Technical Tip: Grouping ISDB objects

ksolovjova · ‎10-30-2023

Description

This article describes that it is necessary to group Internet Services to use them in a policy, it may happen to receive the 'Entry not found in datasource' error.

Scope

FortiOS 6.2, 6.4, 7.0, 7.2, 7.4.

Solution

In this case, it is necessary to check the 'direction' attribute of the Internet Service group and match it with the same attribute of the Internet Service:

By default, the newly created internet-service-group is 'both':

config firewall internet-service-group
edit "1000"

show full
set direction both
end

Direction can be changed:

config firewall internet-service-group
edit 1000

set direction ?
source           As source when applied.
destination      As destination when applied.
both             Both directions when applied.

Internet Services also have destination attributes:

diag internet-service id-summary 327681
Version: 00007.03429
...
Internet Service: 327681(Microsoft-Web)...
Direction: dst

Or:

diag internet-service id-summary 327903
Version: 00007.03429
...
Internet Service: 327903(Microsoft-Office365.Published.Allow)
Direction: both

Internet Services with directions 'both' can be added to groups with directions 'destination' and 'source'. For example, if the group direction is 'both', it is possible to add only Microsoft-Office365.Published.Allow ('both'), but not Microsoft-Web ('dst') to it. However, if changing the type to 'destination', it is possible to add both services.

This configuration can be done only from CLI.

Note :

Starting from v7.4.5 and v7.6.0, this can be configured using GUI as well.

Go to Policy & Objects -> Internet Service Database -> Select Internet Service Group -> Create new.