Hi,
I have a FW policy which includes blocking ISDB address groups/objects, i.e. botnet, C&C, phishing, spam, etc.
The FW policy install from FGM failed after I tried 3 times.
FW01 (16) $ set internet-service-name "Blockchain-Crypto.Mining.Pool" "Botnet-C&C.Server" "Malicious-Malicious.Server" "Phishing-Phishing.Server" "Spam-Spamming.Server" "Tor-Relay.Node" "VPN-Anonymous.VPN"
entry not found in datasource
value parse error before 'VPN-Anonymous.VPN'
Command fail. Return code -3
FW01 (16) $ next
Must set internet service, internet service group, dynamicnetwork service, custom internet service or custom internet service group for destination.
object check operator error, -56, discard the setting
Per checking FortiCloud, the FortiGuard service/feature entitlements are down/red. My questions are:
1. Do you need a valid warranty/entitlement for ISDB to work?
2. Do you need to have a count under the 'number of entries' for the ISDB IP reputation DB?
3. Do 1 and 2 above need to be working before I'm able to install the FW policy using the ISDB address/objects?
Internet-service Full Database <<< FW having issue
---------
Version: 0.00000
Contract Expiry Date: n/a
Last Updated using manual update on Mon Jan 1 00:00:00 2001
Last Update Attempt: Mon Jan 15 09:24:14 2024
Result: Unauthorized
-----
Internet-service Full Database !! WORKING FW
---------
Version: 7.03527 signed
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Jan 12 00:28:51 2024
Last Update Attempt: Mon Jan 15 09:28:12 2024
Result: No Updates
Hello John,
Thank you for your inquiry. I will try to answer your questions in the same order:
1- If there is no active or valid ISDB license, the FortiGate will use its internal database and will not be able to contact FortiGuard to update or download the ISDB. The FortiGate ISDB is limited and does not include a full list of ISDB, and without FortiGuard updates it is safe to say it will be outdated and incorrect on many address objects; therefore, it is not recommended to be used for operation.
2- The count of entries is not required to set up the policy, but it simply means that the object has 0 addresses and therefore cannot be used.
3- You can create a firewall policy using the ISDB as destination; however, without a valid ISDB license the ISDB objects will be coming from the FortiGate itself. If this is a lower-end model, FortiOS will have a mini database that does not really have much in it, for reasons of saving memory resources on such FortiGate models.
Thank you,
saleha
thanks!
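A pre-install check built on the two status outputs quoted in the thread, as an added example that is not part of any post and not Fortinet tooling: it parses the update-status text and flags an Internet-service database that was never updated (version 0) or whose last update was refused. The function names and the two failure criteria are assumptions drawn from those outputs.

```python
import re

# The two status outputs quoted in the thread, annotations included.
SAMPLE = """\
Internet-service Full Database <<< FW having issue
---------
Version: 0.00000
Contract Expiry Date: n/a
Last Updated using manual update on Mon Jan 1 00:00:00 2001
Last Update Attempt: Mon Jan 15 09:24:14 2024
Result: Unauthorized
-----
Internet-service Full Database !! WORKING FW
---------
Version: 7.03527 signed
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Jan 12 00:28:51 2024
Last Update Attempt: Mon Jan 15 09:28:12 2024
Result: No Updates
"""
FIELD = re.compile(r"^(Version|Contract Expiry Date|Last Update Attempt|Result):\s*(.*)$")
UPDATED = re.compile(r"^Last Updated using (.+?) update on (.+)$")
DASHES = re.compile(r"-{5,}")

def parse_status(text):
    """Return one dict per database block: its title plus the fields under it."""
    blocks, lines = [], [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if blocks and (m := FIELD.match(line)):
            blocks[-1][m.group(1)] = m.group(2)
        elif blocks and (m := UPDATED.match(line)):
            blocks[-1]["Update Method"], blocks[-1]["Last Updated"] = m.groups()
        elif line and not DASHES.fullmatch(line) and DASHES.fullmatch(nxt):
            blocks.append({"title": line})  # a title sits directly above a dash row
    return blocks

def isdb_problems(block):
    """Reasons (assumed criteria) not to rely on this database; empty list means OK."""
    problems = []
    ver = re.match(r"\d+\.\d+", block.get("Version", ""))
    if not ver or float(ver.group()) == 0.0:
        problems.append("full database never updated (version 0)")
    if block.get("Result", "").lower() == "unauthorized":
        problems.append("FortiGuard update refused: Unauthorized")
    return problems

def precheck(text, name="Internet-service Full Database"):
    return [isdb_problems(b) for b in parse_status(text) if b["title"].startswith(name)]
```

Calling `precheck(SAMPLE)` returns one list of problems per database block, in order; an empty list means neither criterion fired for that firewall.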