Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
IrbkOrrum
Contributor

Created on ‎04-01-2025 06:06 AM

Inbound rules based on URL.

We've got some development that's going on in Azure which makes a call to our internal servers.  I've got the "source" inbound rule pointing to a VIP and restricted to traffic coming from 

*.azure-api.net

*.microsoft.com

*.slope.io

The problem is with something like apimanagement-cors-proxy-prd.azure-api.net depending on what IP that resolves to, the firewall may or may not allow traffic coming from that URL.  As I understand it from FortiNet support, this is "expected" behavior.  IE if the firewall has resolved apimanagement-cors-proxy-prd.azure-api.net to be 13.91.254.72 and the traffic is coming from 13.91.254.72, then the traffic will be allowed in.  However if traffic coming from apimanagement-cors-proxy-prd.azure-api.net is coming from 20.121.82.216 and the firewall hasn't resolved 20.121.82.216 as a valid IP for apimanagement-cors-proxy-prd.azure-api.net then the traffic won't be allowed in.  
The only other option would be to allow Azure traffic via IPs but that's a list of 1000's of IPs that change weekly and that's not really a sustainable solution.  
How do you work around this issue?

 

Labels:
204
0 Kudos
1 Solution
AEK
SuperUser
SuperUser

Created on ‎04-01-2025 07:27 AM

Did you check if ISDB as source can help in your case?

AEK

View solution in original post

AEK
184
0 Kudos
8 REPLIES 8
AEK
SuperUser
SuperUser

Created on ‎04-01-2025 07:27 AM

Did you check if ISDB as source can help in your case?

AEK
AEK
185
0 Kudos
IrbkOrrum
Contributor
In response to AEK

Created on ‎04-01-2025 07:29 AM

I'm unfamiliar with what ISDB is?  Please explain.

181
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎04-01-2025 07:37 AM

In your inbound rule, you select "Internet Service" as source, instead of FQDN. Then try to find azure-api and others if they exist. In case they don't exist in the DB then forget about this solution.

 

isdb.png

AEK
AEK
175
0 Kudos
IrbkOrrum
Contributor
In response to AEK

Created on ‎04-01-2025 07:43 AM

I've never used this feature before!  This is kind of awesome.  Doing some research it looks like you could look up the service via a CLI command
diagnose internet-service match <vdom-name> <ip> <netmask>
IE
diagnose internet-service match root 20.121.82.216 255.255.255.255
which returns a list like so:
Internet Service: 327786(Microsoft-Azure), matched entry num: 2, matched num: 2
Internet Service: 327681(Microsoft-Web), matched entry num: 4, matched num: 4
Internet Service: 327682(Microsoft-ICMP), matched entry num: 1, matched num: 1
Internet Service: 327683(Microsoft-DNS), matched entry num: 2, matched num: 2
Internet Service: 327684(Microsoft-Outbound_Email), matched entry num: 4, matched num: 4
ETC....
Does that mean that I would use "Microsoft-Azure" as a source on my inbound firewall rule and it would always allow traffic from apimanagement-cors-proxy-prd.azure-api.net regardless of if the firewall has resolved the IP as 13.91.254.72 or 20.121.82.216 or whatever other IP the traffic might be coming from?

170
AEK
SuperUser
SuperUser
In response to IrbkOrrum

Created on ‎04-01-2025 08:47 AM

I agree with you that ISDB is a great feature, but since they are dynamic addresses, you need to have valid FortiCare subscription so that you can get ISDB updates.

Every ISDB service can be used either as source, or as destination, or both. You can see if a service can be used as source or destination or both under menu Policy & Objects > ISDB, then see the column "Direction" for the required service. But for MS Azure I can see it is bidirectional.

Just to make sure, you can check if the IP address is in the service by double-clicking on the service, then show entries.

AEK
AEK
160
0 Kudos
IrbkOrrum
Contributor
In response to AEK

Created on ‎04-01-2025 08:52 AM

I don't think we plan to NOT have FortiCare, but it's good to know.  Thanks so much for this!  I never used it, didn't know it existed, but it's going to make a life a lot easier!  10 points too <insert your house here>!

149
AEK
SuperUser
SuperUser
In response to IrbkOrrum

Created on ‎04-01-2025 08:49 AM

Now I justed learned an interesting command from you:

diagnose internet-service match <vdom-name> <ip> <netmask>

Thanks!

AEK
AEK
157
dingjerry_FTNT
Staff
Staff

Created on ‎04-01-2025 08:51 AM

Hi @IrbkOrrum ,

 

The wildcard FQDN resolution depends on the DNS traffic passing through FGT.  So if there is no relevant DNS traffic passing through FGT, FGT may not get the correct IPs.

 

You may try with ISDB.  You may check the following article about the usage of ISDB as source/destination addresses in a firewall policy:

 

https://docs.fortinet.com/document/fortigate/7.6.2/administration-guide/336471/allow-creation-of-isd...

Regards,

Jerry
153
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.