odahy
Staff
Article Id 323111
Description

This article describes an issue some users might face where traffic is denied even though it is allowed by a firewall policy that has an ISDB object.

Scope

FortiGate.
Solution

Some ISDB objects share the same IP/Port/Protocol. As an example, Microsoft services include Office 365, Outlook, Mail, Azure, etc.


diag internet-service info root tcp 25 52.101.68.10
Internet Service: 327880(Microsoft-Office365.Published) country(372 Ireland) region(444 (null)) city(6325 Dublin)
Internet Service: 327903(Microsoft-Office365.Published.Allow) country(372 Ireland) region(444 (null)) city(6325 Dublin)
Internet Service: 327791(Microsoft-Outlook) country(372 Ireland) region(444 (null)) city(6325 Dublin)
Internet Service: 327786(Microsoft-Azure) country(372 Ireland) region(444 (null)) city(6325 Dublin)

As multiple ISDB objects can share the same IP/Port/Protocol, the FortiGate will support up to 4 ISDB objects with the same service.

The priority of the ISDB objects depends on their usage in the firewall policies, so the first 4 used ISDB objects that share the same service should be prioritized according to the environment for the traffic to hit the correct policy.
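
When troubleshooting this, the lookup output can be compared against the ISDB objects referenced in the firewall policies. The script below is an added example, not part of the original article or of FortiOS; it assumes the lines printed by the diag command are the ISDB objects the FortiGate associates with that IP/port/protocol, and the function names and the placeholder object name are hypothetical.

```python
import re

# Constructed sample: the lookup output shown in the article above.
SAMPLE = """\
Internet Service: 327880(Microsoft-Office365.Published) country(372 Ireland) region(444 (null)) city(6325 Dublin)
Internet Service: 327903(Microsoft-Office365.Published.Allow) country(372 Ireland) region(444 (null)) city(6325 Dublin)
Internet Service: 327791(Microsoft-Outlook) country(372 Ireland) region(444 (null)) city(6325 Dublin)
Internet Service: 327786(Microsoft-Azure) country(372 Ireland) region(444 (null)) city(6325 Dublin)
"""

ISDB_LIMIT = 4  # per the article: up to 4 ISDB objects with the same service
LINE_RE = re.compile(r"^Internet Service:\s+(\d+)\(([^)]+)\)")


def parse_isdb_lookup(text):
    """Return [(id, name), ...] in the order the lines were printed."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def check_policy_objects(text, policy_objects):
    """Compare ISDB names used in firewall policies with the lookup result."""
    resolved = [name for _, name in parse_isdb_lookup(text)]
    return {
        "resolved": resolved,
        # Policy objects the lookup returned for this IP/port/protocol.
        "matched": [n for n in policy_objects if n in resolved],
        # Policy objects missing from the lookup: candidates for the
        # unexpected deny described in the article.
        "not_resolved": [n for n in policy_objects if n not in resolved],
        # True when the list is already at the 4-object limit.
        "at_limit": len(resolved) >= ISDB_LIMIT,
    }


if __name__ == "__main__":
    # Hypothetical policy references; the second name is a placeholder.
    used = ["Microsoft-Outlook", "Example-Service-Not-Listed"]
    for key, value in check_policy_objects(SAMPLE, used).items():
        print(f"{key}: {value}")
```
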
