I need some clarification on the best way to do this. Our company has a policy that servers do not get Internet access, except to a list of permitted websites. This works well when the Destination object is an FQDN with a couple of IP addresses behind it, but it falls down when the destination is hosted in a cloud like AWS. I believe the FortiGate fails to get the full list of IPs that could be behind a given FQDN and traffic is randomly dropped at times.
We opened a ticket with support in the past and the recommended solution was to use a web filter instead, but this opens an entirely new set of issues. If I have a web filter with everything set to deny, except for a list of allowed URLs, processing of firewall policies stops at the policy with the web filter defined, and the server gets the "Blocked by FortiGate" screen. What I would like is for the firewall to treat that policy as a no match and continue down the list of policies.
I'd prefer not to have one massive web filter for every external website. I'd like it to be granular and have one policy with a web filter to allow access to AV Updates, another policy with web filter for access to the SIEM, etc.
I appreciate the response. I tested policies using the Internet Services as a destination and the success with them has been hit or miss. A good example would be Rapid7. We're in the process of deploying it now and I was happy to see an Internet Service for them; however, the agents failed to install with this policy in place. It took setting up a packet capture and analyzing the DNS queries, then the subsequent requests, to find the resource that couldn't be reached.
I'll research them in more depth as I do see them as a great benefit. Does anyone know if Fortinet has a portal that requests can be submitted to for ISDB updates? In the Rapid7 example above, I believe they need to add amazontrust.com so the agent install succeeds.
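Added example, not part of the original post or any Fortinet tool: a small Python parser for FortiGate key=value log lines that lists, per source server, the destinations that were denied by a policy or blocked by a web filter profile, so the unreachable resource in a case like the agent install above can be read from the forward-traffic and webfilter logs rather than a packet capture. The log lines are constructed; the field names used (srcip, dstip, action, policyid, hostname, url) follow the FortiGate log format, and the hostnames are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample FortiGate log lines (not real logs); a server at
# 10.10.20.5 hits an implicit deny and a web filter block, plus one accept.
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:01 type=traffic subtype=forward srcip=10.10.20.5 dstip=52.10.1.4 dstport=443 action=deny policyid=0 hostname="agent-download.placeholder.example" msg="Denied by implicit policy"
date=2024-05-01 time=10:00:02 type=utm subtype=webfilter srcip=10.10.20.5 dstip=52.10.1.9 action=blocked policyid=12 hostname="ocsp.placeholder.example" url="/" msg="URL belongs to a denied category"
date=2024-05-01 time=10:00:03 type=traffic subtype=forward srcip=10.10.20.5 dstip=93.184.216.34 dstport=443 action=accept policyid=7
date=2024-05-01 time=10:00:04 type=traffic subtype=forward srcip=10.10.20.6 dstip=52.10.1.4 dstport=443 action=deny policyid=0
"""

# key=value pairs; values may be bare tokens or double-quoted strings with spaces
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# traffic logs use action=deny, webfilter UTM logs use action=blocked
BLOCK_ACTIONS = {"deny", "blocked"}


def parse_line(line):
    """Turn one FortiGate key=value log line into a dict, quotes stripped."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}


def blocked_destinations(log_text):
    """Map each source IP to the set of (destination, policyid) pairs that
    were denied by a firewall policy or blocked by a web filter profile.
    The destination is the resolved hostname when the log carries one,
    otherwise the raw dstip."""
    result = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") not in BLOCK_ACTIONS:
            continue
        dest = rec.get("hostname") or rec.get("dstip", "?")
        result[rec.get("srcip", "?")].add((dest, rec.get("policyid", "?")))
    return dict(result)


if __name__ == "__main__":
    for src, dests in sorted(blocked_destinations(SAMPLE_LOGS).items()):
        for dest, policy in sorted(dests):
            print(f"{src} -> {dest} (policy {policy})")
```

Feed it the output of a traffic log export filtered to the server's source IP; policy 0 in the output means the implicit deny, which is the case where an FQDN or ISDB object did not cover the address the server actually resolved.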