Description
When configured custom internet services overlap, or one object is a subset of another, as in the following example:
# config firewall internet-service-custom
    edit "custom-1"
        set reputation 3
        set comment ''
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 80
                        set end-port 80
                    next
                end
                set dst "web-server"
            next
        end
    next
    edit "custom-2"
        set reputation 3
        set comment ''
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 80
                        set end-port 80
                    next
                end
                set dst "web-server"
            next
        end
    next
end
Using these objects in a firewall policy results in unexpected behavior: when one of the objects is referenced in the policy, traffic matches the policy, but when the other object is used instead, the policy is not matched.
Solution
This behavior is expected.
A given 3T (destination IP address, protocol, port) must resolve to exactly one custom internet service object; when two objects claim the same 3T, only one of them can be selected for the traffic.
Overlap between custom internet service objects should therefore be avoided.
Alternatively, a traditional service object plus address object configuration can be used in the policy instead of custom internet services.
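As an added example (not part of the article and not a Fortinet tool), the following Python check models each custom internet-service object as the set of 3T tuples (dst, protocol, port) it matches and reports every pair of objects that collide, distinguishing identical definitions, one object being a subset of another, and partial overlap. The object names and entries are constructed: custom-1 and custom-2 mirror the two objects in the article, custom-3 and custom-4 are added to show the subset and partial-overlap cases.

```python
from itertools import combinations

# Constructed sample data. Each object is a list of entries; an entry has an
# IP protocol number, a list of inclusive port ranges and a set of dst names.
CUSTOM_SERVICES = {
    "custom-1": [{"protocol": 6, "ports": [(80, 80)], "dst": {"web-server"}}],
    "custom-2": [{"protocol": 6, "ports": [(80, 80)], "dst": {"web-server"}}],
    "custom-3": [{"protocol": 6, "ports": [(80, 443)], "dst": {"web-server"}}],
    "custom-4": [{"protocol": 6, "ports": [(443, 8443)], "dst": {"web-server"}}],
}


def triples(entries):
    """Expand an object's entries into the set of (dst, protocol, port) it matches."""
    result = set()
    for entry in entries:
        for dst in entry["dst"]:
            for start, end in entry["ports"]:
                for port in range(start, end + 1):
                    result.add((dst, entry["protocol"], port))
    return result


def find_conflicts(services):
    """Return (obj_a, obj_b, kind, shared_3t_count) for every colliding pair.

    kind is one of: identical, a-subset-of-b, b-subset-of-a, partial.
    Only pairs that share at least one 3T are reported.
    """
    tsets = {name: triples(entries) for name, entries in services.items()}
    conflicts = []
    for a, b in combinations(sorted(services), 2):
        common = tsets[a] & tsets[b]
        if not common:
            continue
        if tsets[a] == tsets[b]:
            kind = "identical"
        elif tsets[a] <= tsets[b]:
            kind = "a-subset-of-b"
        elif tsets[b] <= tsets[a]:
            kind = "b-subset-of-a"
        else:
            kind = "partial"
        conflicts.append((a, b, kind, len(common)))
    return conflicts


if __name__ == "__main__":
    for a, b, kind, count in find_conflicts(CUSTOM_SERVICES):
        print(f"{a} vs {b}: {kind} ({count} shared 3T)")
```

Any line printed by the check is a pair the article says to avoid; resolve it by merging or disjoining the objects, or by switching the policy to a service plus address configuration.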
Copyright 2024 Fortinet, Inc. All Rights Reserved.