FortiGate
Debbie_FTNT
Staff & Editor
Article Id 193407

Description

This article explains when and how a single IP address can appear in multiple Internet Service Database (ISDB) entries, and what to consider when ISDB entries are used as destinations in firewall policies or routing.

Useful links:
Fortinet Documentation.

FortiOS handbook details on ISDB:
ISDB in policies: ISDB and IRDB in firewall policies
Adding Internet service support to policies: What's New in FortiOS 5.6.0 (p.77/78)
FortiGuard ISDB updates: Internet Services Version: 7.04228

Scope

FortiGate.

Solution

Internet Services were added to FortiOS in version 5.4 and became usable as policy objects in version 5.6.
Each Internet Service is a FortiGuard-maintained, continuously updated list of public IP addresses and ports grouped by the service or application they belong to, such as Amazon AWS or Microsoft Office.

These are visible in the FortiGate GUI, and the member IP addresses can be seen when editing an Internet Service object.

[Screenshot: Internet Service object showing its member IP addresses]


In FortiOS 5.4, 5.6 and 6.0, an IP address can be a member of only one ISDB entry.
This causes problems when the same IP is used by several services, for example Microsoft addresses that serve both Office 365 and Azure: the database assigns the IP to one entry only, so a policy or route keyed on the other entry will never match it, even though the traffic genuinely belongs to that service.
On 6.0 and lower, a policy or route based on an ISDB entry can therefore fail to match part of a service's traffic. Traffic to the IP falls through to whatever policy comes next, typically the implicit deny, because the IP is already owned by a different ISDB entry.

The example below shows the same IP address, 151.101.131.42, shared by LinkedIn and Spotify. Any policy or UTM feature that keys on the destination IP alone will behave inconsistently for such an address.

This can also be verified with external CDN finder tools:

https://www.cdnplanet.com/tools/cdnfinder/#id:1253339941693_739620ab529856166486

https://www.cdnplanet.com/tools/cdnfinder/#id:1253340632363_b6509733a8157a5b9748


To check which ISDB entries a particular IP address belongs to, use the following CLI command. The first argument is the VDOM name (root here); a 255.255.255.255 mask queries a single address:


FGT# diagnose internet-service match root 151.101.131.42 255.255.255.255
Internet Service: 11075786(Spotify-Spotify), matched entry num: 3, matched num: 3
Internet Service: 851969(LinkedIn-Web), matched entry num: 4, matched num: 4
Internet Service: 851970(LinkedIn-ICMP), matched entry num: 1, matched num: 1


To work around this, there are a few options:

  1. Upgrade to FortiOS 6.2 or later: from 6.2 onward the same IP can be a member of multiple ISDB entries, so a policy keyed on any one of those entries matches the IP.
  2. Manually create address objects or address groups containing the affected IPs and add policies that use them, alongside the Internet Service policies. This is precise, but the list has to be maintained by hand as the ISDB changes.
  3. Add the other Internet Services that contain the missing IPs to the policy. Note that this widens the policy: it also allows access to every other IP in those additional Internet Services, not only the shared ones.
  4. Allow, block or filter the traffic at a higher layer instead of by IP: Application Control with specific application signatures, Web Filter with a static URL filter, or DNS Filter. These classify by hostname or application rather than by destination IP, so shared CDN addresses do not affect them.
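As an added example that is not part of the original article and not FortiOS code, the following Python parses the output of the diagnose command above for several addresses, lists the IPs that appear in more than one ISDB entry, models how a policy keyed on one entry treats such an IP on 6.0 and lower versus 6.2 and later, and generates the address objects and address group for workaround option 2 as FortiOS CLI. The second lookup (203.0.113.10), the object names, and the assumption that the first listed entry is the one a 6.0 unit would have owned are all constructed for the example.

```python
"""Added example (not code from the Fortinet article): parse the output of
`diagnose internet-service match <vdom> <ip> <mask>` for several addresses,
report the IPs that belong to more than one ISDB entry, model how a policy
keyed on one entry treats such an IP before and after FortiOS 6.2, and emit
the address-object workaround (option 2) as FortiOS CLI config."""
import re

# Constructed sample input: the lookup shown in the article plus a second,
# hypothetical address (203.0.113.10, documentation range) that belongs to
# a single ISDB entry.
DIAG_OUTPUT = """\
FGT# diagnose internet-service match root 151.101.131.42 255.255.255.255
Internet Service: 11075786(Spotify-Spotify), matched entry num: 3, matched num: 3
Internet Service: 851969(LinkedIn-Web), matched entry num: 4, matched num: 4
Internet Service: 851970(LinkedIn-ICMP), matched entry num: 1, matched num: 1
FGT# diagnose internet-service match root 203.0.113.10 255.255.255.255
Internet Service: 851969(LinkedIn-Web), matched entry num: 1, matched num: 1
"""

CMD_RE = re.compile(r"diagnose internet-service match \S+ (\d+(?:\.\d+){3})")
SVC_RE = re.compile(r"Internet Service: (\d+)\((.+?)\), matched entry num")


def parse_matches(text):
    """Return {ip: [(service_id, service_name), ...]} in the order the
    FortiGate listed the entries for each queried address."""
    matches = {}
    current = None
    for line in text.splitlines():
        cmd = CMD_RE.search(line)
        if cmd:
            current = cmd.group(1)
            matches.setdefault(current, [])
            continue
        svc = SVC_RE.search(line)
        if svc and current is not None:
            matches[current].append((int(svc.group(1)), svc.group(2)))
    return matches


def shared_ips(matches):
    """IPs that the database places in more than one ISDB entry."""
    return {ip: svcs for ip, svcs in matches.items() if len(svcs) > 1}


def policy_matches(ip, service_name, matches, multi_membership):
    """Would a policy whose destination is the ISDB entry `service_name`
    match traffic to `ip`?
    multi_membership=True  models FortiOS 6.2+: the IP belongs to every
                           entry the lookup lists.
    multi_membership=False models 6.0 and lower: the IP has exactly one
                           owner. The sample output comes from a 6.2+ unit,
                           so the entry a 6.0 unit would have assigned is
                           not recoverable; this model assumes the first
                           listed entry is the owner (an assumption for the
                           example, not documented FortiOS behaviour)."""
    names = [name for _, name in matches.get(ip, [])]
    if not names:
        return False
    if multi_membership:
        return service_name in names
    return names[0] == service_name


def workaround_config(service_name, matches):
    """FortiOS CLI for option 2: a /32 address object for every shared IP
    that belongs to `service_name`, plus an address group to reference as
    dstaddr in a policy placed alongside the Internet Service policy.
    Object names are chosen here for the example and are not Fortinet
    conventions. Returns "" when no shared IP belongs to the service."""
    members = []
    lines = ["config firewall address"]
    for ip, svcs in sorted(shared_ips(matches).items()):
        names = [name for _, name in svcs]
        if service_name not in names:
            continue
        obj = f"ISDB-shared-{service_name}-{ip}"
        others = ", ".join(n for n in names if n != service_name)
        members.append(obj)
        lines += [f'    edit "{obj}"',
                  f"        set subnet {ip} 255.255.255.255",
                  f'        set comment "also in ISDB entries: {others}"',
                  "    next"]
    lines.append("end")
    if not members:
        return ""
    lines += ["config firewall addrgrp",
              f'    edit "ISDB-shared-{service_name}"',
              "        set member " + " ".join(f'"{m}"' for m in members),
              "    next",
              "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    m = parse_matches(DIAG_OUTPUT)
    for ip, svcs in shared_ips(m).items():
        print(ip, "is in:", ", ".join(name for _, name in svcs))
    for version, multi in (("6.0", False), ("6.2+", True)):
        print(version, "policy on LinkedIn-Web matches 151.101.131.42:",
              policy_matches("151.101.131.42", "LinkedIn-Web", m, multi))
    print(workaround_config("LinkedIn-Web", m))
```

Feed the script the captured output of the diagnose command for each address you care about, paste the generated config into the CLI, and reference the group as the destination of a policy placed next to the Internet Service policy. Re-run it after ISDB updates, since entry membership changes over time and the hand-built list will otherwise drift.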


It is important to note that serving many customers' domains from the same IP addresses is standard practice for CDN providers: the CDN edge terminates the connection and routes on the requested hostname (HTTP Host header or TLS SNI), so a destination IP on its own does not identify a service. Policies that must distinguish between services hosted on a shared CDN should therefore rely on hostname- or application-aware controls rather than on ISDB or address objects alone.