Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
chrispng
New Contributor III

Internet Service Policy Wont Work

Hello Fortinet Community!

I have implemented in the past policys to allow my servers and VMs to reach microsoft and AVs(bitdefender) servers for update only.

 

Recently the Internet Service Policy stopped working.

 

The VMs wont update.

 

Any ideas? Have the Internet Service Database stopped working?

Is there a correct order for them to be adjusted?

Is there a default internet service required in all policys to be able to reach the required destination?

 

 

Thanks in advance

1 Solution
chrispng
New Contributor III

I have managed to resolve the issue by uograding from 7.2.5 to 7.4.2.

The policy worked perfectly

Just to add, before the upgrade the Internet Service Database wouldnt load any icons next to the Address Objects.

After the upgrade it does

 

Thanks in advance to all

View solution in original post

11 REPLIES 11
pmudgal
Staff
Staff

Hi Sir,

 

Thank you for reaching out to Fortinet support!

 

Did you make any changes recently or did you upgrade your FGT which caused this issue.

Can you share the policy configured?

 

Also you can refer the below document for configuration related help.

REF: https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/179236/using-internet-servic...

 

Best regards,

Piyush

 

chrispng
New Contributor III

Hello,

 

I implement both mature and feature upgrades,so i cant remember exacly when is stopped

FGT60F  7.2.5

Policy is as follows

 

config firewall policy
edit 4
set name "SYSTEMS TO INTERNET"
set uuid 38d8e122-070d-51ee-b780-37230ae7d58b
set srcintf "DigiIntLanSW"
set dstintf "wan1" "wan2"
set action accept
set srcaddr "SYSTEMS RANGE"
set internet-service enable
set internet-service-name "Bitdefender-DNS" "Bitdefender-LDAP" "Bitdefender-NetBIOS.Name.Service" "Bitdefender-NetBIOS.Session.Service" "Bitdefender-Other" "Bitdefender-Web" "Microsoft-DNS" "Microsoft-Microsoft.Update" "Microsoft-Web" "Microsoft-WNS" "ntp.org-DNS" "ntp.org-NTP" "ntp.org-Other" "ntp.org-Web"
set schedule "always"
set utm-status enable
set ssl-ssh-profile "Clone of no-inspection"
set logtraffic all
next
end

smaruvala

Hi,

 

- What do you see in the traffic logs? Is the communication getting denied by a policy?

- Is your ISDB entry up to date? You can check by running the command "diag autoupdate versions"
- If the communication is taking wrong policy then you can find the destination IP which is used for the communication and check the ISDB database in the Firewall to verify if it is mapped to the correct ISDB object or not. You can use the command "diagnose internet-service match root <IP and Subnet mask>"

 

Regards,

Shiva

 

chrispng
New Contributor III

Weird thing is i dont get any logs even though all logging is enabled and i also ofc ping and rdp the devices remotely

 

 

AV Engine
---------
Version: 6.00294 signed
Contract Expiry Date: Mon May 20 2024
Last Updated using manual update on Fri Sep 29 21:46:00 2023
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: No Updates

Virus Definitions
---------
Version: 92.00510
Contract Expiry Date: Mon May 20 2024
Last Updated using scheduled update on Wed Jan 10 14:37:39 2024
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: Updates Installed

Extended set
---------
Version: 92.00510
Contract Expiry Date: Mon May 20 2024
Last Updated using scheduled update on Wed Jan 10 14:37:39 2024
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: Updates Installed

Mobile Malware Definitions
---------
Version: 92.00510
Contract Expiry Date: Mon May 20 2024
Last Updated using scheduled update on Wed Jan 10 14:37:39 2024
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: Updates Installed

IPS Attack Engine
---------
Version: 7.00176 signed
Contract Expiry Date: Mon May 20 2024
Last Updated using manual update on Fri May 19 15:07:19 2023
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: No Updates

Attack Definitions
---------
Version: 26.00711
Contract Expiry Date: Mon May 20 2024
Last Updated using scheduled update on Wed Jan 10 00:07:45 2024
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: No Updates

Attack Extended Definitions
---------
Version: 0.00000
Contract Expiry Date: Mon May 20 2024
Last Updated using manual update on Mon Jan 1 00:00:00 2001
Last Update Attempt: Tue Jan 2 12:20:55 2024
Result: Connectivity failure

Application Definitions
---------
Version: 26.00710
Contract Expiry Date: Mon May 20 2024
Last Updated using scheduled update on Tue Jan 9 20:07:29 2024
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: No Updates

Industrial Attack Definitions
---------
Version: 6.00741
Contract Expiry Date: n/a
Last Updated using manual update on Tue Dec 1 02:30:00 2015
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: Unauthorized

IPS Malicious URL Database
---------
Version: 4.00934
Contract Expiry Date: Mon May 20 2024
Last Updated using scheduled update on Tue Jan 9 19:07:40 2024
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: No Updates

Flow-based Virus Definitions
---------
Version: 92.00510
Contract Expiry Date: Mon May 20 2024
Last Updated using scheduled update on Wed Jan 10 14:37:39 2024
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: Updates Installed

Botnet Domain Database
---------
Version: 3.00606
Contract Expiry Date: Mon May 20 2024
Last Updated using scheduled update on Wed Jan 10 03:37:34 2024
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: No Updates

Internet-service Standard Database
---------
Version: 7.03524
Contract Expiry Date: n/a
Last Updated using scheduled update on Wed Jan 10 09:22:38 2024
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: No Updates

Device and OS Identification
---------
Version: 1.00161
Contract Expiry Date: Mon May 20 2024
Last Updated using scheduled update on Fri Dec 15 20:07:41 2023
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: No Updates

URL Allow list
---------
Version: 4.00098
Contract Expiry Date: Mon May 20 2024
Last Updated using scheduled update on Tue Jan 9 19:37:35 2024
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: No Updates

IP Geography DB
---------
Version: 3.00211
Contract Expiry Date: n/a
Last Updated using scheduled update on Tue Jan 9 21:07:18 2024
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: No Updates

Certificate Bundle
---------
Version: 1.00048
Contract Expiry Date: n/a
Last Updated using scheduled update on Thu Dec 14 20:07:39 2023
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: No Updates

Malicious Certificate DB
---------
Version: 1.00462
Contract Expiry Date: Mon May 20 2024
Last Updated using scheduled update on Tue Jan 9 00:37:11 2024
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: No Updates

Mac Address Database
---------
Version: 1.00199
Contract Expiry Date: Mon May 20 2024
Last Updated using scheduled update on Tue Jan 9 19:37:35 2024
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: No Updates

AntiPhish Pattern DB
---------
Version: 1.00012
Contract Expiry Date: n/a
Last Updated using manual update on Thu Feb 2 08:31:00 2023
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: No Updates

AI/Machine Learning Malware Detection Model
---------
Version: 2.14180
Contract Expiry Date: Mon May 20 2024
Last Updated using scheduled update on Wed Jan 10 14:37:39 2024
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: Updates Installed

Modem List
---------
Version: 0.000

Security Rating Data Package
---------
Version: 3.00067
Contract Expiry Date: n/a
Last Updated using scheduled update on Tue Dec 19 19:37:44 2023
Last Update Attempt: Wed Jan 10 14:37:39 2024
Result: No Updates

FDS Address
---------
173.243.142.6:443

hbac
Staff
Staff

Hi @chrispng,

 

Please check Application Control event logs to see if there is any blocks. 

 

Regards, 

chrispng
New Contributor III

No the application control are empty, also i dont have any security profile on the policy activated

hbac

Hi @chrispng,

 

Sorry for the confusion, can you please check Forward Traffic logs? 

 

Regards, 

chrispng
New Contributor III

i also dont see any packets there when i initiciate an update process from windows and bitdefender agent.

chrispng
New Contributor III

 

 Capture.PNG

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors