jangelis
Description
In FortiOS 6.2, the behavior of the Internet Service Database (ISDB) has changed: a single IP address can belong to several ISDB services at the same time.
The following policy is intended to allow traffic to the Microsoft Outlook service, based on the ISDB object "Microsoft-Outlook":
#config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-id 327791        <----- Microsoft-Outlook
        set action accept
        set schedule "always"
        set fsso disable
        set nat enable
    next
end
Checking which ISDB objects a particular IP address belongs to:
FGT # diagnose internet-service match root 40.101.76.130 255.255.255.255
Internet Service: 327880(Microsoft-Office365.Published), matched num: 12
Internet Service: 327791(Microsoft-Outlook), matched num: 1
...
But the traffic is not allowed by the policy that references Microsoft-Outlook (327791):
trace_id=1 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=6, 192.168.0.100:50806->40.101.76.130:443) from internal. flag [S], seq 590061547, ack 0, win 8192"
id=20085 trace_id=1 func=init_ip_session_common line=5625 msg="allocate a new session-00002df1"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-92.0.2.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=636 msg="Denied by forward policy check (policy 0)"
This article explains how to allow the traffic.

Solution
From FortiOS 6.2, an IP address can be part of several different ISDB objects.

Traffic is matched to exactly one ISDB object, based on the 3-tuple (protocol, port, IP).

This also introduces the "singularity" value, a weight assigned to each ISDB object. When a 3-tuple is contained in several objects, the object with the highest singularity value is the one the traffic is matched to; the other objects containing the same IP address are not considered for policy lookup.

The ISDB object that a given 3-tuple will be matched to can be checked with the following command (here protocol 6 = TCP, port 443):

FGT # diagnose internet-service info root 6 443 40.101.76.130
Internet Service: 327880(Microsoft-Office365.Published)
This ISDB service is matched because, of all the objects containing the 3-tuple, it has the highest singularity value. A policy that references only Microsoft-Outlook (327791) therefore never matches this flow, even though the IP address is part of that object too.

To allow the traffic, Microsoft-Office365.Published (327880) must be added to the policy (Microsoft-Outlook can remain in the list, so the policy matches whichever of the two objects a flow resolves to):
#config firewall policy
    edit 1
        set name "1"
        set uuid 00e09d82-1459-51ea-05bb-b37390d7241b
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-id 327880 327791
        set action accept
        set schedule "always"
        set fsso disable
        set nat enable
    next
end
And the debug flow shows that the correct policy is now matched:
id=20085 trace_id=10 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=6, 192.168.0.100:50887->40.101.76.130:443) from internal. flag [S], seq 427857638, ack 0, win 8192"
id=20085 trace_id=10 func=init_ip_session_common line=5625 msg="allocate a new session-000037fe"
id=20085 trace_id=10 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-92.0.2.1 via wan1"
id=20085 trace_id=10 func=fw_forward_handler line=783 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=10 func=__ip_session_run_tuple line=3241 msg="SNAT 192.168.0.100->92.0.2.2:50887"
The singularity value is shown in the settings of the ISDB object itself:
FGT # config firewall internet-service 327880

FGT (327880) # get

id                  : 327880
name                : Microsoft-Office365.Published
reputation          : 5
icon-id             : 502
sld-id              : 135
direction           : both
database            : isdb
ip-range-number     : 3192
extra-ip-range-number: 3192
ip-number           : 2438320
singularity         : 16            
obsolete            : 0
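The matching rule described above, modelled as an added example (this is illustrative Python, not Fortinet code or the actual ISDB engine). The service IDs, names and the Office365.Published singularity of 16 are taken from the CLI output in this article; the Microsoft-Outlook singularity, the IP ranges, the port sets and the tie-break on equal singularity are constructed assumptions. The example reproduces the two diagnose commands and shows why the first policy drops the flow while the corrected one allows it.

```python
"""Toy model of how FortiOS 6.2+ resolves a flow to one ISDB object.

Added example, not Fortinet code. Only the service IDs, names and the
327880 singularity value come from the article; everything else below
(ranges, ports, the 327791 singularity, tie-breaking) is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class InternetService:
    """One ISDB object: id/name/singularity as shown by `get`, plus the
    (protocol, port) pairs and IP ranges it covers (constructed here)."""
    id: int
    name: str
    singularity: int
    ports: frozenset    # {(proto, port)}; port 0 means any port
    networks: tuple     # IPv4Network objects

    def covers_ip(self, ip) -> bool:
        return any(ip in net for net in self.networks)

    def covers_tuple(self, proto: int, port: int, ip) -> bool:
        port_ok = (proto, port) in self.ports or (proto, 0) in self.ports
        return port_ok and self.covers_ip(ip)


def services_containing_ip(isdb, ip):
    """Model of `diagnose internet-service match <vdom> <ip> <mask>`:
    every object whose ranges contain the address, regardless of port."""
    ip = ip_address(ip)
    return [svc for svc in isdb if svc.covers_ip(ip)]


def match_tuple(isdb, proto, port, ip):
    """Model of `diagnose internet-service info <vdom> <proto> <port> <ip>`:
    of all objects covering the 3-tuple, the highest singularity wins.
    Returns None when no object covers the flow. The lowest-id tie-break
    is an assumption; the article does not say how FortiOS handles ties."""
    ip = ip_address(ip)
    candidates = [svc for svc in isdb if svc.covers_tuple(proto, port, ip)]
    if not candidates:
        return None
    return min(candidates, key=lambda s: (-s.singularity, s.id))


def policy_allows(internet_service_ids, isdb, proto, port, ip):
    """A policy with `set internet-service enable` matches only if the one
    object the flow resolves to is in its internet-service-id list. Being
    present in other objects that contain the IP does not count."""
    matched = match_tuple(isdb, proto, port, ip)
    return matched is not None and matched.id in set(internet_service_ids)


# Constructed sample ISDB (see module docstring for what is real).
ISDB = (
    InternetService(
        id=327880, name="Microsoft-Office365.Published", singularity=16,
        ports=frozenset({(6, 80), (6, 443)}),
        networks=(ip_network("40.96.0.0/13"),),
    ),
    InternetService(
        id=327791, name="Microsoft-Outlook", singularity=8,  # assumed
        ports=frozenset({(6, 443)}),
        networks=(ip_network("40.101.76.0/24"),),
    ),
)

DST = "40.101.76.130"   # destination address from the article's debug flow
TCP, HTTPS = 6, 443


def outlook_only_policy_allows() -> bool:
    """The article's first policy: internet-service-id 327791 only."""
    return policy_allows([327791], ISDB, TCP, HTTPS, DST)


def fixed_policy_allows() -> bool:
    """The corrected policy: internet-service-id 327880 327791."""
    return policy_allows([327880, 327791], ISDB, TCP, HTTPS, DST)


if __name__ == "__main__":
    for svc in services_containing_ip(ISDB, DST):
        print(f"Internet Service: {svc.id}({svc.name})")
    winner = match_tuple(ISDB, TCP, HTTPS, DST)
    print(f"3-tuple resolves to {winner.id}({winner.name}), "
          f"singularity {winner.singularity}")
    print("policy with 327791 only allows:", outlook_only_policy_allows())
    print("policy with 327880 + 327791 allows:", fixed_policy_allows())
```

The practical check this encodes: `diagnose internet-service match` tells you which objects contain an address, but only `diagnose internet-service info` with the protocol and port tells you which single object the policy lookup will use, so the policy must reference that object.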

Related Articles

Technical Tip: ISDB common admin operations
