

next

end

To apply a custom Internet Service into policy using the CLI:

config firewall policy

edit 1

set name “Internet Service in Policy” set srcintf “wan2” set dstintf “wan1” set srcaddr “all” set internet-service enable set internet-service-id 65646 set internet-service-custom “test-isdb-1” set action accept

set schedule “always” set utm-status enable set av-profile “g-default”

set ssl-ssh-profile “certificate-inspection”

set nat enable

next

end

Result

In addition to the IP/IP-Ranges and services allowed by Google.Gmail, this policy also allows the traffic which access to 10.1.100.0/24 and TCP/80-443 and 172.16.200.0/24 and TCP/80.

Using extension Internet Service in policy

Extension Internet Service lets you add custom IP_Range(s)+Port_Range(s) to an existing prpedefined Internet Servic, or remove IP_Range(s)+Port_Range(s) from an existing predefined Internet Service entry.

Using an extension type Internet Service is actually editing a predefined type Internet Service entry and add IP_Range (s)+ Port_Range(s) to it.

When creating an extension Internet Service and adding custom IP_Range(s)+Port_Range(s), you must set following elements:

l IP or IP Ranges l Protocol number l Port or Port Ranges

You must use CLI to add custom IP(s)+Port(s) entries into a predefined Internet Service.

You must use GUI to remove entries from a predefined Internet Service. Custom extension Internet Service CLI syntax

config firewall internet-service-extension edit <ID #> set comment <comment> config entry edit <ID #> set protocol <number #> set dst <object_name> config port-range edit <ID #> set start-port <number #> set end-port <number #>

next

end

next

end

end end

Sample configuration

To configure an extension Internet Service using the CLI:

config firewall internet-service-extension edit 65646 set comment “Test Extension Internet Service 65646” config entry edit 1 set protocol 6 config port-range edit 1 set start-port 80 set end-port 443

next

end

set dst “172-16-200-0”

next edit 2 set protocol 17 config port-range edit 1 set start-port 53 set end-port 53

next

end

set dst “10-1-100-0”

next

end

next

end

To removing IP(s)+Port(s) entries from an existing Internet Service:

  1. Go to Policy & Objects > Internet Service Database.
  2. Search for Gmail.
  3. Select Gmail and click Edit.
  4. Locate the IP entry you want to remove and click Disable beside that entry.
  5. Click Return.
  6. When you complete the actions in the GUI, the CLI automatically generates the configuration from your GUI actions:

config firewall internet-service-extension edit 65646 set comment “Test Extension Internet Service 65646” config entry

edit 1 set protocol 6 config port-range

edit 1 set start-port 80 set end-port 443

next

end set dst “172-16-200-0”

next edit 2 set protocol 17 config port-range

edit 1 set start-port 53 set end-port 53

next

end set dst “10-1-100-0”

next

end config disable-entry edit 1 set protocol 6 config port-range

edit 1 set start-port 25 set end-port 25

next edit 2 set start-port 80 set end-port 80

next edit 3 set start-port 110 set end-port 110

next edit 4 set start-port 143 set end-port 143

next edit 5 set start-port 443 set end-port 443

next edit 6 set start-port 465 set end-port 465

next edit 7 set start-port 587 set end-port 587

next edit 8 set start-port 993 set end-port 993

next edit 9 set start-port 995 set end-port 995

next edit 10 set start-port 2525 set end-port 2525

next

end config ip-range edit 1 set start-ip 2.20.183.160 set end-ip 2.20.183.160

next

end

next

end

next

end

To apply an extension Internet Service into policy using the CLI:

config firewall policy edit 9 set name “Internet Service in Policy” set srcintf “wan2” set dstintf “wan1” set srcaddr “all” set internet-service enable set internet-service-id 65646 set action accept set schedule “always” set utm-status enable set av-profile “g-default”

set ssl-ssh-profile “certificate-inspection”

set nat enable

next

end

Result

In addition to the IP(s)/IP-Range(s) and services allowed by Google.Gmail, this policy also allows the traffic which accesses 10.1.100.0/24 and UDP/53 and 172.16.200.0/24 and TCP/80-443. At the same time, the traffic which accesses 2.20.183.160 is dropped because this IP+Port(s) is disabled from Google.Gmail.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Policy with Internet Service

  1. Alden

    Hi, one question. What happens if I use a ISDB as a destination (lets say Gmail as the example) but I also apply a web filter and / or app control profile to the policy blocking a category that matches Gmail?

    Will Gmail be blocked or permited?

    Thanks!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.