FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gmanea
Staff
Article Id 192971

Description

 

This article explains useful commands related to the Internet Service Database (ISDB) feature.

Troubleshooting tips for the Internet service database are included.

 

Scope

 

Any supported version of FortiGate.

Solution


1) Use the following command to check the current version of ISDB:

 

# diag autoupdate version | grep 'Internet-service' -A6
Internet-service Database Apps
---------
Version: 7.01406
Contract Expiry Date: n/a
Last Updated using push update on Thu Mar 18 03:28:22 2021
Last Update Attempt: Thu Mar 18 12:06:45 2021
Result: No Updates
--
Internet-service Database Maps
---------
Version: 7.01406
Contract Expiry Date: n/a
Last Updated using push update on Thu Mar 18 03:28:22 2021
Last Update Attempt: Thu Mar 18 12:06:45 2021
Result: No Updates

 

2) Use the following command to list ALL ISDB services and their corresponding IDs:

 

# diagnose internet-service id
Please input Internet Service ID.
ID: 65536 name: "Google-Others"
ID: 65537 name: "Google-Web"
ID: 65539 name: "Google-DNS"
ID: 65542 name: "Google-SSH"

The results can also be filtered:
# diagnose internet-service id | grep Microsoft
ID: 327681 name: "Microsoft-Web"
ID: 327682 name: "Microsoft-ICMP"
ID: 327683 name: "Microsoft-DNS"
ID: 327684 name: "Microsoft-Outbound_Email"
ID: 327686 name: "Microsoft-SSH"

 

3) Use the following command to check which services an IP address belongs to. In the example below, the IP address belongs to multiple services. This command is available in FortiOS 6.2 and newer only.

 

# diagnose internet-service match root 40.77.226.249 255.255.255.255
Internet Service: 327786(Microsoft-Azure), matched num: 2
Internet Service: 327681(Microsoft-Web), matched num: 4
Internet Service: 327682(Microsoft-ICMP), matched num: 1

 

4) Use the following command to check the list of IP addresses and ports included in an ISDB service.
WARNING: On smaller units, or on units running close to maximum capacity, displaying a service with a large number of IP addresses (such as Google or Microsoft) may trigger conserve mode.

 

# diagnose internet-service id 11796487
Internet Service: 11796487(MediaFire-FTP)
Version: 00007.01406
Timestamp: 202103171637
Number of IP ranges: 10
38.114.207.0-38.114.207.255 geo_id(3591) black list(0x0) proto(6) port(21 990)
38.118.213.0-38.118.213.255 geo_id(3388) black list(0x0) proto(6) port(21 990)
52.52.208.118-52.52.208.118 geo_id(13239) black list(0x0) proto(6) port(21 990)
54.215.174.57-54.215.174.57 geo_id(13239) black list(0x0) proto(6) port(21 990)

 

5) Use the following command to check all of the ports included in an ISDB service (FortiOS 6.0 only).

 

# diagnose internet-service id-summary 327786

Version: 00007.00048
Timestamp: 201909091430
Number of Internet Service entries: 2807
Internet Service: 327786(Microsoft-Azure) Number of entries: 2
Offset: 2089229
        Protocol: 6 Port: 22 80 443 445 990 1270 1433 2443 3260 3306 3389 5172 5432 5671 5672 5985 7990 7999 8080 8085 8443 9350 9351 9352 9353 9354 9450 9451 9452 9453 9454 IP range(10959) IP numbers(50882)
        Protocol: 17 Port: 0 IP range(10959) IP numbers(50882)

 

6) Use the following configuration commands to extend an ISDB service with additional IPs:

 

# config firewall address
    edit "40-77-226-250"
        set subnet 40.77.226.250 255.255.255.255
    next
end


# config firewall internet-service-custom
    edit "custom-IP-for-Azure"
        set comment ''
        config entry
            edit 1
                set dst "40-77-226-250"
            next
        end
    next
end

# config firewall policy
    edit 1
       set srcintf "wan1"
       set dstintf "wan2"
       set srcaddr "all"
       set internet-service enable
       set internet-service-id 327786                        <-------- Microsoft.Azure.
       set internet-service-custom "custom-IP-for-Azure"     <-------- 40.77.226.250/32.
       set action accept
       set schedule "always"
       set nat enable
    next
end

 

Alternatively, set master-service-id on the internet-service-custom object to extend the existing ISDB service:

 

# config firewall internet-service-custom
    edit "MyCustom_ISDB_Service"
        set master-service-id 327786
        set comment ''
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                    next
                end
                set dst "40-77-226-250"
            next
        end
    next
end

# config firewall policy
    edit 1
       set srcintf "wan1"
       set dstintf "wan2"
       set srcaddr "all"
       set internet-service enable
       set internet-service-custom "MyCustom_ISDB_Service"      <----- 40.77.226.250/32
       set action accept
       set schedule "always"
       set nat enable
    next
end

 

7) Use the steps below to extend an ISDB service with additional ports (this is only possible in FortiOS 6.2 and above).

If a port is missing from the service, add it with the configuration below.

For example, use the following configuration to add TCP ports 10001-10300 to the ISDB service Microsoft-Azure:

 

# config firewall internet-service-addition
    edit 327786
        set comment ''
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 10001
                        set end-port 10300
                    next
                end
            next
        end
    next
end

 

In FortiOS 6.0, it is possible to check that the ports have been added with the following:

 

# diagnose firewall internet-service list 327786 | grep Azure
name=Microsoft-Azure, id=327786 flags=0x1 order-ip-range protocol=6 port=22-22 80-80 443-443 445-445 990-990 1270-1270 1433-1433 2443-2443 3260-3260 3306-3306 3389-3389 5172-5172 5432-5432 5671-5671 5672-5672 5985-5985 7990-7990 7999-7999 8080-8080 8085-8085 8443-8443 9350-9350 9351-9351 9352-9352 9353-9353 9354-9354 9450-9450 9451-9451 9452-9452 9453-9453 9454-9454 10001-10300

 

8) Troubleshooting: why is the IP address not in the expected service?

For an ISDB, several sources can collect IP addresses, such as:

- FortiCloud application control log.
- Fortinet DNS log.
- DNS lookup in several geolocations.
- SSL certificate scanning.
- Vendor announcements.

IP addresses collected from different applications may overlap.
For example, one IP address may appear in both application A and application B. The current ISDB does not allow this: one 3-tuple (IP + protocol + port) can be added to only one ISDB object.

In the next ISDB, for FortiOS 6.2, one 3-tuple is allowed in multiple ISDB objects: a weight is assigned to each object, so that FortiOS can choose between them based on the weight value.

When an ISDB package is created, check for these possible conflicts to avoid them.

Weight assignment follows this logic:

- A cloud platform application such as Azure, Google cloud, or AWS has low priority.
- DNS lookups and SSL certificate scanning results have high priority.
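Steps 3 and 4 show a service as a list of IP ranges with a protocol and port list, and this step explains why a 3-tuple (IP + protocol + port) must not appear in two ISDB objects. The script below is an added example, not part of this article or of FortiOS: it parses the `diagnose internet-service id <id>` listing from step 4 (the MediaFire-FTP lines are copied from that output), answers the step 3 question of which service an IP/protocol/port matches, and reports the 3-tuples two parsed services have in common. The second service ("Example-Hypothetical", ID 99999999) is constructed purely to show an overlap; treating `port(0)` as "any port" is an assumption based on the `Port: 0` line in the step 5 output.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the MediaFire-FTP lines are copied from the article's
# `diagnose internet-service id 11796487` output (two ranges kept).
ISDB_OUTPUT_FTP = """\
Internet Service: 11796487(MediaFire-FTP)
Version: 00007.01406
Timestamp: 202103171637
Number of IP ranges: 2
38.114.207.0-38.114.207.255 geo_id(3591) black list(0x0) proto(6) port(21 990)
52.52.208.118-52.52.208.118 geo_id(13239) black list(0x0) proto(6) port(21 990)
"""

# Constructed, hypothetical service whose range overlaps the first one above.
ISDB_OUTPUT_OTHER = """\
Internet Service: 99999999(Example-Hypothetical)
Version: 00007.01406
Timestamp: 202103171637
Number of IP ranges: 1
38.114.207.128-38.114.207.130 geo_id(3591) black list(0x0) proto(6) port(990 8443)
"""

HEADER_RE = re.compile(r"^Internet Service: (\d+)\((.+)\)$")
RANGE_RE = re.compile(
    r"^(\S+)-(\S+) geo_id\((\d+)\) black list\((0x[0-9a-fA-F]+)\) "
    r"proto\((\d+)\) port\(([\d ]*)\)$"
)


@dataclass(frozen=True)
class Entry:
    first: int            # first IPv4 address of the range, as an integer
    last: int             # last IPv4 address of the range, as an integer
    proto: int            # IP protocol number (6 = TCP, 17 = UDP)
    ports: frozenset      # empty set means "any port" (port(0) in the listing)


@dataclass
class Service:
    sid: int
    name: str
    entries: List[Entry]


def parse_service(text: str) -> Service:
    """Parse one `diagnose internet-service id <id>` listing."""
    sid = name = None
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            sid, name = int(m.group(1)), m.group(2)
            continue
        m = RANGE_RE.match(line)
        if m:
            first = int(ipaddress.IPv4Address(m.group(1)))
            last = int(ipaddress.IPv4Address(m.group(2)))
            ports = {int(p) for p in m.group(6).split()}
            ports.discard(0)  # assumption: port 0 stands for any port
            entries.append(Entry(first, last, int(m.group(5)), frozenset(ports)))
    if sid is None:
        raise ValueError("no 'Internet Service:' header found")
    return Service(sid, name, entries)


def matches(service: Service, ip: str, proto: int, port: int) -> bool:
    """True if the 3-tuple (ip, proto, port) is covered by the service."""
    addr = int(ipaddress.IPv4Address(ip))
    return any(
        e.first <= addr <= e.last and e.proto == proto
        and (not e.ports or port in e.ports)
        for e in service.entries
    )


def overlapping_tuples(a: Service, b: Service) -> List[Tuple[str, str, int, tuple]]:
    """Return (first_ip, last_ip, proto, ports) blocks of 3-tuples present in both services."""
    hits = []
    for ea in a.entries:
        for eb in b.entries:
            if ea.proto != eb.proto:
                continue
            lo, hi = max(ea.first, eb.first), min(ea.last, eb.last)
            if lo > hi:
                continue              # IP ranges do not intersect
            if ea.ports and eb.ports:
                ports = ea.ports & eb.ports
            else:                     # one side is "any port": the other side's ports overlap
                ports = ea.ports or eb.ports or frozenset({0})
            if not ports:
                continue
            hits.append((str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi)),
                         ea.proto, tuple(sorted(ports))))
    return hits


if __name__ == "__main__":
    ftp = parse_service(ISDB_OUTPUT_FTP)
    print(ftp.name, matches(ftp, "38.114.207.17", 6, 21))
    for hit in overlapping_tuples(ftp, parse_service(ISDB_OUTPUT_OTHER)):
        print("conflict:", hit)
```

Running `overlapping_tuples` over two services pasted from a unit reproduces, offline and without the conserve-mode risk noted in step 4 for very large services, the conflict check described above: any hit is a 3-tuple that the current ISDB can assign to only one object, and therefore a candidate explanation for an IP address turning up under an unexpected service.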

9) Troubleshooting: why is the ISDB empty?
- Make sure connectivity to FortiGuard servers is available.
- If this occurred after a firmware upgrade, ensure the time for a scheduled update has passed or trigger the update manually:

 

# exec update-now

 

- Reboot the unit after connectivity is restored. If a disk scan warning appears on the GUI, run the scan. This will reboot the unit.

10) If problems remain, contact the ISDB team here.