Description
Starting from V6.2, the system identifies the application ID by looking up the first IP 3-tuple in the ISDB and application CTRL cache, and then matches the ID in the rule list one by one from the top to the bottom.
This improves performance because it searches the database and cache one time only.
Solution
For example, the two IP addresses below both belong to the same ISDB category 327880 (Microsoft-Office365.Published) (ISDB version 7.01406).
However, IP address 52.113.195.132 is also identified as 'Microsoft.Teams' (application ID 43541) in the application control list cache.
In this case, the matching result is as follows:
40.126.52.150 (follows rule "30")
52.113.195.132 (follows rule "32")
# diagnose internet-service info root 6 443 40.126.52.150
Internet Service: 327880(Microsoft-Office365.Published)
# diagnose internet-service info root 6 443 52.113.195.132
Internet Service: 327880(Microsoft-Office365.Published)
# diagnose sys virtual-wan-link internet-service-app-ctrl-list
…
Microsoft.Teams(43541 4294837321): 52.113.195.132 6 443 Mon Mar 22 09:04:19 2021
# config system virtual-wan-link
...
    # config service
        edit 30
            set name "SSLVPN-Test-1"
            set src "SSLVPN_TUNNEL_ADDR1"
            set internet-service enable
            set internet-service-id 327880
            set priority-members 2
        next
        edit 31
            set name "SSLVPN-Test-2"
            set src "SSLVPN_TUNNEL_ADDR1"
            set internet-service enable
            set internet-service-id 327880
            set priority-members 1
        next
        edit 32
            set name "SSLVPN-Test-3"
            set dst "all"
            set src "SSLVPN_TUNNEL_ADDR1"
            set priority-members 1
        next
        ...
        edit 11
            set name "teamsBackupToInternet"
            set src "all"
            set internet-service enable
            set internet-service-id 327781
            set internet-service-app-ctrl 43541 48977 48976 47822
            set priority-members 1
        next
        ...
    end
The logic behind the above matching result is as follows:
40.126.52.150 is identified as ISDB category Microsoft_Office365 (ISDB ID 327880).
The system searches the rules with ISDB configured one by one from top to bottom and finds the first match to be rule 30.
52.113.195.132 is identified as application Microsoft Teams (application ID 43541) because it is present in the internet-service-app-ctrl-list cache, so it is not matched against the ISDB rules 30 and 31 even though the ISDB also lists it under 327880.
The system then searches the rules with application control configured, or rules without ISDB, one by one from top to bottom and finds the first match to be rule 32.
This is because rule 32 is the first rule without ISDB and its dst 'all' matches the address.
To force an IP address to be classified in an ISDB category instead, an internet-service-extension entry such as the one below can be configured to group the IP 52.113.195.132 under ISDB ID 327880 (Microsoft_Office365).
# config firewall internet-service-extension
    edit 327880
        set comment ''
        # config entry
            edit 1
                set protocol 6
                # config port-range
                    edit 1
                        set start-port 443
                        set end-port 443
                    next
                end
                set dst "dst_52.113.195.132"
            next
        end
    next
end
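The matching order described above, written out as a small model (an added example, not FortiOS code): the flow is classified once, with an internet-service-extension entry taking precedence over the app-ctrl cache, which in turn takes precedence over the ISDB, and the rule list is then walked top to bottom. The ISDB, cache and extension tables are constructed from the article's two addresses; rules with neither ISDB nor app-ctrl criteria (like rule 32 with dst "all") are assumed to match any flow, and src/dst address objects are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    rule_id: int                      # "edit <n>" under config service
    isdb_id: Optional[int] = None     # set internet-service-id
    app_ids: frozenset = frozenset()  # set internet-service-app-ctrl
    # Address objects are not modelled: a rule with no service criteria
    # is treated like rule 32's dst "all" and matches any flow (assumption).

# Constructed stand-ins for the ISDB and the app-ctrl cache, holding only
# the two addresses from the article (tcp/443 lookups).
ISDB = {"40.126.52.150": 327880, "52.113.195.132": 327880}
APP_CTRL_CACHE = {("52.113.195.132", 6, 443): 43541}

def classify(dst_ip, proto, port, extension):
    """One lookup per flow. Returns ("isdb", id), ("app", id) or (None, None)."""
    key = (dst_ip, proto, port)
    if key in extension:            # internet-service-extension forces the ISDB id
        return "isdb", extension[key]
    if key in APP_CTRL_CACHE:       # app-ctrl cache hit beats the ISDB category
        return "app", APP_CTRL_CACHE[key]
    if dst_ip in ISDB:
        return "isdb", ISDB[dst_ip]
    return None, None

def select_rule(rules, dst_ip, proto=6, port=443, extension=None):
    """Walk the rules top to bottom; return the first matching rule id."""
    kind, ident = classify(dst_ip, proto, port, extension or {})
    for r in rules:
        if r.isdb_id is None and not r.app_ids:   # no service criteria: dst "all"
            return r.rule_id
        if kind == "isdb" and r.isdb_id == ident:
            return r.rule_id
        if kind == "app" and ident in r.app_ids:
            return r.rule_id
    return None

# Rule order as listed in the article's config service: 30, 31, 32, ..., 11.
RULES = (
    Rule(30, isdb_id=327880),
    Rule(31, isdb_id=327880),
    Rule(32),
    Rule(11, isdb_id=327781, app_ids=frozenset({43541, 48977, 48976, 47822})),
)
# The article's extension entry: tcp/443 to 52.113.195.132 grouped under 327880.
EXTENSION = {("52.113.195.132", 6, 443): 327880}

if __name__ == "__main__":
    print(select_rule(RULES, "40.126.52.150"))                        # 30
    print(select_rule(RULES, "52.113.195.132"))                       # 32
    print(select_rule(RULES, "52.113.195.132", extension=EXTENSION))  # 30
```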
Copyright 2024 Fortinet, Inc. All Rights Reserved.