jangelis
Staff
April 19, 2021

Technical Tip: Issues with matching Custom Internet Service (ISDB) object in the policy


Description


This article describes the issue that arises when configured Custom Internet Service objects overlap, or when one object is a subset of another, as in the following example:


config firewall internet-service-custom
    edit "custom-1"
        set reputation 3
        set comment ''
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 80
                        set end-port 80
                    next
                end
                set dst "web-server"
            next
        end
    next
    edit "custom-2"
        set reputation 3
        set comment ''
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 80
                        set end-port 80
                    next
                end
                set dst "web-server"
            next
        end
    next
end


Using such overlapping Custom Internet Service objects in a policy results in unexpected behavior: only one of the overlapping objects is matched, so the traffic in question may fail to match the expected firewall policy if that policy does not reference the particular overlapping object that matches the traffic.


Scope


FortiGate.

Solution


The behavior is expected.
The 3 Tuple (IP address, protocol, port) should uniquely match one object.

Overlapping Custom Internet Service objects should be avoided, as the overlap can produce unexpected results. Additionally, because custom objects take precedence over the default ISDB objects, any Custom Internet Service object that is not referenced by a policy should be removed from the configuration.

As an alternative configuration option for such cases, the standard service + address configuration can be referenced in a firewall policy, instead of a Custom Internet Service object.


Key considerations for creating custom ISDB objects:

  • When creating a custom ISDB, it is necessary to avoid any overlapping entries with the predefined ISDB objects available in FortiGate.
  • Custom ISDB objects take precedence over the default ISDB objects, and this is the expected behavior.
  • The 3 Tuple (IP address, protocol, port) should uniquely match one custom ISDB object. If the same (IP address, protocol, port) matches a predefined ISDB object, the custom one will take precedence.
  • If the same (IP address, protocol, port) combination matches another custom ISDB object, the object appearing first (from top to bottom) in the output of 'show firewall internet-service-custom' will take precedence.
  • Overlapping a custom ISDB object with a predefined one may cause unexpected behavior, where traffic fails to match the intended firewall policy unless it explicitly references the overlapping object (custom ISDB object).

Note: An IP address can be part (overlap) of multiple predefined ISDB objects and match any of the returned internet service IDs. However, this does not apply to custom ISDB objects, as they take precedence and do not allow overlapping.
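The following script is an added example, not Fortinet code or FortiOS output. It parses the 'config firewall internet-service-custom' block quoted above, resolves the address object "web-server" to a constructed IP (the article never shows that object's definition), and applies the precedence rule stated in this article: among custom objects that match the same (IP address, protocol, port), the first one in 'show firewall internet-service-custom' order wins. Running it on the two identical objects shows that "custom-2" is shadowed by "custom-1" for TCP/80 to the web server, which is why a policy referencing only "custom-2" never matches that traffic. The parser, the mapping of "web-server" to 203.0.113.10, and the treatment of a missing port-range as "any port" are assumptions of this example.

```python
"""Overlap checker and first-match emulator for FortiGate custom ISDB objects.

Added example, not Fortinet's code. It parses the article's
'config firewall internet-service-custom' block, resolves the address object
"web-server" to a constructed IP (the article never shows its definition) and
applies the precedence rule the article states: among custom objects matching
the same (IP address, protocol, port), the first one in
'show firewall internet-service-custom' order wins, so later ones are never hit.
"""
import ipaddress
import shlex

# One custom object as quoted in the article; both objects are identical.
CUSTOM_OBJECT = """    edit "{name}"
        set reputation 3
        set comment ''
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 80
                        set end-port 80
                    next
                end
                set dst "web-server"
            next
        end
    next
"""
CUSTOM_ISDB_CONFIG = ("config firewall internet-service-custom\n"
                      + CUSTOM_OBJECT.format(name="custom-1")
                      + CUSTOM_OBJECT.format(name="custom-2") + "end\n")

# Constructed: the article references address object "web-server" but never defines it.
ADDRESS_OBJECTS = {"web-server": ["203.0.113.10/32"]}
ANY_PORT = (0, 65535)  # assumption: an entry without port-range matches every port

def parse_cli(text):
    """Parse nested FortiOS CLI (config/edit/set/next/end) into a dict tree."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles "quoted" and '' values
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root

def load_custom_services(text):
    """Return [(name, [entry, ...])] in configuration order (dicts keep insertion order)."""
    services = []
    for name, body in parse_cli(text)["firewall internet-service-custom"].items():
        entries = []
        for e in body.get("entry", {}).values():
            ports = [(int(pr["start-port"][0]), int(pr["end-port"][0]))
                     for pr in e.get("port-range", {}).values()] or [ANY_PORT]
            nets = [ipaddress.ip_network(n) for a in e.get("dst", []) for n in ADDRESS_OBJECTS[a]]
            entries.append({"protocol": int(e["protocol"][0]), "ports": ports, "nets": nets})
        services.append((name, entries))
    return services

def first_match(services, ip, protocol, port):
    """Name of the custom object that wins for (ip, protocol, port), or None."""
    addr = ipaddress.ip_address(ip)
    for name, entries in services:
        for e in entries:
            if (e["protocol"] == protocol
                    and any(lo <= port <= hi for lo, hi in e["ports"])
                    and any(addr in n for n in e["nets"])):
                return name  # first object in show order wins
    return None

def find_overlaps(services):
    """(winner, shadowed, protocol, shared port range) for every pair of custom
    objects that claim the same 3-tuple space; the shadowed one never matches there."""
    found = []
    for i, (a_name, a_entries) in enumerate(services):
        for b_name, b_entries in services[i + 1:]:
            for ea in a_entries:
                for eb in b_entries:
                    if ea["protocol"] != eb["protocol"]:
                        continue
                    if not any(x.overlaps(y) for x in ea["nets"] for y in eb["nets"]):
                        continue
                    for lo1, hi1 in ea["ports"]:
                        for lo2, hi2 in eb["ports"]:
                            lo, hi = max(lo1, lo2), min(hi1, hi2)
                            if lo <= hi:
                                found.append((a_name, b_name, ea["protocol"], (lo, hi)))
    return found

if __name__ == "__main__":
    svcs = load_custom_services(CUSTOM_ISDB_CONFIG)
    for winner, shadowed, proto, ports in find_overlaps(svcs):
        print(f"{shadowed!r} is shadowed by {winner!r} for protocol {proto}, ports {ports}")
    # TCP/80 to the web server resolves to custom-1 only.
    print(first_match(svcs, "203.0.113.10", 6, 80))
```

Run the script against your own 'show firewall internet-service-custom' output (after filling in ADDRESS_OBJECTS from 'show firewall address') to list shadowed objects before they are referenced in a policy; an empty result from find_overlaps means every custom 3-tuple resolves to exactly one custom object, as the article requires.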


Related article:

Technical Tip: Using custom internet service in policy