While the new Internet Service Database in 5.4 is a useful reference indeed, it is frustrating that entries in it cannot be bound to firewall policies (at least not that I've found). You have service entries in there with thousands of IP address / port combinations that would be very useful to reference in policies, whereas you would normally be required to define all of those addresses as individual address objects in the configuration.
Are there any plans to allow us to use this new feature in policies? Or am I just missing the way to do it currently?
Hi,
Yes, if you have a valid FortiGuard subscription. However, quality can be variable depending on the service.
For Office 365, Microsoft publishes all the changes in an RSS feed at least 30 days ahead of the changes, so quality is excellent.
On the other end of the spectrum, Netflix doesn't communicate, and updates are very reactive. Not a problem if you ban Netflix, as the service won't be using only the additional IPs and will be efficiently blocked, but if you want to use it to allow and assign a particular profile, such as no SSL interception (as Netflix is very sensitive to SSL), it's a big issue (and they keep using additional FQDNs too, so wildcard FQDNs for exceptions as an alternative/top-up need maintenance too).
Regards,
Stephane
mahesh p mohan wrote: Hi
I have used the policy in 5.6 on one of our customers' FortiGate 100E and found traffic in the policy. They have an issue when accessing AWS services with a UTM profile.
But I have a question: will the FortiGate Internet Service Database update automatically or not?
If a new IP is used by AWS, will that be updated in the database?
Regards
mahesh
Hi
I have used the policy in 5.6 on one of our customers' FortiGate 100E and found traffic in the policy. They have an issue when accessing AWS services with a UTM profile.
But I have a question: will the FortiGate Internet Service Database update automatically or not?
If a new IP is used by AWS, will that be updated in the database?
Regards
mahesh
Yeah, known problem.
For now you can only use them in policy routing, in order to decide which ISP to use for each "object".
In the next releases we hope that those objects can be used in FW policies too.
Fingers crossed that some new functionality comes from it soon.
Mike Pruett
Still no use in 5.4.2... A shame, as it's a great idea but pointless until they can be used as an address group (in firewall rules, SSL exceptions, etc.).
SMabille wrote: Still no use in 5.4.2... A shame, as it's a great idea but pointless until they can be used as an address group (in firewall rules, SSL exceptions, etc.).
It's already done in the 5.6 code... It will be available in Beta 2...
Regards, Paulo Raponi
Copyright 2024 Fortinet, Inc. All Rights Reserved.