FortiGate
dbhavsar
Staff
Article Id 328495
Description

 

This article describes how to add multiple Internet Service Database (ISDB) services to an Internet Service group and use that group in firewall policies.

 

Scope

 

FortiOS v6.2, v6.4, v7.0, v7.2, v7.4.

 

Solution

 

In FortiOS v7.4 and earlier, this can only be done through the CLI:


config firewall internet-service-group
    edit "ISDB"
        set member "Microsoft-Azure" "Meta-Other" "Google-Other" "Google-Google.Cloud"
    next
end

 

To add Internet Service objects after group creation, use the command 'append member <service-name>', as demonstrated below.

 

config firewall internet-service-group
    edit "ISDB"
        append member "Amazon-AWS.Cloud9"
    next
end

 

show firewall internet-service-group ISDB

config firewall internet-service-group
    edit "ISDB"
        set member "Microsoft-Azure" "Meta-Other" "Google-Other" "Google-Google.Cloud" "Amazon-AWS.Cloud9"
    next
end

 

To remove a member after group creation, use the command 'unselect member <service-name>', as demonstrated below.

 

config firewall internet-service-group
    edit "ISDB"
        unselect member "Microsoft-Azure" "Meta-Other"
    next
end

 

show firewall internet-service-group ISDB

config firewall internet-service-group
    edit "ISDB"
        set member "Google-Other" "Google-Google.Cloud" "Amazon-AWS.Cloud9"
    next
end
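
The following Python script is an added example, not part of the original article or any Fortinet tooling. It parses the 'show firewall internet-service-group' output and builds the 'append member' / 'unselect member' lines needed to reach a reviewed target membership. The function names parse_members and plan_changes are hypothetical, and the sample output is constructed from the listing shown earlier in this article.

```python
import shlex

# Constructed sample: the 'show' output from the article after the append step.
SHOW_OUTPUT = '''config firewall internet-service-group
    edit "ISDB"
        set member "Microsoft-Azure" "Meta-Other" "Google-Other" "Google-Google.Cloud" "Amazon-AWS.Cloud9"
    next
end'''


def parse_members(show_output):
    """Return the member names from 'show firewall internet-service-group <name>' output."""
    for line in show_output.splitlines():
        tokens = shlex.split(line)  # honours the double quotes around each name
        if tokens[:2] == ["set", "member"]:
            return tokens[2:]
    return []


def plan_changes(group, current, desired):
    """Return CLI lines that move `group` from `current` to `desired` membership.

    Emits append/unselect with one name per line instead of 'set member', so
    each change is an explicit, reviewable line rather than a full rewrite.
    """
    for name in [group, *current, *desired]:
        # Refuse names that could break out of the quoted CLI argument.
        if any(c in name for c in '"\\\n\r'):
            raise ValueError(f"unsafe character in name: {name!r}")
    to_add = [m for m in desired if m not in current]
    to_remove = [m for m in current if m not in desired]
    if not to_add and not to_remove:
        return []  # already in the desired state, emit nothing
    lines = ["config firewall internet-service-group", f'    edit "{group}"']
    lines += [f'        append member "{m}"' for m in to_add]
    lines += [f'        unselect member "{m}"' for m in to_remove]
    return lines + ["    next", "end"]


if __name__ == "__main__":
    current = parse_members(SHOW_OUTPUT)
    desired = ["Google-Other", "Google-Google.Cloud", "Amazon-AWS.Cloud9"]
    print("\n".join(plan_changes("ISDB", current, desired)))
```
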

 

Note: Starting with FortiOS v7.6.0, this can be configured using the GUI as well.

Go to Policy & Objects -> Internet Service Database -> Select Internet Service Group -> Create new.

 


 

Once the group is created, it can be selected in firewall policies (search for the group so that it appears in the dropdown list).

 

Related document:
Internet service groups in policies