FortiGate
sreddi
Staff
Article Id 194297

Description


This article describes how to configure internet service database objects with geographical information in the policy. 
Geographic-based Internet Service Database (ISDB) objects allow users to define a country, region, and city.


These objects can be used in firewall policies for more granular, location-based control within the parent ISDB object.
ISDB objects are now referenced in policies by name instead of ID.


Scope


FortiGate.

Solution


To apply a location-based ISDB object to a policy from the GUI:

  1. Create the ISDB object.
  • Go to Policy & Objects -> Internet Service Database and select 'Create New'.
  • For Type, select 'Geographic Based' and configure the other settings as needed.
  • Select 'OK'.

  2. View the IP ranges in the location-based internet service.
  • Go to Policy & Objects -> Internet Service Database.
  • In the table, hover over the object created in step 1 and select 'View/Edit Entries'. The list of IPs is displayed.
  • Select 'Return'.

  3. Add the ISDB object to a policy.
  • Go to Policy & Objects -> Firewall Policy. Create a new policy or edit an existing policy.
  • For Destination, select 'Internet Service' and select the ISDB object created in step 1.
  • Configure the other settings as needed.
  • Select 'OK'.

To apply a location-based ISDB object to a policy from the CLI:

  1. Create the ISDB object.

config firewall internet-service-name
    edit "test-locaction-isdb-1"
        set type location
        set internet-service-id 65536
        set country-id 840
        set region-id 283
        set city-id 23352
    next
end

  2. View the IP ranges in the location-based internet service.

diagnose internet-service id 65536 | grep "country(840) region(283) city(23352)"
96.45.33.73-96.45.33.73 country(840) region(283) city(23352) blacklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(6) port(1-65535)
96.45.33.73-96.45.33.73 country(840) region(283) city(23352) blacklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(17) port(1-65535)
198.94.221.56-198.94.221.56 country(840) region(283) city(23352) blacklist(0x0) reputation (4), domain(5) popularity(4) botnet(0) proto(6) port(1-65535)
198.94.221.56-198.94.221.56 country(840) region(283) city(23352) blacklist(0x0) reputation (4), domain(5) popularity(4) botnet(0) proto(17) port(1-65535)

  3. Add the ISDB object to a policy.


config firewall policy
    edit 99
        set name "Demo_Policy"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "test-locaction-isdb-1"
        set action accept
        set schedule "always"
        set logtraffic all
        set logtraffic-start enable
        set auto-asic-offload disable
        set nat enable
    next
end
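As an added example (not part of the original article or of FortiOS), the following Python script parses the `diagnose internet-service id` output shown in step 2 into structured records, keeps only the entries carrying the country/region/city IDs of the ISDB object, collapses the per-protocol duplicates and counts how many addresses the policy destination will actually match. The sample output is constructed: the first three lines mirror the page's entries and the last line is an invented entry for a different location, added to exercise the filter.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the format of "diagnose internet-service id <id>" output.
# Lines 1-3 mirror the page; line 4 is invented (different location IDs).
SAMPLE_OUTPUT = """\
96.45.33.73-96.45.33.73 country(840) region(283) city(23352) blacklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(6) port(1-65535)
96.45.33.73-96.45.33.73 country(840) region(283) city(23352) blacklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(17) port(1-65535)
198.94.221.56-198.94.221.56 country(840) region(283) city(23352) blacklist(0x0) reputation (4), domain(5) popularity(4) botnet(0) proto(6) port(1-65535)
203.0.113.10-203.0.113.20 country(124) region(1) city(2) blacklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(6) port(1-65535)
"""

ENTRY_RE = re.compile(r"^([0-9a-fA-F.:]+)-([0-9a-fA-F.:]+)\s+(.*)$")
FIELD_RE = re.compile(r"(\w+)\s*\(([^)]*)\)")  # tolerates "reputation (4)"

@dataclass
class IsdbEntry:
    first_ip: str
    last_ip: str
    fields: dict  # country, region, city, blacklist, reputation, proto, port, ...

def parse_isdb_output(text: str) -> list:
    """Parse each output line into an IsdbEntry; lines that are not entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(IsdbEntry(m.group(1), m.group(2), dict(FIELD_RE.findall(m.group(3)))))
    return entries

def in_location(e: IsdbEntry, country: int, region: int, city: int) -> bool:
    """True if the entry carries exactly the country/region/city IDs set on the ISDB object."""
    want = (str(country), str(region), str(city))
    return (e.fields.get("country"), e.fields.get("region"), e.fields.get("city")) == want

def unique_ranges(entries: list) -> list:
    """Collapse per-protocol duplicates (proto 6 and 17 repeat the same range), keeping order."""
    return list(dict.fromkeys(f"{e.first_ip}-{e.last_ip}" for e in entries))

def address_count(ranges: list) -> int:
    """Number of individual addresses covered by a list of 'first-last' ranges."""
    total = 0
    for r in ranges:
        first, last = (ipaddress.ip_address(x) for x in r.split("-"))
        total += int(last) - int(first) + 1
    return total

if __name__ == "__main__":
    matched = [e for e in parse_isdb_output(SAMPLE_OUTPUT) if in_location(e, 840, 283, 23352)]
    ranges = unique_ranges(matched)
    print(ranges, address_count(ranges))
```

On a live unit, pipe the unfiltered `diagnose internet-service id 65536` output into the script instead of the constructed sample to confirm that every entry reported for the object belongs to the intended location before the policy goes into production.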


Note: In ISDB policies, only ISDB objects can be used as the destination address; a combination of ISDB and IP/FQDN address objects cannot be created in the same policy. An error is shown when an address object is added alongside an ISDB object.

