Dongfang_Li_FTNT
Article Id 270814
Description

This article describes a scenario in which a user's connection to MS Outlook freezes because traffic to Outlook is being dropped by the FortiGate.

Scope

FortiGate.
Solution

When a firewall policy uses an FQDN as its destination, the IP address resolved by the client and the IP address resolved by the FortiGate may differ. Traffic to an address the FortiGate has not resolved will not match the policy.

This is most common with public cloud services, where the DNS TTL is very low and the IP addresses change frequently.
It may be possible to resolve this behavior by following this article: Technical Tip: How to deal with FQDN with short DN... - Fortinet Community.


Alternatively, an ISDB (Internet Service Database) object can be used to allow this traffic instead of the FQDN.
ISDB objects are more reliable than FQDNs, as the list is maintained and updated by FortiGuard and may cover more IP addresses than the FQDN resolves to on its own.

Here is a firewall policy with an FQDN as its destination.

[Screenshot outlook.PNG: firewall policy with the FQDN as the destination]

When logging of all sessions is enabled on the implicit deny policy, the destination address can be read from the deny log entry and used to look up the ISDB entries that contain that IP address.

[Screenshot deny.PNG: implicit deny log entry showing the destination address]

Take IP 20.105.73.143 as an example:

diagnose internet-service match root 20.105.73.143 255.255.255.255

Internet Service: 327786(Microsoft-Azure), matched entry num: 2, matched num: 2
Internet Service: 327681(Microsoft-Web), matched entry num: 4, matched num: 4
Internet Service: 327682(Microsoft-ICMP), matched entry num: 2, matched num: 2
Internet Service: 327683(Microsoft-DNS), matched entry num: 2, matched num: 2
Internet Service: 327684(Microsoft-Outbound_Email), matched entry num: 4, matched num: 4
Internet Service: 327686(Microsoft-SSH), matched entry num: 1, matched num: 1
Internet Service: 327687(Microsoft-FTP), matched entry num: 2, matched num: 2
Internet Service: 327688(Microsoft-NTP), matched entry num: 2, matched num: 2
Internet Service: 327689(Microsoft-Inbound_Email), matched entry num: 4, matched num: 4
Internet Service: 327694(Microsoft-LDAP), matched entry num: 4, matched num: 4
Internet Service: 327695(Microsoft-NetBIOS.Session.Service), matched entry num: 2, matched num: 2
Internet Service: 327696(Microsoft-RTMP), matched entry num: 2, matched num: 2
Internet Service: 327704(Microsoft-NetBIOS.Name.Service), matched entry num: 1, matched num: 1
Internet Service: 327680(Microsoft-Other), matched entry num: 2, matched num: 2

Change the destination of the firewall policy from the FQDN to one or more of the ISDB objects listed above, preferring the entries related to email, for example Microsoft-Azure, Microsoft-Outbound_Email and Microsoft-Inbound_Email. Here is the policy with the ISDB objects in place of the FQDN.

[Screenshot isdb.PNG: firewall policy with the ISDB objects as the destination]

The traffic is now allowed.

[Screenshot allow.PNG: traffic log showing the session allowed by the ISDB policy]
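As an added example (not part of the Fortinet article), a small Python helper that automates the lookup steps above: it pulls the destination IPs hit by the implicit deny policy out of sample deny-log lines, parses the diagnose output into records, and picks out the email-related ISDB names. The log lines are constructed for this example; the ISDB lines are copied from the output above.

```python
import re
from collections import OrderedDict

# Constructed sample deny-log lines (not from the article) in FortiGate key=value
# log format; dstip, policyid and action are standard traffic-log fields.
DENY_LOG = """\
date=2023-09-01 time=10:00:01 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=20.105.73.143 dstport=443 policyid=0 action="deny" msg="no session matched"
date=2023-09-01 time=10:00:02 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=20.105.73.143 dstport=443 policyid=0 action="deny" msg="no session matched"
date=2023-09-01 time=10:00:03 type="traffic" subtype="forward" srcip=10.0.0.7 dstip=203.0.113.10 dstport=443 policyid=0 action="deny" msg="no session matched"
date=2023-09-01 time=10:00:04 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=20.105.73.143 dstport=443 policyid=3 action="accept"
"""

# Four of the lines from the 'diagnose internet-service match' output shown in the article.
DIAG_OUTPUT = """\
Internet Service: 327786(Microsoft-Azure), matched entry num: 2, matched num: 2
Internet Service: 327681(Microsoft-Web), matched entry num: 4, matched num: 4
Internet Service: 327684(Microsoft-Outbound_Email), matched entry num: 4, matched num: 4
Internet Service: 327689(Microsoft-Inbound_Email), matched entry num: 4, matched num: 4
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ISDB_RE = re.compile(
    r'Internet Service: (\d+)\(([^)]+)\), matched entry num: (\d+), matched num: (\d+)')

def parse_log_line(line):
    """Split one key=value log line into a dict, dropping the surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def implicit_deny_dstips(log_text):
    """Unique destination IPs dropped by the implicit deny policy (policyid=0, action=deny)."""
    ips = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec.get("policyid") == "0" and rec.get("action") == "deny" and "dstip" in rec:
            ips[rec["dstip"]] = None   # keep first-seen order, drop duplicates
    return list(ips)

def parse_isdb_matches(diag_text):
    """Turn the diagnose output into (service_id, name, entry_count, match_count) tuples."""
    return [(int(i), n, int(e), int(m)) for i, n, e, m in ISDB_RE.findall(diag_text)]

def email_related_services(matches, keywords=("Azure", "Email")):
    """Keep only the ISDB names the article suggests for an Outlook policy."""
    return [name for _, name, _, _ in matches if any(k in name for k in keywords)]
```

Each IP returned by implicit_deny_dstips is the argument to run through 'diagnose internet-service match root <ip> 255.255.255.255'; the names returned by email_related_services are the candidates for the policy destination.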


Related article:

Technical Tip: How to search ISDB using IP address