irodriguez_FTNT
Article Id 192757

Description

 
This article describes how to list all the services of the Internet Service Database with their respective IP ranges, protocols and ports in both the GUI and the CLI.

 

Scope

 

FortiGate, Internet Service database.


Solution

 

The following are the GUI and CLI methods available for viewing entries in the Internet Service Database. Note that for FortiGates using VDOMs, the GUI method works from any non-Global VDOM, whereas the CLI method needs to be run from the Global VDOM.

 

GUI Method:

In the web GUI, navigate to Policy & Objects -> Internet Service Database to see the list of available Internet Services. Selecting/editing a given entry will show the Primary Internet Service ID, as well as an option to View/Edit Entries associated with the object. FortiOS v7.2.0 and later also includes a button for IP Address Lookup, which allows administrators to specify an IP address and find the associated Internet Service object(s).

 


 

CLI Method:

To display the full list of Internet Services contained in the database, run the command diagnose internet-service id. A list of services will be produced, along with the associated ID number of that entry:
 
FortiGate # diagnose internet-service id
Please input Internet Service ID.
ID: 65537 name: "Google-Web"
ID: 65538 name: "Google-ICMP"
ID: 65539 name: "Google-DNS"
[...]
 
Additionally, the grep command can be used to filter for a specific service and its associated ID. For example:
 
FortiGate # diagnose internet-service id | grep FortiGuard
ID: 1245324 name: "Fortinet-FortiGuard"
ID: 1245454 name: "Fortinet-FortiGuard.Secure.DNS"
ID: 1245514 name: "Fortinet-FortiGuard.SOCaaS"

Once the service has been identified, the ID can then be used to find the associated IP ranges, ports, and protocols:
 
FortiGate # diagnose internet-service id 1245324
Internet Service: 1245324(Fortinet-FortiGuard)
Version: 00007.04245
Timestamp: 202507091615
Number of Entries: 776
3.160.231.3-3.160.231.3 country(724) region(423) city(14129) blocklist(0x0) reputation(5), popularity(5) domain(0) botnet(0) proto(6) port(25 53 80 443 465 514 541-542 853 2195-2196 5223 8000 8686 8888 8890 9582)
3.160.231.3-3.160.231.3 country(724) region(423) city(14129) blocklist(0x0) reputation(5), popularity(5) domain(0) botnet(0) proto(17) port(53 5246 8888)
3.160.231.11-3.160.231.11 country(724) region(423) city(14129) blocklist(0x0) reputation(5), popularity(5) domain(0) botnet(0) proto(6) port(25 53 80 443 465 514 541-542 853 2195-2196 5223 8000 8686 8888 8890 9582)
[...]
 
Note: In some situations (such as when using an on-demand Internet Service Database), the service object may show as empty (in the GUI) or will show the following warning in the CLI:
 
FortiGate # diagnose internet-service id 1245324
Internet Service: 1245324(Fortinet-FortiGuard)
Can not find info for Internet Service ID in the currently installed database, ret=-3
 
If the IP ranges are not available, then try adding the Internet Service object to at least one firewall policy rule or static route before re-checking the service object. It may also be necessary to trigger a FortiGuard update on the FortiGate (for example, execute update-now or execute update-ffdb-on-demand).
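
When auditing what an Internet Service object actually permits in a policy, it helps to parse the CLI output rather than read it by eye. The following is an added example, not part of the original article or any Fortinet tooling: it parses output in the format shown above and checks whether an address, protocol and port fall inside the object, and it treats the "Can not find info" warning as an error instead of an empty result. The names parse_isdb and matches are hypothetical, and SAMPLE is an excerpt of the output shown in this article.

```python
import ipaddress
import re

# Excerpt of the article's output, embedded so the example runs offline.
SAMPLE = """\
Internet Service: 1245324(Fortinet-FortiGuard)
Version: 00007.04245
Timestamp: 202507091615
Number of Entries: 776
3.160.231.3-3.160.231.3 country(724) region(423) city(14129) blocklist(0x0) reputation(5), popularity(5) domain(0) botnet(0) proto(6) port(25 53 80 443 465 514 541-542 853 2195-2196 5223 8000 8686 8888 8890 9582)
3.160.231.3-3.160.231.3 country(724) region(423) city(14129) blocklist(0x0) reputation(5), popularity(5) domain(0) botnet(0) proto(17) port(53 5246 8888)
"""

# start-end ... proto(N) port(p1 p2 lo-hi ...)
ENTRY = re.compile(r"^(\S+)-(\S+) .*\bproto\((\d+)\) port\(([^)]*)\)")

def parse_isdb(text):
    """Return (header dict, entry list); raise LookupError if the object has no data."""
    if "Can not find info for Internet Service ID" in text:
        raise LookupError("ISDB object not present in the installed database")
    header, entries = {}, []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            start, end, proto, ports = m.groups()
            # Each port token is either a single port or a lo-hi range.
            ranges = [(int(lo), int(hi or lo))
                      for lo, _, hi in (tok.partition("-") for tok in ports.split())]
            entries.append({"start": ipaddress.ip_address(start),
                            "end": ipaddress.ip_address(end),
                            "proto": int(proto),  # IP protocol number: 6 = TCP, 17 = UDP
                            "ports": ranges})
        elif ":" in line:
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
    return header, entries

def matches(entries, ip, proto, port):
    """True if ip/proto/port falls inside any parsed entry."""
    addr = ipaddress.ip_address(ip)
    return any(
        e["start"].version == addr.version
        and e["start"] <= addr <= e["end"]
        and e["proto"] == proto
        and any(lo <= port <= hi for lo, hi in e["ports"])
        for e in entries
    )
```

Comparing the number of parsed entries with the "Number of Entries" header value is a quick way to confirm the capture was not truncated.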

 

Related articles:

Technical Tip: How to search ISDB using IP address

Technical Tip: Use Internet Service Database vs FQDN