FortiGate
pjawalekar
Staff
Article Id 241077
Description This article describes how, from v6.2, an IP address can be part of several ISDB objects, and how FortiGate decides which of those objects is matched.
Scope FortiGate v6.2 and above.
Solution

Traffic is matched against the ISDB on the 3-tuple (protocol, port, IP).

v6.2 also introduces the 'singularity' value, which acts as a weight: when an IP address belongs to several ISDB objects, the object with the highest singularity value is the one matched for that 3-tuple.
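The following is an added illustration (not Fortinet code) of the selection rule just described: every ISDB object whose entries contain the 3-tuple is a candidate, and the highest singularity wins. The object ids, names and singularity values are the ones the article shows; the IP ranges, ports and protocols are constructed sample data, not the real ISDB contents.

```python
# Added illustration of how an ISDB lookup is resolved on the 3-tuple
# (protocol, port, IP), with the singularity value deciding between
# overlapping objects. Not Fortinet code. Object ids, names and singularity
# values are taken from the article; the IP ranges, ports and protocols are
# constructed sample data, not the real ISDB contents.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TCP = 6


@dataclass
class IsdbObject:
    id: int
    name: str
    singularity: int
    # constructed entries: (protocol number, port, ip_network)
    entries: list

    def matches(self, proto: int, port: int, ip: str) -> bool:
        """True if any entry of this object contains the 3-tuple."""
        addr = ip_address(ip)
        return any(
            p == proto and pt == port and addr in net
            for p, pt, net in self.entries
        )


def resolve(objects: list, proto: int, port: int, ip: str) -> Optional[IsdbObject]:
    """Return the object FortiGate would report for this 3-tuple.

    All objects containing the 3-tuple are candidates; the highest singularity
    wins. The article does not say how equal singularity values are resolved,
    so this model simply keeps the first candidate found.
    """
    candidates = [o for o in objects if o.matches(proto, port, ip)]
    if not candidates:
        return None
    return max(candidates, key=lambda o: o.singularity)


# Constructed sample: both objects cover 40.101.76.0/24 on TCP/443, so the
# lookup for 40.101.76.130:443 is ambiguous and singularity decides.
SAMPLE_OBJECTS = [
    IsdbObject(327880, "Microsoft-Office365.Published", 17,
               [(TCP, 443, ip_network("40.101.76.0/24"))]),
    IsdbObject(327791, "Microsoft-Outlook", 15,
               [(TCP, 443, ip_network("40.101.76.0/24")),
                (TCP, 993, ip_network("40.101.76.0/24"))]),
]

if __name__ == "__main__":
    for proto, port, ip in [(TCP, 443, "40.101.76.130"),   # both match -> 327880
                            (TCP, 993, "40.101.76.130"),   # only Outlook matches
                            (17, 443, "40.101.76.130")]:   # UDP: no entry matches
        hit = resolve(SAMPLE_OBJECTS, proto, port, ip)
        print(proto, port, ip, "->", f"{hit.id} ({hit.name})" if hit else "no match")
```

Run it directly to see the three cases; the TCP/443 lookup lands on 327880 because its singularity (17) beats 15, exactly what the diagnose command in the article reports.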

  • Below is the SD-WAN rule configured with two ISDB destination objects:  


[Figure 1: SD-WAN rule with two ISDB destination objects]


  • The ISDB object that will be matched can be checked with the following command (arguments: VDOM, protocol number, port, IP address):

chameleon-kvm14 # diagnose internet-service info root 6 443 40.101.76.130
Internet Service: 327880(Microsoft-Office365.Published) country(40 Austria) region(2028 Vienna) city(25332 Vienna)

  • The singularity value is shown in the output of each ISDB object; it can be verified with the get command as below:

chameleon-kvm14 # config firewall internet-service 327880

chameleon-kvm14 (327880) # get
id : 327880
name : Microsoft-Office365.Published
icon-id : 502
direction : both
database : isdb
ip-range-number : 7278
extra-ip-range-number: 7278
ip-number : 2570488
singularity : 17
obsolete : 0

chameleon-kvm14 # config firewall internet-service 327791

chameleon-kvm14 (327791) # get
id : 327791
name : Microsoft-Outlook
icon-id : 511
direction : both
database : isdb
ip-range-number : 7404
extra-ip-range-number: 0
ip-number : 1654227
singularity : 15
obsolete : 0

  • The session list output below shows that ISDB object 327880, the one with the higher singularity value, is the match (rpdb_svc_id=327880):

diagnose sys session filter src 10.100.13.195
diagnose sys session list

session info: proto=6 proto_state=01 duration=1 expire=3598 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=1915/8/1 reply=18094/16/1 tuples=2
tx speed(Bps/kbps): 1075/8 rx speed(Bps/kbps): 10165/81
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.5.31.254/10.100.13.195
hook=post dir=org act=snat 10.100.13.195:54752->40.126.32.139:443(10.5.21.14:54752)
hook=pre dir=reply act=dnat 40.126.32.139:443->10.5.21.14:54752(10.100.13.195:54752)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=3bc414c0 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=1 sdwan_service_id=1
rpdb_link_id=ff000001 rpdb_svc_id=327880 ngfwid=n/a
npu_state=0x040000
total session 31
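The verification steps above (read the singularity of each candidate object, then confirm the session's rpdb_svc_id points at the object with the highest value) can be scripted. The following helper is an added example, not Fortinet code: it parses the article's own `get` and `diagnose sys session list` output, embedded below as sample text, and checks that the session was assigned to the expected object.

```python
# Added helper that checks the article's diagnostic output: it parses the
# singularity values from each ISDB object's 'get' listing and confirms that
# the session's rpdb_svc_id is the object with the highest singularity.
# Not Fortinet code. The sample texts are the CLI output shown in the article.
import re

OFFICE365_GET = """\
chameleon-kvm14 (327880) # get
id : 327880
name : Microsoft-Office365.Published
icon-id : 502
direction : both
database : isdb
ip-range-number : 7278
extra-ip-range-number: 7278
ip-number : 2570488
singularity : 17
obsolete : 0
"""

OUTLOOK_GET = """\
chameleon-kvm14 (327791) # get
id : 327791
name : Microsoft-Outlook
icon-id : 511
direction : both
database : isdb
ip-range-number : 7404
extra-ip-range-number: 0
ip-number : 1654227
singularity : 15
obsolete : 0
"""

SESSION_LIST = """\
session info: proto=6 proto_state=01 duration=1 expire=3598 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=1915/8/1 reply=18094/16/1 tuples=2
tx speed(Bps/kbps): 1075/8 rx speed(Bps/kbps): 10165/81
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.5.31.254/10.100.13.195
hook=post dir=org act=snat 10.100.13.195:54752->40.126.32.139:443(10.5.21.14:54752)
hook=pre dir=reply act=dnat 40.126.32.139:443->10.5.21.14:54752(10.100.13.195:54752)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=3bc414c0 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=1 sdwan_service_id=1
rpdb_link_id=ff000001 rpdb_svc_id=327880 ngfwid=n/a
npu_state=0x040000
total session 31
"""

# Fields of the 'get' listing that carry integers.
INT_FIELDS = {"id", "icon-id", "ip-range-number", "extra-ip-range-number",
              "ip-number", "singularity", "obsolete"}


def parse_isdb_get(text: str) -> dict:
    """Turn the 'key : value' lines of a 'get' listing into a dict.

    The prompt line has no colon and is skipped; numeric fields become ints.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)\s*:\s*(.+?)\s*$", line)
        if m:
            key, value = m.groups()
            fields[key] = int(value) if key in INT_FIELDS else value
    return fields


def session_service_ids(text: str) -> list:
    """Collect every rpdb_svc_id from 'diagnose sys session list' output."""
    return [int(x) for x in re.findall(r"rpdb_svc_id=(\d+)", text)]


def expected_winner(objects: list) -> int:
    """Id of the candidate object with the highest singularity."""
    return max(objects, key=lambda o: o["singularity"])["id"]


def session_uses_expected_object(objects: list, session_text: str) -> bool:
    """True if every session in the listing was assigned to the expected object."""
    winner = expected_winner(objects)
    ids = session_service_ids(session_text)
    return bool(ids) and all(i == winner for i in ids)


if __name__ == "__main__":
    objs = [parse_isdb_get(OFFICE365_GET), parse_isdb_get(OUTLOOK_GET)]
    print("expected:", expected_winner(objs), "sessions:", session_service_ids(SESSION_LIST))
    print("consistent:", session_uses_expected_object(objs, SESSION_LIST))
```

With the article's output the check passes: both `get` listings parse to singularity 17 and 15, and the single session carries rpdb_svc_id=327880. Feeding the same functions the output of a longer `diagnose sys session list` run lets you spot sessions that were assigned to a different ISDB object than the one with the highest singularity, which is the first thing to look at when an SD-WAN rule does not steer the traffic you expect.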