mmaubert
Staff
Description
This article describes why the number of entries associated with Internet Services increased significantly starting with Internet Services Database (ISDB) version 6.0 and FortiOS 6.2.
It also lists the CLI commands that should be used to verify the Internet Services configuration settings and to check which Internet Services a given IP address or tuple matches.


Solution
In FortiOS 5.4, 5.6 and 6.0, an IP address is usually a member of a single Internet Service ID at a time.
This can lead to issues when firewall policies and routing are based on Internet Service IDs and the source and/or destination IP of traffic passing through the firewall belongs to a different Internet Service ID than the one specified in the policy or routing rule, e.g. Microsoft IP address ranges that are used for both Office 365 and Azure services.

Starting with FortiOS 6.2.0 and ISDB version 6.0, the Internet Service database associates all IP addresses of a vendor with its Internet Services, and the individual services are then generated automatically by FortiOS.
An IP address or IP address range can therefore belong to several Internet Service IDs.
As a consequence of this design change, far more entries are globally associated with Internet Services on FortiOS 6.2.0 and above than on earlier versions, which can lead to confusion when configuring Internet Services on pre- and post-6.2.0 FortiOS versions.

The increase in the number of entries / IP ranges associated with the Internet Services is particularly significant for basic Internet services such as Web, FTP, SSH, DNS, LDAP, etc.: with FortiOS 6.0.x and below, these basic services included only the set of IPs that effectively correspond to those services.

As an example, with ISDB version 7.01117, the number of entries / IP ranges displayed for the 'Google-DNS' Internet Service (ID 65539) is 118 with FortiOS 6.0.11, while it is 56709 with FortiOS 6.2.5.

Displaying 'Google-DNS' Internet Service information in the FortiOS 6.0.11 GUI.

Displaying 'Google-DNS' Internet Service information in the FortiOS 6.0.11 CLI.

1) Displaying the ID corresponding to the 'Google-DNS' Internet Service Name.
FGT # diagnose internet-service id-summary | grep Google-DNS
id: 65539 name: "Google-DNS"
2) Displaying a high level view of the number of IP address ranges and IP addresses that are associated to each protocol and port of the 'Google-DNS' Internet Service.
FGT # config firewall internet-service 65539
FGT (65539) # show
# config firewall internet-service 65539
        # config entry
            edit 1
                set protocol 6
                set port 53
                set ip-range-number 59     <----- 59 entries for protocol 6 and port 53.
                set ip-number 89           <----- Corresponding number of IP addresses.
            next
            edit 2
                set protocol 17
                set port 53
                set ip-range-number 59       <----- 59 entries for protocol 17 and port 53.
                set ip-number 89             <----- Corresponding number of IP addresses.
            next
        end
end
Note: The sum of the 'ip-range-number' values corresponds to the number of entries displayed in the GUI (118).
Note: The total number of IP addresses included in the two entries is 178.

3) Displaying the full list of IP address ranges that are associated to each protocol and port of the 'Google-DNS' Internet Service.
FGT # diagnose internet-service id 65539
Version: 00007.01117
Timestamp: 202010302231
Number of Entries: 2
Internet Service: 65539(Google-DNS)
    Protocol: 6 Port: 53
    IP range(59):
    1.0.0.4-1.0.0.5
    1.0.0.19-1.0.0.19
    ........
    216.68.10.165-216.68.10.166
    216.68.10.174-216.68.10.174
    Protocol: 17 Port: 53
    IP range(59):
    1.0.0.4-1.0.0.5
    1.0.0.19-1.0.0.19
    ........
    216.68.10.165-216.68.10.166
    216.68.10.174-216.68.10.174
4) Getting the list of Internet services matching a specific IP address.
FGT # diagnose internet-service match root 8.8.8.8 255.255.255.255
Internet Service: 65537(Google-Web), matched num: 2
Internet Service: 65539(Google-DNS), matched num: 2
Note: IP address 8.8.8.8/32 is associated with 2 Internet Services (Google-Web and Google-DNS).

5) Getting the Internet service matching a specific tuple (protocol – port – IP address).
FGT # diagnose internet-service info root 6 53 8.8.8.8
Internet Service: 65539(Google-DNS)
Note: When a protocol and a port are added to the '8.8.8.8' IP address, a single matching Internet Service (Google-DNS) is returned.

Displaying 'Google-DNS' Internet Service information in the FortiOS 6.2.5 GUI.

Displaying 'Google-DNS' Internet Service information in the FortiOS 6.2.5 CLI.

1) Displaying the ID corresponding to the 'Google-DNS' Internet Service Name.
FGT # diagnose internet-service id-summary | grep Google-DNS
id: 65539 name: "Google-DNS"
2) Displaying a high level view of the number of IP address ranges and IP addresses that are associated to each protocol and port of the 'Google-DNS' Internet Service.
FGT # config firewall internet-service 65539
FGT (65539) # show                           <----- Deprecated starting with FortiOS 6.2.0.

# config firewall internet-service 65539
end


FGT (65539) # get                            <----- Use 'get' command instead.
id                  : 65539
name                : Google-DNS
reputation          : 4
icon-id             : 1
sld-id              : 4
direction           : dst
database            : isdb
ip-range-number     : 56709                  <----- 56709 entries for protocol 6.
extra-ip-range-number: 56709                 <----- 56709 entries for protocol 17.
ip-number           : 10979483               <----- Corresponding number of IP addresses.
singularity         : 6
obsolete            : 0
Note: The 'ip-range-number' value corresponds to the number of entries displayed in the GUI (56709).
Note: The sum of the 'ip-range-number' and 'extra-ip-range-number' values corresponds to the total number of IP ranges displayed in the GUI when opening the Internet Service detail window (113418).
Note: The number of IP addresses included in all the IP ranges is 10979483.

3) Displaying the full list of IP address ranges that are associated to each protocol and port of the 'Google-DNS' Internet Service.
FGT # diagnose internet-service id 65539
Internet Service: 65539(Google-DNS)
Version: 00007.01117
Timestamp: 202010302238
Number of IP ranges: 113418                  <----- Overall number of IP ranges.
1.0.0.4-1.0.0.5 geo_id(19585) black list(0x0) proto(6) port(53)
1.0.0.4-1.0.0.5 geo_id(19585) black list(0x0) proto(17) port(53)
1.0.0.19-1.0.0.19 geo_id(19585) black list(0x0) proto(6) port(53)
1.0.0.19-1.0.0.19 geo_id(19585) black list(0x0) proto(17) port(53)
1.0.0.30-1.0.0.30 geo_id(19585) black list(0x0) proto(6) port(53)
1.0.0.30-1.0.0.30 geo_id(19585) black list(0x0) proto(17) port(53)
.........
223.255.229.175-223.255.229.175 geo_id(29584) black list(0x0) proto(6) port(53)
223.255.229.175-223.255.229.175 geo_id(29584) black list(0x0) proto(17) port(53)
223.255.229.178-223.255.229.180 geo_id(29584) black list(0x0) proto(6) port(53)
223.255.229.178-223.255.229.180 geo_id(29584) black list(0x0) proto(17) port(53)
223.255.229.182-223.255.229.184 geo_id(29584) black list(0x0) proto(6) port(53)
223.255.229.182-223.255.229.184 geo_id(29584) black list(0x0) proto(17) port(53)
223.255.229.186-223.255.229.186 geo_id(29584) black list(0x0) proto(6) port(53)
223.255.229.186-223.255.229.186 geo_id(29584) black list(0x0) proto(17) port(53)

Note: The 'Number of IP ranges' value corresponds to the total number of entries displayed in the GUI when opening the Internet Service detail window (113418).

4) Getting the list of Internet services matching a specific IP address.
FGT # diagnose internet-service match root 8.8.8.8 255.255.255.255
Internet Service: 10748089(DNS-DoH_DoT), matched num: 2
Internet Service: 65537(Google-Web), matched num: 4
Internet Service: 65538(Google-ICMP), matched num: 1
Internet Service: 65539(Google-DNS), matched num: 2
Internet Service: 65540(Google-Outbound_Email), matched num: 4
Internet Service: 65542(Google-SSH), matched num: 1
Internet Service: 65543(Google-FTP), matched num: 2
Internet Service: 65544(Google-NTP), matched num: 2
Internet Service: 65545(Google-Inbound_Email), matched num: 4
Internet Service: 65550(Google-LDAP), matched num: 4
Internet Service: 65551(Google-NetBIOS.Session.Service), matched num: 2
Internet Service: 65552(Google-RTMP), matched num: 2
Internet Service: 65560(Google-NetBIOS.Name.Service), matched num: 1
Internet Service: 65536(Google-Other), matched num: 2
Note: IP address 8.8.8.8/32 is associated with 14 Internet Services, which are sorted from the highest to the lowest singularity value.
As a reminder, 8.8.8.8/32 was associated with only 2 Internet Services with FortiOS 6.0.11.

5) Getting the Internet service matching a specific tuple (protocol – port – IP address).
FGT # diagnose internet-service info root 6 53 8.8.8.8
Internet Service: 65539(Google-DNS)
Note: When a protocol and a port are added to the '8.8.8.8' IP address, the resulting tuple matches the same Internet Service as with FortiOS 6.0.11, i.e. 'Google-DNS'.
When several Internet Services match a tuple, the Internet Service with the highest singularity is selected.
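As an added illustration (not FortiOS code and not part of the original article), the following Python models the two lookups of steps 4 and 5: it parses entries in the FortiOS 6.2 'diagnose internet-service id' line format into a small constructed database, lists every Internet Service an IP address belongs to sorted by singularity, and resolves a (protocol, port, IP) tuple to the single service with the highest singularity. The Internet Service IDs and names and the Google-DNS singularity of 6 are taken from the article; the IP ranges, the other singularity values and the overlapping 6/53 entry under Google-Other are assumptions made for the example.

```python
import ipaddress
import re

# Entry line format of 'diagnose internet-service id <ID>' on FortiOS 6.2 (from the article).
LINE_RE = re.compile(r"^([\d.]+)-([\d.]+) geo_id\(\d+\) black list\(0x[0-9a-fA-F]+\) "
                     r"proto\((\d+)\) port\((\d+)\)$")
# Constructed miniature database: (ID, name, singularity) -> raw CLI lines. IDs, names and
# the Google-DNS singularity (6) are the article's; the IP ranges, other singularity values
# and the overlapping 6/53 entry under Google-Other are assumptions for this illustration.
SAMPLE_ISDB = {
    (65539, "Google-DNS", 6): "8.8.8.0-8.8.8.255 geo_id(19585) black list(0x0) proto(6) port(53)\n"
                              "8.8.8.0-8.8.8.255 geo_id(19585) black list(0x0) proto(17) port(53)\n",
    (65537, "Google-Web", 5): "8.8.8.0-8.8.8.255 geo_id(19585) black list(0x0) proto(6) port(80)\n"
                              "8.8.8.0-8.8.8.255 geo_id(19585) black list(0x0) proto(6) port(443)\n",
    (65536, "Google-Other", 1): "8.8.8.0-8.8.8.255 geo_id(19585) black list(0x0) proto(6) port(53)\n"
                                "8.8.8.0-8.8.8.255 geo_id(19585) black list(0x0) proto(6) port(25)\n",
}

def parse_entries(raw):
    """Parse CLI entry lines into (first_ip, last_ip, proto, port) tuples of ints."""
    entries = []
    for line in raw.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised ISDB line: {line!r}")
        first, last = (int(ipaddress.IPv4Address(a)) for a in m.group(1, 2))
        entries.append((first, last, int(m.group(3)), int(m.group(4))))
    return entries

DB = [(sid, name, sing, parse_entries(raw)) for (sid, name, sing), raw in SAMPLE_ISDB.items()]

def match_ip(db, ip):
    """Like 'diagnose internet-service match': every service with a range containing ip,
    with its number of matching entries, sorted from highest to lowest singularity."""
    addr = int(ipaddress.IPv4Address(ip))
    hits = sorted(((sing, sid, name, sum(1 for f, l, _, _ in e if f <= addr <= l))
                   for sid, name, sing, e in db), reverse=True)
    return [(sid, name, n) for _, sid, name, n in hits if n]

def info_tuple(db, proto, port, ip):
    """Like 'diagnose internet-service info': the single service for a (proto, port, ip)
    tuple; when several services match, the one with the highest singularity is selected."""
    addr = int(ipaddress.IPv4Address(ip))
    best = None
    for sid, name, sing, entries in db:
        if any(f <= addr <= l and p == proto and pt == port for f, l, p, pt in entries):
            if best is None or sing > best[0]:
                best = (sing, sid, name)
    return None if best is None else (best[1], best[2])
```

With this model, match_ip(DB, "8.8.8.8") lists all three services while info_tuple(DB, 6, 53, "8.8.8.8") returns only Google-DNS, mirroring the behaviour shown in steps 4 and 5.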

In conclusion, despite the significant increase in the number of entries / IP ranges globally associated with Internet Services, the Internet Service finally associated with a specific tuple is identical between pre- and post-FortiOS 6.2 versions.

