FortiGate
jangelis
Staff
Article Id 191377

Description
When configured custom internet-service objects overlap, or one object is a subset of another, as in the following example:

# config firewall internet-service-custom
    edit "custom-1"
        set reputation 3
        set comment ''
        # config entry
            edit 1
                set protocol 6
                # config port-range
                    edit 1
                        set start-port 80
                        set end-port 80
                    next
                end
                set dst "web-server"
            next
        end
    next
    edit "custom-2"
        set reputation 3
        set comment ''
        # config entry
            edit 1
                set protocol 6
                # config port-range
                    edit 1
                        set start-port 80
                        set end-port 80
                    next
                end
                set dst "web-server"
            next
        end
    next
end

Using these objects in policies results in unexpected behavior: when one of the objects is used, the policy is matched, but when the other object is used in a policy, that policy is not matched.

Solution
This behavior is expected.
The 3T tuple (IP address, protocol, port) must map to exactly one internet service object, so traffic covered by two overlapping objects can only be attributed to one of them.

Overlap between custom internet service objects should therefore be avoided.
Alternatively, a traditional service + address configuration can be used in the policy.
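As an added example (not part of the Fortinet article), a small Python check that walks a simplified `config firewall internet-service-custom` block and reports object pairs whose (dst, protocol, port-range) tuples intersect, i.e. 3T tuples that could not be attributed to a single object. The parser, the `_obj` helper and the sample config are assumptions constructed here; the parser only understands the `set protocol`, `set dst` and port-range lines shown above.

```python
import re
from itertools import combinations

# Constructed sample (not from the article): three custom internet-service objects.
# custom-1 and custom-2 both cover (web-server, TCP, port 80); custom-3 does not.
def _obj(name, dst, proto, start, end):
    return (f'    edit "{name}"\n        config entry\n            edit 1\n'
            f'                set protocol {proto}\n                config port-range\n'
            f'                    edit 1\n                        set start-port {start}\n'
            f'                        set end-port {end}\n                    next\n'
            f'                end\n                set dst "{dst}"\n            next\n'
            f'        end\n    next')

SAMPLE = ("config firewall internet-service-custom\n"
          + "\n".join([_obj("custom-1", "web-server", 6, 80, 80),
                       _obj("custom-2", "web-server", 6, 80, 443),
                       _obj("custom-3", "web-server", 17, 53, 53)]) + "\nend")

def parse_custom_services(text):
    """Simplified FortiOS CLI walk: {object: [(dst, protocol, start, end), ...]}."""
    services, depth, name, proto, dst, start, ports = {}, 0, None, None, None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "): depth += 1      # entering a nested table
        elif line == "end": depth -= 1                 # leaving it
        elif depth == 1 and (m := re.match(r'edit "(.+)"$', line)):
            name = m.group(1); services[name] = []     # new custom object
        elif line.startswith("set protocol "):
            proto = int(line.split()[-1])
        elif line.startswith("set dst "):
            dst = line.split(None, 2)[2].strip('"')
        elif line.startswith("set start-port "):
            start = int(line.split()[-1])
        elif line.startswith("set end-port "):
            ports.append((start, int(line.split()[-1])))
        elif line == "next" and depth == 2:            # closes one 'config entry' item
            services[name] += [(dst, proto, s, e) for s, e in ports]
            proto, dst, ports = None, None, []
    return services

def find_overlaps(services):
    """Pairs whose (dst, protocol, port range) intersect; returns the shared range."""
    hits = []
    for (a, ea), (b, eb) in combinations(services.items(), 2):
        for da, pa, sa, xa in ea:
            for db, pb, sb, xb in eb:
                if da == db and pa == pb and sa <= xb and sb <= xa:
                    hits.append((a, b, da, pa, max(sa, sb), min(xa, xb)))
    return hits
```

Run `find_overlaps(parse_custom_services(SAMPLE))` against a config backup before enabling the objects in a policy; any reported pair is a candidate for merging or for the service + address alternative.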

Related Articles

Technical Tip: Using custom internet service in policy
