simonz_FTNT
Staff
Article Id 191863
Description
This article describes how to restrict the service ports of a specific ISDB object. In a firewall policy there is no option to specify a service port once an ISDB object is selected; the allowed ports are controlled within the ISDB object itself.

Solution
The change is made from the CLI as shown below; this guide uses Microsoft Azure as an example.

1) Find the ID for the ISDB object.
# diagnose internet-service id-summary | grep Azure
id: 327786 name: "Microsoft-Azure"
2) View the currently configured ports.
# diagnose internet-service id 327786

223.223.168.88-223.223.168.88 geo_id(25500) black list(0x0) proto(6) port(1-65535)
223.223.168.88-223.223.168.88 geo_id(25500) black list(0x0) proto(17) port(1-65535)
223.223.168.91-223.223.168.91 geo_id(25500) black list(0x0) proto(6) port(1-65535)
223.223.168.91-223.223.168.91 geo_id(25500) black list(0x0) proto(17) port(1-65535)
3) Define the required ports.
# config firewall internet-service-addition
    edit 327786
        set comment ''
        # config entry
            edit 1
                set protocol 6          <----- Protocol type (6 = TCP , 17 = UDP).
                # config port-range
                    edit 1
                        set start-port 443
                        set end-port 443
                    next
                    edit 2
                        set start-port 80
                        set end-port 80
                    next
                end
            next
        end
    next
end

4) Refresh the internet-service database so that the change takes effect.
# execute internet-service refresh
The reload takes a while, and it is expected that the console freezes for a moment.

Below is the output after the changes. Only protocol 6 (TCP) was restricted in the addition above, so the TCP entries now show port(80 443) while the UDP (proto 17) entries keep the full port range:
223.223.168.88-223.223.168.88 country(116) region(1450) city(18489) blacklist(0x0) reputation(4), domain(5) popularity(152) botnet(0) proto(6) port(80 443)
223.223.168.88-223.223.168.88 country(116) region(1450) city(18489) blacklist(0x0) reputation(4), domain(5) popularity(152) botnet(0) proto(17) port(1-65535)
223.223.168.91-223.223.168.91 country(116) region(1450) city(18489) blacklist(0x0) reputation(4), domain(5) popularity(152) botnet(0) proto(6) port(80 443)
223.223.168.91-223.223.168.91 country(116) region(1450) city(18489) blacklist(0x0) reputation(4), domain(5) popularity(152) botnet(0) proto(17) port(1-65535)
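To confirm that the addition took effect on every address range of the object, here is an added Python helper (not part of the article or of Fortinet's tooling) that parses both `diagnose internet-service id` output formats shown above and reports entries that still allow ports outside the intended set. The sample lines are constructed from the article's output.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample lines in the shape of `diagnose internet-service id <id>` output,
# one set before the addition (older format) and one after (newer format).
BEFORE = """\
223.223.168.88-223.223.168.88 geo_id(25500) black list(0x0) proto(6) port(1-65535)
223.223.168.88-223.223.168.88 geo_id(25500) black list(0x0) proto(17) port(1-65535)
"""
AFTER = """\
223.223.168.88-223.223.168.88 country(116) region(1450) city(18489) blacklist(0x0) reputation(4), domain(5) popularity(152) botnet(0) proto(6) port(80 443)
223.223.168.88-223.223.168.88 country(116) region(1450) city(18489) blacklist(0x0) reputation(4), domain(5) popularity(152) botnet(0) proto(17) port(1-65535)
"""

# Both formats start with "<start>-<end>" and end with "proto(N) port(...)"; the
# attributes in between differ by FortiOS version, so they are skipped lazily.
LINE_RE = re.compile(r"^(\S+)-(\S+)\s.*?proto\((\d+)\)\s+port\(([^)]*)\)")


def parse_ports(spec: str) -> Set[int]:
    """Expand the contents of port(...): '1-65535' -> full range, '80 443' -> {80, 443}."""
    ports: Set[int] = set()
    for tok in spec.split():
        lo, _, hi = tok.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_entries(text: str) -> Dict[Tuple[str, str, int], Set[int]]:
    """Map (start_ip, end_ip, proto) -> allowed port set; unparseable lines are skipped."""
    entries: Dict[Tuple[str, str, int], Set[int]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries[(m.group(1), m.group(2), int(m.group(3)))] = parse_ports(m.group(4))
    return entries


def check_restriction(text: str, proto: int, allowed: Set[int]) -> List[str]:
    """Return the address ranges whose entries for `proto` still permit ports outside `allowed`."""
    return sorted(f"{s}-{e}" for (s, e, p), ports in parse_entries(text).items()
                  if p == proto and not ports <= allowed)


if __name__ == "__main__":
    print("TCP ranges not yet restricted:", check_restriction(AFTER, 6, {80, 443}))
    print("UDP ranges not yet restricted:", check_restriction(AFTER, 17, {80, 443}))
```

Running it against the article's "after" output lists no TCP ranges but still lists the UDP range, matching the observation that only protocol 6 was restricted.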
