FortiGate
jangelis
Staff
Article Id 192471

Description


This article describes a change in ISDB behavior in FortiOS 6.2: an IP address can be part of several Internet Service (ISDB) objects.
The following policy should allow traffic to the Microsoft Outlook service based on the ISDB object 'Microsoft-Outlook':

# config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-id 327791        <----- Microsoft-Outlook
        set action accept
        set schedule "always"
        set fsso disable
        set nat enable
    next
end

Checking that one particular IP address is part of the ISDB object:

FGT # diagnose internet-service match root 40.101.76.130 255.255.255.255
Internet Service: 327880(Microsoft-Office365.Published), matched num: 12
Internet Service: 327791(Microsoft-Outlook), matched num: 1
...

But the traffic is not allowed by the policy that references Microsoft-Outlook (327791):

trace_id=1 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=6, 192.168.0.100:50806->40.101.76.130:443) from internal. flag [S], seq 590061547, ack 0, win 8192"
id=20085 trace_id=1 func=init_ip_session_common line=5625 msg="allocate a new session-00002df1"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-92.0.2.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=636 msg="Denied by forward policy check (policy 0)"

This article explains how to allow the traffic.

Solution


From FortiOS version 6.2, an IP address might be part of different ISDB objects.

The traffic is matched based on the 3-tuple (protocol, port, IP).

This also introduces the “singularity” value: a weight assigned to each ISDB object, so that when a 3-tuple belongs to several objects, the object with the highest singularity is the one matched.

The ISDB object that will be matched can be checked with the following command:

FGT # diagnose internet-service info root 6 443 40.101.76.130
Internet Service: 327880(Microsoft-Office365.Published)

This ISDB service is matched because it has the highest singularity value.

To allow the traffic, Microsoft-Office365.Published (327880) must be added to the policy:

# config firewall policy
    edit 1
        set name "1"
        set uuid 00e09d82-1459-51ea-05bb-b37390d7241b
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-id 327880 327791
        set action accept
        set schedule "always"
        set fsso disable
        set nat enable
    next
end

The debug flow now shows that the correct policy is matched:

id=20085 trace_id=10 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=6, 192.168.0.100:50887->40.101.76.130:443) from internal. flag [S], seq 427857638, ack 0, win 8192"
id=20085 trace_id=10 func=init_ip_session_common line=5625 msg="allocate a new session-000037fe"
id=20085 trace_id=10 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-92.0.2.1 via wan1"
id=20085 trace_id=10 func=fw_forward_handler line=783 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=10 func=__ip_session_run_tuple line=3241 msg="SNAT 192.168.0.100->92.0.2.2:50887"

In newer FortiOS or ISDB versions, the IP address might be part of different/multiple ISDB objects, and 'set internet-service-id' is no longer configurable in firewall policies; the new option 'internet-service-name' is used instead, for example: set internet-service-name "Dropbox-DNS" "Dropbox-Web". But the same ISDB IP is sometimes also part of other services. For example, IP 216.137.44.64 is part of multiple ISDB services. In this case it is necessary either to add all internet services containing the related IP to the policy, or to add only the service name with the highest weight (singularity), because from FortiOS 6.2 one 3-tuple is allowed in multiple ISDB objects and each object is assigned a weight so that FortiOS can choose between them. To find the singularity of a service, use the following commands:

# diagnose internet-service info root 6 443 216.137.44.64
Internet Service: 7405697(Lifesize-Lifesize.Cloud) country(826 United Kingdom) region(529 England) city(13685 London)
Internet Service: 720897(Dropbox-Web) country(826 United Kingdom) region(529 England) city(13685 London)
Internet Service: 393320(Amazon-AWS) country(826 United Kingdom) region(529 England) city(13685 London)
Internet Service: 393217(Amazon-Web) country(826 United Kingdom) region(529 England) city(13685 London)

From the above command output, 216.137.44.64 is part of 4 different services, so it is now necessary to check the singularity of each service using the command:

FGT# config firewall internet-service 7405697

FGT (7405697) # get
id : 7405697
name : Lifesize-Lifesize.Cloud
icon-id : 113
direction : dst
database : isdb
ip-range-number : 3481
extra-ip-range-number: 3481
ip-number : 3940
singularity : 15
obsolete : 0

In the same way, it is possible to find the singularity of each service. Once the singularities are known, check the firewall policy: if the policy contains the service name with the highest singularity, the traffic will match; if the policy contains only a service name with a lower singularity, the traffic will not match.

So, for example, if the service 'Dropbox-Web' has been added to a policy, the traffic is not working, and the logs show destination IP 216.137.44.64, it is necessary to find the service with the highest singularity and add/append it to the firewall policy:

# config firewall policy
    edit 1
        set name "test"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Dropbox-DNS" "Dropbox-Other" "Dropbox-Web" "Lifesize-Lifesize.Cloud"
        set action accept
        set schedule "always"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
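The matching rule behind both cases above (Microsoft-Outlook versus Microsoft-Office365.Published, and Dropbox-Web versus Lifesize-Lifesize.Cloud) can be modelled in a few lines. The following Python is an added illustration, not Fortinet code: it mimics 'diagnose internet-service match', 'diagnose internet-service info' and the policy lookup over a small constructed ISDB table. The service ids and names are those shown in the article; the prefixes, ports and every singularity value except the 15 shown for Lifesize-Lifesize.Cloud are assumptions made for the example.

```python
# Added illustration of the FortiOS 6.2+ ISDB matching rule described in this
# article. Not Fortinet code: it models 'diagnose internet-service match',
# 'diagnose internet-service info' and the policy lookup in plain Python.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Union


@dataclass(frozen=True)
class IsdbEntry:
    service_id: int
    name: str
    proto: int        # IP protocol number (6 = TCP)
    port: int
    prefix: str       # CIDR prefix the entry covers (constructed)
    singularity: int  # weight: the highest wins when several entries cover a 3-tuple


# Constructed ISDB sample. Ids and names come from the article; the prefixes and
# (except Lifesize-Lifesize.Cloud = 15) the singularity values are assumptions.
ISDB = [
    IsdbEntry(327880, "Microsoft-Office365.Published", 6, 443, "40.101.76.0/24", 40),
    IsdbEntry(327791, "Microsoft-Outlook", 6, 443, "40.101.76.130/32", 30),
    IsdbEntry(7405697, "Lifesize-Lifesize.Cloud", 6, 443, "216.137.44.0/24", 15),
    IsdbEntry(720897, "Dropbox-Web", 6, 443, "216.137.44.64/32", 10),
    IsdbEntry(393320, "Amazon-AWS", 6, 443, "216.137.0.0/16", 5),
    IsdbEntry(393217, "Amazon-Web", 6, 443, "216.137.0.0/16", 3),
]


def match(proto: int, port: int, ip: str) -> List[IsdbEntry]:
    """All ISDB entries containing the 3-tuple, like 'diagnose internet-service match'."""
    addr = ip_address(ip)
    return [e for e in ISDB
            if e.proto == proto and e.port == port and addr in ip_network(e.prefix)]


def info(proto: int, port: int, ip: str) -> Optional[IsdbEntry]:
    """The single entry FortiOS selects for the 3-tuple, like 'diagnose internet-service
    info': the candidate with the highest singularity, or None if nothing covers it."""
    candidates = match(proto, port, ip)
    return max(candidates, key=lambda e: e.singularity) if candidates else None


def policy_allows(policy_services: Set[Union[int, str]], proto: int, port: int, ip: str) -> bool:
    """Policy lookup: the policy matches only if the selected entry is one of the services
    it references, by id (internet-service-id) or by name (internet-service-name).
    Listing only a lower-singularity service, as in the article's failing policies,
    does not match."""
    chosen = info(proto, port, ip)
    if chosen is None:
        return False
    return chosen.service_id in policy_services or chosen.name in policy_services


def service_to_append(policy_services: Set[Union[int, str]], proto: int, port: int, ip: str) -> Optional[str]:
    """Name of the service that must be added for the policy to match the 3-tuple,
    or None if the policy already matches (or no ISDB entry covers the tuple)."""
    chosen = info(proto, port, ip)
    if chosen is None or policy_allows(policy_services, proto, port, ip):
        return None
    return chosen.name


if __name__ == "__main__":
    # First case from the article: policy references only Microsoft-Outlook (327791).
    outlook_only = {327791}
    print([e.name for e in match(6, 443, "40.101.76.130")])
    print(policy_allows(outlook_only, 6, 443, "40.101.76.130"))
    print(service_to_append(outlook_only, 6, 443, "40.101.76.130"))
    # Second case: policy references only Dropbox-Web by name.
    print(service_to_append({"Dropbox-Web"}, 6, 443, "216.137.44.64"))
```

The model makes the operational consequence visible: a policy that lists only the narrower service keeps failing until the highest-singularity object is appended, and that object is typically broader (in the article, Microsoft-Office365.Published matched 12 entries against 1 for Microsoft-Outlook), so the corrected policy allows more destinations than the original intent. Reviewing what the appended service covers before committing the change is the check a practitioner would add.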

 

 

Related article:

Technical Tip: ISDB common admin operations