Support Forum
johnlloyd_13
Contributor

FW Policy install failed - ISDB update

Hi,

I have a FW policy which includes blocking ISDB address groups/objects, i.e. botnet, CnC, phishing, spam, etc.

The FW policy install from FGM failed after I tried 3 times.

FW01 (16) $ set internet-service-name "Blockchain-Crypto.Mining.Pool" "Botnet-C&C.Server" "Malicious-Malicious.Server" "Phishing-Phishing.Server" "Spam-Spamming.Server" "Tor-Relay.Node" "VPN-Anonymous.VPN"
entry not found in datasource

value parse error before 'VPN-Anonymous.VPN'
Command fail. Return code -3
FW01 (16) $ next
Must set internet service, internet service group, dynamicnetwork service, custom internet service or custom internet service group for destination.
object check operator error, -56, discard the setting

Per checking FortiCloud, the FortiGuard service/feature entitlements are down/red. My questions are:

1. Do you need a valid warranty/entitlement for ISDB to work?

2. Do you need to have a count under the 'number of entries' for the ISDB IP reputation DB?

3. Do 1 and 2 above need to be working before I'm able to install the FW policy using the ISDB address/objects?

Internet-service Full Database   <<< FW having issue
---------
Version: 0.00000
Contract Expiry Date: n/a
Last Updated using manual update on Mon Jan  1 00:00:00 2001
Last Update Attempt: Mon Jan 15 09:24:14 2024
Result: Unauthorized

Internet-service Full Database    !! WORKING FW
---------
Version: 7.03527 signed
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Jan 12 00:28:51 2024
Last Update Attempt: Mon Jan 15 09:28:12 2024
Result: No Updates

Thanks,
John
1 Solution
saleha
Staff

Hello John,

Thank you for your inquiry. I will try to answer your questions in the same order:
1- If there is no active or valid ISDB license, the FortiGate will use its internal database and will not be able to contact FortiGuard to update or download the ISDB. The FortiGate ISDB is limited and does not include a full list of ISDB entries, and without FortiGuard updates it is safe to say it will be outdated and incorrect on many address objects; therefore, it is not recommended to be used for operation.

2- The count of entries is not required to set up the policy, but a zero count simply means that the object has 0 addresses and therefore cannot be used.

3- You can create a firewall policy using the ISDB as destination; however, without a valid ISDB license the ISDB objects will be coming from the FortiGate itself. If this is a lower-end model, FortiOS will have a mini database that does not really have much in it, for reasons of saving memory resources on such FortiGate models.

Thank you,

saleha

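An added example, not part of the original thread and not a Fortinet tool: a small Python pre-check that parses the "Internet-service Full Database" block in the format quoted above (the format FortiOS prints for `diagnose autoupdate versions`) and flags the two conditions the thread ties to empty ISDB objects, a zero version and an Unauthorized update result. The two sample blocks are constructed from the output the poster quoted; the decision rule in `isdb_usable` is an assumption for illustration, not a Fortinet-documented rule.

```python
from typing import Dict, List, Tuple

# Constructed samples in the format quoted in the thread: the unit whose policy
# install failed, and the unit that works. Only the ISDB block is included.
SAMPLE_FAILING = """\
Internet-service Full Database
---------
Version: 0.00000
Contract Expiry Date: n/a
Last Updated using manual update on Mon Jan  1 00:00:00 2001
Last Update Attempt: Mon Jan 15 09:24:14 2024
Result: Unauthorized
"""

SAMPLE_WORKING = """\
Internet-service Full Database
---------
Version: 7.03527 signed
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Jan 12 00:28:51 2024
Last Update Attempt: Mon Jan 15 09:28:12 2024
Result: No Updates
"""

ISDB_NAME = "Internet-service Full Database"


def parse_autoupdate_versions(text: str) -> Dict[str, Dict[str, str]]:
    """Turn 'Name / ----- / Key: value' blocks into {name: {key: value}}.

    'Last Updated using ...' has no colon before the timestamp, so it is
    handled before the generic key: value split (the timestamp has colons).
    """
    entries: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}          # lines before the first name are dropped
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:   # blank line or the ----- separator
            continue
        if line.startswith("Last Updated using "):
            current["Last Updated"] = line[len("Last Updated using "):]
        elif ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
        else:                                 # a block name such as the ISDB entry
            current = entries.setdefault(line, {})
    return entries


def isdb_usable(entries: Dict[str, Dict[str, str]]) -> Tuple[bool, List[str]]:
    """Decide whether ISDB-based policies should be pushed to this unit.

    Assumed rule (not a Fortinet rule): version 0 means no database is loaded,
    and an Unauthorized update result means the entitlement is missing.
    """
    db = entries.get(ISDB_NAME)
    if db is None:
        return False, [f"no '{ISDB_NAME}' block in output"]
    reasons: List[str] = []
    version = db.get("Version", "0").split()[0]     # drop a trailing 'signed'
    try:
        if float(version) == 0.0:
            reasons.append(f"ISDB version {version}: no database loaded, objects will be empty")
    except ValueError:
        reasons.append(f"cannot parse ISDB version {version!r}")
    if db.get("Result", "").lower() == "unauthorized":
        reasons.append("last update attempt returned Unauthorized: check the FortiGuard ISDB entitlement")
    return (not reasons), reasons


if __name__ == "__main__":
    for label, sample in (("failing unit", SAMPLE_FAILING), ("working unit", SAMPLE_WORKING)):
        ok, reasons = isdb_usable(parse_autoupdate_versions(sample))
        print(f"{label}: {'OK to install ISDB policy' if ok else 'BLOCK install'}")
        for reason in reasons:
            print(f"  - {reason}")
```

Running it against the two constructed samples blocks the install for the first unit with both reasons and passes the second; the same parser can be pointed at the full command output captured from a unit before a FortiManager push, so the empty-object error surfaces before the install attempt rather than in the install log.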

johnlloyd_13
Contributor

Thanks!

Thanks,
John