zromano
Staff & Editor
Article Id 417046
Description
This article describes why it is not possible to disable ISDB entries using the CLI.

Scope
FortiGate.

Solution

ISDB exceptions can be added using the GUI by following this KB article: Technical Tip: How to Disable Specific IP Addresses or IP Address Ranges in ISDB Address Objects.


This will add an internet-service-extension to the configuration. For example, if an entry is disabled for the 'Malicious-Malicious.Server' object (ID=11337935):


FortiGate # show firewall internet-service-extension
config firewall internet-service-extension
    edit 11337935
        set comment ''
            config disable-entry
                edit 1
                    set protocol 6
                        config port-range
                            edit 1
                                set start-port 80
                                set end-port 80
                            next
                            edit 2
                                set start-port 443
                                set end-port 443
                            next
                        end
                        config ip-range
                            edit 1
                                set start-ip 1.0.166.79
                                set end-ip 1.0.166.79
                            next
                        end
                next
            end
    next
end


Note:

To check the ID for a specific ISDB group, the following commands can be used:


FortiGate # diagnose internet-service id | grep Malicious
ID: 11337935 name: "Malicious-Malicious.Server"


FortiGate # diagnose internet-service id | grep 11337935
ID: 11337935 name: "Malicious-Malicious.Server"


However, when trying to configure this manually from the CLI, it will return an error:


FortiGate # config firewall internet-service-extension
FortiGate (internet-service-extension) # edit 11337935
FortiGate (11337935) # config disable-entry
FortiGate (disable-entry) # edit 1
This table is internally maintained, not configurable by user
node_check_object fail! for id 1

value parse error before '1'
Command fail. Return code -61


This is by design, as manually changing these entries via the CLI is considered highly error-prone. The only way to edit these ISDB objects is through the GUI.


Note:

There is a known issue (ID 853352 in the release notes): when there are more than 100000 entries in an ISDB object, the GUI will get stuck when scrolling down the list.


This has been fixed in v7.6.4 and later releases, but it will not be fixed in v7.2.x or v7.4.x. In case exceptions need to be added to the ISDB objects with more than 100000 in v7.2 or v7.4, as a workaround, a policy with addresses (or address groups) as exceptions should be created, then placed in front of the policy with the ISDB object.