FortiGate
simonz_FTNT
Staff & Editor
Article Id 191863

Description

This article describes how to restrict the service ports or the GEO location of a specific ISDB (Internet Service Database) object. Once an ISDB object is selected in a firewall policy, the policy offers no option to specify a service port or a GEO location; these are controlled within the ISDB object itself.

Scope

FortiGate.

Solution


Customize based on service ports

Changes can only be made from the CLI as below. This guide uses Microsoft Azure as an example.

  1. Find the ID of the ISDB object:

diagnose internet-service id-summary | grep Azure

id: 327786 name: "Microsoft-Azure"

  2. View the ports currently configured:

diagnose internet-service id 327786

223.223.168.88-223.223.168.88 geo_id(25500) black list(0x0) proto(6) port(1-65535)
223.223.168.88-223.223.168.88 geo_id(25500) black list(0x0) proto(17) port(1-65535)
223.223.168.91-223.223.168.91 geo_id(25500) black list(0x0) proto(6) port(1-65535)
223.223.168.91-223.223.168.91 geo_id(25500) black list(0x0) proto(17) port(1-65535)

  3. Define the required ports (the example below limits TCP to 443 and 80):

config firewall internet-service-addition
    edit 327786
        set comment ''
        config entry
            edit 1
                set protocol 6          <----- Protocol type (6 = TCP, 17 = UDP).
                config port-range
                    edit 1
                        set start-port 443
                        set end-port 443
                    next
                    edit 2
                        set start-port 80
                        set end-port 80
                    next
                end
            next
        end
    next
end

  4. Restart the 'internet-service' service to make the changes take effect:

execute internet-service refresh

Note:

Starting from FortiOS v7.2.4, the command above has been updated to:

execute internet-service4 refresh

execute internet-service6 refresh

Example output: (screenshot of the refresh command output, not reproduced here)

It takes a while to reload, and it is expected that the console will freeze for a moment. Below is the output after the changes:

 

223.223.168.88-223.223.168.88 country(116) region(1450) city(18489) blacklist(0x0) reputation(4), domain(5) popularity(152) botnet(0) proto(6) port(80 443)
223.223.168.88-223.223.168.88 country(116) region(1450) city(18489) blacklist(0x0) reputation(4), domain(5) popularity(152) botnet(0) proto(17) port(1-65535)
223.223.168.91-223.223.168.91 country(116) region(1450) city(18489) blacklist(0x0) reputation(4), domain(5) popularity(152) botnet(0) proto(6) port(80 443)
223.223.168.91-223.223.168.91 country(116) region(1450) city(18489) blacklist(0x0) reputation(4), domain(5) popularity(152) botnet(0) proto(17) port(1-65535)
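As an added verification check (not part of the original article or any Fortinet tool), the following Python script parses `diagnose internet-service id` output in either of the formats shown above and reports which (IP range, protocol) entries still accept ports outside an allowed set. The sample lines are constructed from the output above; run against them, it confirms the TCP entries are now limited to 80 and 443 and flags the UDP entries, which stay open on 1-65535 because the addition only defined protocol 6.

```python
import re
from typing import List, Set, Tuple

# Constructed samples in the formats printed by `diagnose internet-service id <id>`
# on this page: one (IP range, protocol) entry per line, before and after the change.
BEFORE = """\
223.223.168.88-223.223.168.88 geo_id(25500) black list(0x0) proto(6) port(1-65535)
223.223.168.88-223.223.168.88 geo_id(25500) black list(0x0) proto(17) port(1-65535)
"""
AFTER = """\
223.223.168.88-223.223.168.88 country(116) region(1450) city(18489) blacklist(0x0) reputation(4), domain(5) popularity(152) botnet(0) proto(6) port(80 443)
223.223.168.88-223.223.168.88 country(116) region(1450) city(18489) blacklist(0x0) reputation(4), domain(5) popularity(152) botnet(0) proto(17) port(1-65535)
223.223.168.91-223.223.168.91 country(116) region(1450) city(18489) blacklist(0x0) reputation(4), domain(5) popularity(152) botnet(0) proto(6) port(80 443)
223.223.168.91-223.223.168.91 country(116) region(1450) city(18489) blacklist(0x0) reputation(4), domain(5) popularity(152) botnet(0) proto(17) port(1-65535)
"""

# Leading IP range, then the proto(...) and port(...) fields; the geo/reputation
# fields in between differ across FortiOS versions, so they are skipped lazily.
ENTRY_RE = re.compile(r"^(\S+)\s.*?proto\((\d+)\)\s+port\(([^)]*)\)")

def parse_ports(spec: str) -> Set[int]:
    """Expand the contents of port(...): space-separated ports and/or lo-hi ranges."""
    ports: Set[int] = set()
    for tok in spec.split():
        if "-" in tok:
            lo, hi = (int(x) for x in tok.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(tok))
    return ports

def parse_entries(text: str) -> List[Tuple[str, int, Set[int]]]:
    """Return (ip_range, protocol, ports) for every entry line in the diagnose output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), int(m.group(2)), parse_ports(m.group(3))))
    return entries

def unrestricted_entries(text: str, proto: int, allowed: Set[int]) -> List[str]:
    """IP ranges whose entries for `proto` still accept ports outside `allowed`."""
    return [rng for rng, p, ports in parse_entries(text)
            if p == proto and not ports <= allowed]

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "TCP open beyond 80/443:", unrestricted_entries(text, 6, {80, 443}))
        print(label, "UDP open beyond 80/443:", unrestricted_entries(text, 17, {80, 443}))
```

If UDP should be restricted as well, add a second entry with `set protocol 17` under the same `internet-service-addition` object, then refresh and re-run the check.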


Customize based on GEO location

The Internet Service Database can also be filtered by country and region. Changes can only be made from the CLI as below. This guide uses Microsoft Azure, whose IP is from the city of Arizona, California, US, as an example.


config firewall internet-service-name
    edit "Azure-US"
        set type location
        set internet-service-id 327786
        set country-id 840 <----- Use '?' to list the country IDs.
        set region-id 283 <----- Use '?' to list the region IDs.
        set city-id 111 <----- Use '?' to list the city IDs.
    next
end


Related article:

Technical Tip: Internet Service Customization