Skip to main content
mvlasak
Staff
mvlasak
Staff
May 29, 2025

Troubleshooting Tip: How to check if a particular Internet Service exists on FortiManager and FortiGate

  • May 29, 2025
  • 0 replies
  • 933 views
Description

This article describes how to resolve errors where policy package installation fails if FortiManager attempts to push a firewall policy that references an internet-service-name (or internet-service6-name) not available on the target FortiGate. This typically occurs when there is a mismatch in the Internet Service Database (ISDB) version or when a service exists in FortiManager but not on FortiGate.
Scope FortiManager/FortiGate v7.x.
Solution
  1. Check the ISDB Version on FortiGate and FortiManager.

To ensure consistency, the ISDB version must be the same on both FortiGate and FortiManager. To check:

 

On FortiGate:

 

diagnose autoupdate versions | grep "Internet-service Standard Database" -A5

diagnose autoupdate versions | grep "Internet-service Standard Database" -A5
Internet-service Standard Database
---------
Version: 7.04192 signed
Contract Expiry Date: n/a
Last Updated using scheduled update on Thu May 29 04:18:41 2025
Last Update Attempt: Thu May 29 12:18:02 2025

 

On FortiManager:

 

diagnose dvm adom list


diagnose dvm adom list
There are currently 23 ADOMs (count for license: 3/105):
OID  STATE    PRODUCT OSVER MR LIC NAME       MODE   VPN MANAGEMENT        IPS  ISDB
8891 enabled  FOS     7.0   2  Y   PRODUCTION Normal                       32.4 7.4166
.....
3    enabled FOS      7.0   2      root       Normal  Central VPN Console  32.4 7.4166
4048 enabled FOS      7.0   6  Y   root76     Normal  Central VPN Console  32.4 7.4166
10   enabled FOS      7.0   2      Global     Normal  Policy & Device VPNs 32.4 7.4166
---End ADOM list---

 

This command will list all ADOMs, along with the ISDB version used in each. Look at the ISDB column for the version.

 

  1. To verify whether a specific internet-service-name (e.g., Botnet-C&C.Server) exists on a FortiGate device, use the following command:

 

diagnose internet-service id-summary | grep Botnet
id: 3080383 name: "Botnet-C&C.Server"

If no output is returned, the service likely does not exist on the FortiGate due to an outdated Internet Service Database (ISDB).

 

  1. To verify whether a specific internet-service-name (e.g., Botnet-C&C.Server) exists on a FortiManager device, use the following command:


execute fmpolicy print-adom-object root "firewall internet-service-name" "Botnet-C&C.Server"
Dump object [Botnet-C&C.Server] of category [firewall internet-service-name] in adom [root]:
---------------
[Botnet-C&C.Server] is a reserved record

 

Notes:

  • It is necessary to use the full internet service name in the FortiManager CLI command.
  • If the ISDB versions are not the same, FortiManager may attempt to use objects (e.g., internet-service-name) that do not yet exist on the FortiGate, which can cause install errors. Always make sure that FortiGate and FortiManager are updated to use the same ISDB version before pushing policies.

 

Related articles:

Technical Tip: Required information for TAC tickets

Technical Tip: How to create a log file of a session using PuTTY
    Terms & ConditionsAccessibility statement