Description
This article describes how to add Internet services to firewall policies
Scope
FortiGate.
Solution
In v5.4, support was added for Internet Service objects, which can be used with FortiView, Logging, Routing and WAN Load Balancing.
In v5.6, they can also be added to firewall policies. FortiGuard dynamically updates these Internet Service objects, which contain mappings of IP addresses and ports associated with well-known companies and their services (such as Amazon-AWS, Microsoft-Azure, Google-Gmail, and more).
Important Note:
Internet Service objects cannot be used in the Source or Destination fields at the same time as standard Address objects (FQDN, Subnet, etc.). In the CLI, the srcaddr option is removed after enabling internet-service-src, and the dstaddr and service options are removed after enabling internet-service.
Likewise in the GUI, attempting to add an Address Object in the same section as an Internet-Service object will generate the following error message that prevents the Firewall Policy from being saved: 'Destination addresses/groups must have different IP versions than Destination Internet Services in policy.'
In these scenarios, it is recommended to create two separate Firewall Policies (one for Address objects, and one for Internet Service objects) to avoid this conflict. Note that it is fine to use Address objects as Source and Internet Service objects as Destination (and vice versa); they just cannot be combined in the same Source or Destination section.
Configuring Internet Service objects in Firewall Policies - CLI method:
The following is the list of available CLI options/syntax for setting Internet Service objects in Firewall Policies. Where an option accepts several names, the names are space-separated (as in the example policy further below). Refer to the CLI Reference documentation for full descriptions of each option:
config firewall policy
    edit <policy id>
        set internet-service [enable|disable]
        set internet-service-custom <name1> <name2> ...
        set internet-service-custom-group <name1> <name2> ...
        set internet-service-group <name1> <name2> ...
        set internet-service-name <name1> <name2> ...
        set internet-service-negate [enable|disable]
        set internet-service-src [enable|disable]
        set internet-service-src-custom <name1> <name2> ...
        set internet-service-src-custom-group <name1> <name2> ...
        set internet-service-src-group <name1> <name2> ...
        set internet-service-src-name <name1> <name2> ...
        set internet-service-src-negate [enable|disable]
        set internet-service6 [enable|disable]
        set internet-service6-custom <name1> <name2> ...
        set internet-service6-custom-group <name1> <name2> ...
        set internet-service6-group <name1> <name2> ...
        set internet-service6-name <name1> <name2> ...
        set internet-service6-negate [enable|disable]
        set internet-service6-src [enable|disable]
        set internet-service6-src-custom <name1> <name2> ...
        set internet-service6-src-custom-group <name1> <name2> ...
        set internet-service6-src-group <name1> <name2> ...
        set internet-service6-src-name <name1> <name2> ...
        set internet-service6-src-negate [enable|disable]
end
Note that IPv6 Internet Service object support was first added in v7.2.1 (CLI support) and then expanded in v7.2.4 (GUI support). Refer to the following documentation for more information: Using IPv6 addresses in the ISDB 7.2.4
The following is an example Firewall Policy that allows all sources on the LAN to reach Amazon-AWS and Microsoft-Azure services via the WAN interface:
config firewall policy
    edit 8
        set srcintf 'LAN'
        set dstintf 'WAN'
        set action accept
        set srcaddr 'all'
        set internet-service enable
        set internet-service-name 'Amazon-AWS' 'Microsoft-Azure'
        set schedule always
end
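The either/or rule described in the Important Note above is enforced by the CLI at configuration time, but a policy set restored from a backup or assembled by an external tool is worth auditing for the same condition. The following is an added example (not part of this article or of FortiOS) that parses 'show firewall policy'-style text and flags any policy pairing an Internet Service object with an Address object in the same direction; the sample configuration and the policy names in it are constructed for illustration.

```python
import re
import shlex

# Constructed sample in the shape of 'show firewall policy' output (not from a real device).
SAMPLE_CONFIG = """\
config firewall policy
    edit 8
        set action accept
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Amazon-AWS" "Microsoft-Azure"
    next
    edit 9
        set srcaddr "all"
        set dstaddr "Mail-Server"
        set internet-service enable
        set internet-service-name "Google-Gmail"
    next
end
"""

# Enable option -> address/service options that FortiOS removes once it is enabled.
EXCLUSIVE = {"internet-service": ("dstaddr", "service"), "internet-service-src": ("srcaddr",)}


def parse_policies(config_text):
    """Return {policy_id: {option: [values]}} for every 'edit <id>' block."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        match = re.fullmatch(r"edit (\d+)", line)
        if match:
            current = policies.setdefault(match.group(1), {})
        elif line in ("next", "end"):
            current = None
        elif current is not None and line.startswith("set "):
            tokens = shlex.split(line[4:])  # handles quoted object names
            current[tokens[0]] = tokens[1:]
    return policies


def find_conflicts(policies):
    """Return (policy_id, enable_option, [clashing options]) for each policy that breaks the rule."""
    findings = []
    for pid, opts in sorted(policies.items(), key=lambda kv: int(kv[0])):
        for flag, addr_opts in EXCLUSIVE.items():
            if opts.get(flag) == ["enable"]:
                clash = [opt for opt in addr_opts if opt in opts]
                if clash:
                    findings.append((pid, flag, clash))
    return findings
```

Policy 8 mirrors the example above and passes; policy 9 is reported because it sets dstaddr alongside internet-service, exactly the combination the GUI refuses to save.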
Configuring Internet Service objects in Firewall Policies - GUI method:
When editing Firewall Policies under Policy & Objects -> Firewall Policy, it is possible to specify Internet Service objects as Destinations (v5.x and later) and Sources (v6.0 and later).
In the policy editing page, the Destination Address now has two types: Address and Internet Service.
[Screenshot: Firewall Policy Destination selection - FortiOS 6.0 example]
[Screenshot: Firewall Policy Destination selection - FortiOS 7.4 example]
As noted earlier in the article, there is an either/or relationship between Internet Service objects and Address/Service objects in firewall policies.
This means that the Destination may be configured either with an Internet Service object or with an Address object and a Service, but not with both at the same time.