FortiGate
Anthony_E
Community Manager
Article Id 193147

Description

FortiOS 6.2 introduces flexibility to tune Internet Service DB (ISDB) entries for different environments.
This article describes the CLI option that lets the admin add custom ports and port ranges to predefined ISDB entries.

These objects cover the relevant ports by default, including but not limited to the following:

  • 'Malicious-Malicious.Server' and 'Phishing-Phishing.Server' for Web services.
  • 'Spam-Spamming.Server' for email services.
  • 'VPN-Anonymous.VPN' for VPN services.

The CLI option allows additional ports to be appended to these objects so that more protocols or ports can be blocked.

Adding new ports does not remove the ports already associated with the Internet Service; the new ports are appended to the existing list.

Example: Port 1111 is added to the Internet Service 3604638 (GitHub-GitHub):

config firewall internet-service-addition
    edit 3604638
        config entry
            edit 3
                set protocol 6
                config port-range
                    edit 3
                        set start-port 1111
                        set end-port 1111
                    next
                end
            next
        end
    next
end

  • Check the Internet Service 3604638 (GitHub-GitHub):

diag internet-service id 3604638
Internet Service: 3604638(GitHub-GitHub)
Version: 00007.03927
Timestamp: 202411051645
Number of Entries: 746
1.3.4.5-1.3.4.5 country(156) region(628) city(9028) blocklist(0x0) reputation(5), popularity(5) domain(1916) botnet(0) proto(6) port(443 80 1111)    <<<------
1.3.4.5-1.3.4.5 country(156) region(628) city(9028) blocklist(0x0) reputation(5), popularity(5) domain(1916) botnet(0) proto(17) port(123 161 1194)  <<<----

 

  • The new port 1111 has been added to the Internet Service 3604638 (GitHub-GitHub); the ports already defined for the service (443 and 80 on TCP) remain in place.
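Checking one entry by eye is easy, but an Internet Service can have hundreds of entries (746 in the output above). As an added example that is not part of the original article or of Fortinet's tooling, the following Python script parses the 'diag internet-service id' output format shown above and reports whether every port of an added start-port/end-port range is present for a given protocol. The sample output is constructed from the lines on this page, and the function names are this example's own.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample: the header and the two entry lines from the
# 'diag internet-service id 3604638' output shown on this page (the trailing
# '<<<------' markers are kept to show that the parser tolerates them).
SAMPLE_DIAG_OUTPUT = """\
Internet Service: 3604638(GitHub-GitHub)
Version: 00007.03927
Timestamp: 202411051645
Number of Entries: 746
1.3.4.5-1.3.4.5 country(156) region(628) city(9028) blocklist(0x0) reputation(5), popularity(5) domain(1916) botnet(0) proto(6) port(443 80 1111)    <<<------
1.3.4.5-1.3.4.5 country(156) region(628) city(9028) blocklist(0x0) reputation(5), popularity(5) domain(1916) botnet(0) proto(17) port(123 161 1194)  <<<----
"""


class Entry(NamedTuple):
    start_ip: str
    end_ip: str
    proto: int
    ports: List[int]


# One ISDB entry line: an IP range, then key(value) fields, ending with
# proto(N) and port(space-separated list). Anything after the port list is ignored.
ENTRY_RE = re.compile(
    r"^(?P<start>\d{1,3}(?:\.\d{1,3}){3})-(?P<end>\d{1,3}(?:\.\d{1,3}){3})"
    r".*?\bproto\((?P<proto>\d+)\)\s+port\((?P<ports>[^)]*)\)"
)


def parse_entries(text: str) -> List[Entry]:
    """Parse the entry lines of 'diag internet-service id <id>' output.

    Header lines (Internet Service, Version, Timestamp, Number of Entries)
    do not match the pattern and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        ports = [int(p) for p in m.group("ports").split()]
        entries.append(Entry(m.group("start"), m.group("end"), int(m.group("proto")), ports))
    return entries


def ports_for_proto(text: str, proto: int) -> Set[int]:
    """Union of all ports listed for the given IP protocol (6 = TCP, 17 = UDP)."""
    return {p for e in parse_entries(text) if e.proto == proto for p in e.ports}


def check_addition(text: str, proto: int, start_port: int, end_port: int) -> Dict[str, List[int]]:
    """Report which ports of an added range are present in, or missing from, the entries.

    Mirrors the start-port/end-port pair of 'config port-range': the range is
    fully applied when 'missing' is empty. Run it on the diag output captured
    after 'execute internet-service refresh' to confirm the addition landed.
    """
    present = ports_for_proto(text, proto)
    wanted = range(start_port, end_port + 1)
    return {
        "present": [p for p in wanted if p in present],
        "missing": [p for p in wanted if p not in present],
    }


if __name__ == "__main__":
    # Port 1111/tcp was added on this page. The range 8080-8090/tcp is the
    # Solution section's example and is not in this constructed output,
    # so it is reported as missing.
    print(check_addition(SAMPLE_DIAG_OUTPUT, 6, 1111, 1111))
    print(check_addition(SAMPLE_DIAG_OUTPUT, 6, 8080, 8090))
```

The check is per protocol on purpose: a port added with 'set protocol 6' must be looked for on the proto(6) line, and its absence from the proto(17) line is expected, not a failure.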

Scope

FortiOS 6.2 and above.


Solution

Use the CLI command 'config firewall internet-service-addition' in the global context to tune the ISDB for the user's environment.

To add a custom port range in global:

config firewall internet-service-addition
    edit 65646
        set comment "Add custom port-range:tcp/8080-8090 into 65646"
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 8080
                        set end-port 8090
                    next
                end
            next
        end
    next
end

 

The following warning will be received:

Configuration will only be applied after using the 'execute internet-service refresh' command or when the internet-service database updates.

Use the following command to apply the change:

execute internet-service refresh

Internet Service IPv4 refresh start ...
Start to initialize APP file.
Start to initialize MAP file.

Internet Service is refreshed.

Since FortiOS 7.2, the command has changed and the IPv4 and IPv6 databases are refreshed separately:

execute internet-service4 refresh
Internet Service IPv4 refresh start ...
Start to initialize APP file.
Start to initialize MAP file.

Internet Service is refreshed.
execute internet-service6 refresh
Internet Service IPv6 refresh start ...
Start to initialize APP file.
Start to initialize MAP file.
Internet Service is refreshed.

 

Use the following command to verify that the change was applied. To confirm a custom addition, query with a protocol and a port inside the added range, since a match on a port that was already predefined does not prove the addition took effect:


diagnose internet-service info
Please input <vdname> <protocol> <port> <ip> <priority-list>


diagnose internet-service info root 6 443 220.216.107.205
Internet Service: 65646(Google-Gmail) country(392 Japan) region(1906 Tokyo) city(24203 Tokyo)

 

Exception:

Most of the objects are customizable, with the exception of 'Botnet-C&C.Server' and 'Tor-Relay.Node'. These objects use different ports for different IP addresses, so their entries are 3-tuples of IP-protocol-port rather than an IP address range with a predefined port list, and custom ports cannot be appended to them.

Related articles:

7.2 Documentation

Technical Tip: Verifying which Internet Service database type and version installed on FortiOS-based...

Technical Tip: Error message 'ISDB001 is unauthorized' when running FortiGuard updates debug