Troubleshooting Tip: Unable to create ISDB exceptions via CLI

ISDB exceptions can be added using the GUI by following this KB article: Technical Tip: How to Disable Specific IP Addresses or IP Address Ranges in ISDB Address Objects.

This will add an internet-service-extension to the configuration. For example, if an entry is disabled for the 'Malicious-Malicious.Server' object (ID=11337935):

FortiGate # show firewall internet-service-extension
config firewall internet-service-extension
    edit 11337935
        set comment ''
            config disable-entry
                edit 1
                    set protocol 6
                        config port-range
                            edit 1
                                set start-port 80
                                set end-port 80
                            next
                            edit 2
                                set start-port 443
                                set end-port 443
                            next
                        end
                        config ip-range
                            edit 1
                                set start-ip 1.0.166.79
                                set end-ip 1.0.166.79
                            next
                        end
                next
            end
    next
end

Note:

To check the ID for a specific ISDB group, the following commands can be used:

FortiGate # diagnose internet-service id | grep Malicious
ID: 11337935 name: "Malicious-Malicious.Server"

FortiGate # diagnose internet-service id | grep 11337935
ID: 11337935 name: "Malicious-Malicious.Server"

However, when trying to configure this manually from the CLI, it will return an error:

FortiGate # config firewall internet-service-extension
FortiGate (internet-service-extension) # edit 11337935
FortiGate (11337935) # config disable-entry
FortiGate (disable-entry) # edit 1
This table is internally maintained, not configurable by user
node_check_object fail! for id 1

value parse error before '1'
Command fail. Return code -61

This is by design, as manually changing these entries via the CLI is considered highly error-prone. The only way to edit these ISDB objects is through the GUI.

Note: 

There is a known issue (ID 853352 in the release notes): when there are more than 100000 entries in an ISDB object, the GUI will get stuck when scrolling down the list.

This has been fixed in v7.6.4 and later releases, but it will not be fixed in v7.2.x or v7.4.x. In case exceptions need to be added to the ISDB objects with more than 100000 in v7.2 or v7.4, as a workaround, a policy with addresses (or address groups) as exceptions should be created, then placed in front of the policy with the ISDB object.