FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
simonz_FTNT
Staff
Staff
Description
This article describes how to restrict service ports for certain ISDB object, in firewall policy there is no option to specify service port once select ISDB object and the service port is controlled within ISDB object.

Solution
Change can be made from CLI as below, in this guide we use Microsoft Azure as an example.

1) Find the ID for the ISDB object.
# diagnose internet-service id-summary | grep Azure
id: 327786 name: "Microsoft-Azure"
2) To view current ports configured.
# diagnose internet-service id 327786

223.223.168.88-223.223.168.88 geo_id(25500) black list(0x0) proto(6) port(1-65535)
223.223.168.88-223.223.168.88 geo_id(25500) black list(0x0) proto(17) port(1-65535)
223.223.168.91-223.223.168.91 geo_id(25500) black list(0x0) proto(6) port(1-65535)
223.223.168.91-223.223.168.91 geo_id(25500) black list(0x0) proto(17) port(1-65535)
3) Define the require port.
# config firewall internet-service-addition
    edit 327786
        set comment ''
        # config entry
            edit 1
                set protocol 6          <----- Protocol type (6 = TCP , 17 = UDP).
                # config port-range
                    edit 1
                        set start-port 443
                        set end-port 443
                    next
                    edit 2
                        set start-port 80
                        set end-port 80
                    next
                end
           next
        end
    next
end

4) Restart internet-service service in order to take effective.
# execute internet-service refresh
It takes a while to reload and is expected to see the console freeze a moment.

Below is output after the changes:
223.223.168.88-223.223.168.88 country(116) region(1450) city(18489) blacklist(0x0) reputation(4), domain(5) popularity(152) botnet(0) proto(6) port(80 443)
223.223.168.88-223.223.168.88 country(116) region(1450) city(18489) blacklist(0x0) reputation(4), domain(5) popularity(152) botnet(0) proto(17) port(1-65535)
223.223.168.91-223.223.168.91 country(116) region(1450) city(18489) blacklist(0x0) reputation(4), domain(5) popularity(152) botnet(0) proto(6) port(80 443)
223.223.168.91-223.223.168.91 country(116) region(1450) city(18489) blacklist(0x0) reputation(4), domain(5) popularity(152) botnet(0) proto(17) port(1-65535)

Contributors