Created on 06-27-2020 08:39 AM Edited on 10-24-2024 04:49 AM By Jean-Philippe_P
Description
This article describes how to configure internet service database objects with geographical information in the policy.
Geographic-based Internet Service Database (ISDB) objects allow users to define a country, region, and city.
These objects can be used in firewall policies for more granular control over the location of the parent ISDB object.
ISDB objects are now referenced in policies by name instead of ID.
Scope
FortiGate.
Solution
To apply a location-based ISDB object to a policy from the GUI, create the location object first, review the list of IPs that is displayed for it, and then add the object to a policy. The same steps from the CLI are shown below.
Create the location-based ISDB object:
config firewall internet-service-name
    edit "test-locaction-isdb-1"
        set type location
        set internet-service-id 65536
        set country-id 840
        set region-id 283
        set city-id 23352
    next
end
View the IP ranges in the location-based internet service.
diagnose internet-service id 65536 | grep "country(840) region(283) city(23352)"
96.45.33.73-96.45.33.73 country(840) region(283) city(23352) blacklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(6) port(1-65535)
96.45.33.73-96.45.33.73 country(840) region(283) city(23352) blacklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(17) port(1-65535)
198.94.221.56-198.94.221.56 country(840) region(283) city(23352) blacklist(0x0) reputation(4), domain(5) popularity(4) botnet(0) proto(6) port(1-65535)
198.94.221.56-198.94.221.56 country(840) region(283) city(23352) blacklist(0x0) reputation(4), domain(5) popularity(4) botnet(0) proto(17) port(1-65535)
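Before a location-based object is used as a policy destination, it is worth checking exactly which IP ranges, protocols and ports it resolves to. The following is an added example, not Fortinet code: it parses the entry lines printed by the diagnose command above (the four entries from this article are used as sample input) and answers whether a given destination would fall inside the object.

```python
import ipaddress
import re

# One regex per entry line of 'diagnose internet-service id <id>'. Some entries in the
# article print 'reputation (4)' with a space, so '\s*' tolerates both spellings.
ENTRY_RE = re.compile(
    r"(?P<start>\d+\.\d+\.\d+\.\d+)-(?P<end>\d+\.\d+\.\d+\.\d+)"
    r" country\((?P<country>\d+)\) region\((?P<region>\d+)\) city\((?P<city>\d+)\)"
    r" blacklist\((?P<blacklist>0x[0-9a-fA-F]+)\) reputation\s*\((?P<reputation>\d+)\),"
    r" domain\((?P<domain>\d+)\) popularity\((?P<popularity>\d+)\) botnet\((?P<botnet>\d+)\)"
    r" proto\((?P<proto>\d+)\) port\((?P<port_lo>\d+)-(?P<port_hi>\d+)\)"
)

# Sample input: the four entries shown in the article (TCP and UDP per IP), copied verbatim.
SAMPLE_OUTPUT = """\
96.45.33.73-96.45.33.73 country(840) region(283) city(23352) blacklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(6) port(1-65535)
96.45.33.73-96.45.33.73 country(840) region(283) city(23352) blacklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(17) port(1-65535)
198.94.221.56-198.94.221.56 country(840) region(283) city(23352) blacklist(0x0) reputation (4), domain(5) popularity(4) botnet(0) proto(6) port(1-65535)
198.94.221.56-198.94.221.56 country(840) region(283) city(23352) blacklist(0x0) reputation (4), domain(5) popularity(4) botnet(0) proto(17) port(1-65535)
"""
STRING_FIELDS = ("start", "end", "blacklist")

def parse_entries(text):
    """Return one dict per matching entry line; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            entries.append({k: v if k in STRING_FIELDS else int(v) for k, v in m.groupdict().items()})
    return entries

def location_matches(entries, country, region, city):
    """True when every entry carries the country/region/city the object was configured with."""
    return bool(entries) and all(
        e["country"] == country and e["region"] == region and e["city"] == city for e in entries)

def covered_ips(entries):
    """Distinct IP ranges in the object, regardless of protocol or port."""
    return sorted({(e["start"], e["end"]) for e in entries})

def destination_matches(entries, ip, proto, port):
    """Would traffic to ip/proto/port fall inside one of the object's entries?"""
    addr = ipaddress.ip_address(ip)
    for e in entries:
        if e["proto"] != proto or not e["port_lo"] <= port <= e["port_hi"]:
            continue
        if ipaddress.ip_address(e["start"]) <= addr <= ipaddress.ip_address(e["end"]):
            return True
    return False
```

Feed the full diagnose output (not just the grep-filtered lines) to see every range a policy using the object will match.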
Add the ISDB object to a policy.
config firewall policy
    edit 99
        set name "Demo_Policy"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "test-locaction-isdb-1"
        set action accept
        set schedule "always"
        set logtraffic all
        set logtraffic-start enable
        set auto-asic-offload disable
        set nat enable
    next
end
Note: In ISDB policies, only ISDB objects can be used as the destination address; ISDB objects cannot be combined with IP or FQDN address objects in the same policy. An error is shown when such an address object is added.