Technical Tip: Adding or removing IP addresses and port ranges to/from a predefined internet service using the internet service extension

Anonymous · ‎03-09-2020

Description

This article describes a technical tip for defining and using the Internet Service Extension feature.
As a reminder, this feature allows adding and/or removing IP address(es) and port range(s) to/from an existing predefined internet service entry.
Using an extension type internet service comes to edit a predefined internet service entry and add/remove IP address(es) and port range(s) to/from it.

Scope

FortiGate.

Solution

Note that, while internet service database objects are globally defined, the internet service extension is a VDOM-level feature.
Example: extensions are configured and applied only on a VDOM-level basis.

Adding an IP address/port range to a predefined Internet Service entry.

As per the documentation, creating an internet service extension requires configuring IP or IP ranges, protocol number, port or port ranges via the CLI (this cannot be done at the GUI for now).

Based on this, adding an IP address range of 10.10.10.0-10.10.10.0 with a TCP port range of 8080-8081 to the predefined Internet Service 'Google-Gmail' in VDOM 'VD-1' can then be done using the following command set.

Retrieve the identifier of the 'Google-Gmail' Internet Service (65646).

diagnose internet-service id | grep Google-Gmail

ID: 65646 name: "Google-Gmail"

FGT (global) #

Define the IP address range '10.10.10.0-10.10.10.0' using a firewall address object.

config firewall address
    edit "ISDB-Range-1"
        set type iprange
        set start-ip 10.10.10.0
        set end-ip 10.10.10.0
    next
end

Extend the 'Google-Gmail' internet service using the 'internet-service-extension' command.

config firewall internet-service-extension
    edit 65646
        set comment ''
  config entry
edit 1
set protocol 6
  config port-range
edit 1
set start-port 8080
set end-port 8081
next
end
set dst "ISDB-Range-1"
next
end
    next
end

Once the configuration change is applied, the following message is displayed to indicate what needs to be done to make the change effective.

Warning:
Configuration will only be applied after rebooting or using the '#execute internet-service refresh' command.

Refresh the internet service database using the 'exec internet-service refresh' global-level command.

Since v7.2, the command has changed to the following:

exec internet-service refresh
Internet Service database is refreshed.

Since v7.2, the command has changed to the following:

execute internet-service4 refresh

Verify a new entry was effectively added at the VDOM level to the predefined 'Google-Gmail' internet service.

diagnose firewall internet-service-extension list

List internet service in kernel(custom):
name=Google-Gmail id=65646 reputation=5 Known and verified safe sites such as Gmail, Amazon, eBay, etc. singularity=0 flags=0x0 protocol=6 port=8080-8081
addr ip range(1): 10.10.10.0-10.10.10.0

Referring to the extended 'Google-Gmail' internet service in a VDOM level firewall policy can be done as per the following command.

config firewall policy
    edit 1
        …
            set internet-service enable
            set internet-service-id 65646
        …
    next
end

Removing an IP address/port range from a predefined Internet Service entry.

Unlike the addition, the removal of an IP address/port range from a predefined internet service cannot be done at the CLI but requires to be done at the GUI.

Open the internet service database of VDOM 'VD-1' and search for the 'Google-Gmail' internet service (65646).

Edit the 'Google-Gmail' internet service and remove all protocol entries for IP address range '1.1.1.0-1.1.1.0' from it by changing the IP address range 'Status' from enabled to disabled.

Display the internet service extension of the VDOM 'VD-1' using the 'internet-service-extension' command.

config firewall internet-service-extension
    edit 65646
        set comment ''
  config disable-entry
edit 1
set protocol 6
  config port-range
edit 1
set start-port 25
set end-port 25
next
edit 2
set start-port 80
set end-port 80
next
edit 3
set start-port 110
set end-port 110
next
edit 4
set start-port 143
set end-port 143
next
edit 5
set start-port 443
set end-port 443
next
edit 6
set start-port 465
set end-port 465
next
edit 7
set start-port 587
set end-port 587
next
edit 8
set start-port 993
set end-port 993
next
edit 9
set start-port 995
set end-port 995
next
edit 10
set start-port 2525
set end-port 2525
next
edit 11
set start-port 5222
set end-port 5242
next
edit 12
set start-port 19305
set end-port 19309
next
end
  config ip-range
edit 1
set start-ip 1.1.1.0
set end-ip 1.1.1.0
next
end
next
edit 2
set protocol 17
  config port-range
edit 1
next
end
  config ip-range
edit 1
set start-ip 1.1.1.0
set end-ip 1.1.1.0
next
end
next
end
    next
end

The GUI disabling of IP address range '1.1.1.0-1.1.1.0' from the 'Google-Gmail' internet service was translated by FortiOS as an internet service extension (c.f. 'config disable-entry' command section for internet service ID 65646).

Referring to the extended 'Google-Gmail' internet service in a VDOM level firewall Policy can be done as per the following command.

config firewall policy
    edit 1
        …
            set internet-service enable
            set internet-service-id 65646
        …
    next
end

Note:

Unlike adding, the removal of an IP address/port range from a predefined Internet Service entry cannot be displayed using the 'firewall internet-service-extension list' command.

Technical Tip: Adding or removing IP addresses and port ranges to/from a predefined internet service using the internet service extension

You are leaving our website