FortiGate
Gabriel_Manea_FTNT
Description
This article lists useful CLI commands for the Internet Service Database (ISDB) feature, together with troubleshooting tips for it.

Solution
1) How to check the current version of ISDB.
# diag autoupdate version | grep 'Internet-service' -A6
Internet-service Database Apps
---------
Version: 7.01406
Contract Expiry Date: n/a
Last Updated using push update on Thu Mar 18 03:28:22 2021
Last Update Attempt: Thu Mar 18 12:06:45 2021
Result: No Updates
--
Internet-service Database Maps
---------
Version: 7.01406
Contract Expiry Date: n/a
Last Updated using push update on Thu Mar 18 03:28:22 2021
Last Update Attempt: Thu Mar 18 12:06:45 2021
Result: No Updates
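The version check above is usually the first thing to look at when ISDB behaves unexpectedly (see also the "database empty" question later in this article). The following parser, an added example for this article and not Fortinet code, takes the text of `diagnose autoupdate version` as captured over SSH and flags an ISDB package that is missing, has version 0, or has not been successfully updated for a while. SAMPLE_OUTPUT is the excerpt shown above; the 7-day staleness limit and the treatment of version 0 as "empty" are assumptions of this example.

```python
"""Parse `diagnose autoupdate version` output and flag an empty or stale
Internet Service Database. Added example for this article, not Fortinet
code. SAMPLE_OUTPUT is the excerpt shown in the article; the 7-day staleness
limit and the "version 0 means empty" rule are assumptions."""
import re
from datetime import datetime, timedelta

SAMPLE_OUTPUT = """\
Internet-service Database Apps
---------
Version: 7.01406
Contract Expiry Date: n/a
Last Updated using push update on Thu Mar 18 03:28:22 2021
Last Update Attempt: Thu Mar 18 12:06:45 2021
Result: No Updates
--
Internet-service Database Maps
---------
Version: 7.01406
Contract Expiry Date: n/a
Last Updated using push update on Thu Mar 18 03:28:22 2021
Last Update Attempt: Thu Mar 18 12:06:45 2021
Result: No Updates
"""

ISDB_PACKAGES = ("Internet-service Database Apps", "Internet-service Database Maps")
DATE_FMT = "%a %b %d %H:%M:%S %Y"   # e.g. "Thu Mar 18 03:28:22 2021"


def parse_autoupdate_version(text):
    """Return {package name: {"version", "last_updated", "last_attempt", "result"}}.
    A line containing no ':' (and not a dash separator) starts a new package block."""
    packages, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        if ":" not in line:
            current = line
            packages[current] = {}
            continue
        if current is None:
            continue
        pkg = packages[current]
        if line.startswith("Version:"):
            pkg["version"] = line.split(":", 1)[1].strip()
        elif line.startswith("Last Updated using"):
            m = re.search(r"update on (.+)$", line)
            if m:
                pkg["last_updated"] = datetime.strptime(m.group(1).strip(), DATE_FMT)
        elif line.startswith("Last Update Attempt:"):
            pkg["last_attempt"] = datetime.strptime(line.split(":", 1)[1].strip(), DATE_FMT)
        elif line.startswith("Result:"):
            pkg["result"] = line.split(":", 1)[1].strip()
    return packages


def isdb_status(packages, now, max_age=timedelta(days=7)):
    """Return a list of problem strings (empty list = ISDB looks healthy).
    `now` may be a datetime or an ISO-8601 string. A package is reported when it
    is absent, its version parses as 0 (assumed to mean an empty database), or
    its last successful update is older than max_age."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    problems = []
    for name in ISDB_PACKAGES:
        pkg = packages.get(name)
        if pkg is None:
            problems.append(f"{name}: not listed in output")
            continue
        if float(pkg.get("version", "0")) == 0:
            problems.append(f"{name}: version 0, database appears empty")
        last = pkg.get("last_updated")
        if last is None or now - last > max_age:
            problems.append(f"{name}: no successful update since {last}")
    return problems


if __name__ == "__main__":
    pk = parse_autoupdate_version(SAMPLE_OUTPUT)
    for p in isdb_status(pk, "2021-05-01T00:00:00"):
        print(p)
```

Feed it the real output of the unit (for example `ssh admin@fw 'diagnose autoupdate version'`) and run it from a monitoring job; a non-empty result is the cue to check FortiGuard connectivity and to trigger a manual update.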
2) How to list all the ISDB services with their corresponding IDs.
# diagnose internet-service id
Please input Internet Service ID.
ID: 65536 name: "Google-Others"
ID: 65537 name: "Google-Web"
ID: 65539 name: "Google-DNS"
ID: 65542 name: "Google-SSH"

The output can also be filtered, for example to show only the Microsoft services:
# diagnose internet-service id | grep Microsoft
ID: 327681 name: "Microsoft-Web"
ID: 327682 name: "Microsoft-ICMP"
ID: 327683 name: "Microsoft-DNS"
ID: 327684 name: "Microsoft-Outbound_Email"
ID: 327686 name: "Microsoft-SSH"

3) How to check which service(s) an IP address belongs to.
An IP address can belong to several services. This command is available in FortiOS 6.2 and newer (not before); in the example the IP matches three Microsoft services:
# diagnose internet-service match root 40.77.226.249 255.255.255.255
Internet Service: 327786(Microsoft-Azure), matched num: 2
Internet Service: 327681(Microsoft-Web), matched num: 4
Internet Service: 327682(Microsoft-ICMP), matched num: 1
4) How to list the IP ranges and ports included in an ISDB service.
WARNING: on smaller units, or units already running close to memory capacity, displaying a service with many IP ranges (e.g. Google, Microsoft) can push the unit into conserve mode!
# diagnose internet-service id 11796487
Internet Service: 11796487(MediaFire-FTP)
Version: 00007.01406
Timestamp: 202103171637
Number of IP ranges: 10
38.114.207.0-38.114.207.255 geo_id(3591) black list(0x0) proto(6) port(21 990)
38.118.213.0-38.118.213.255 geo_id(3388) black list(0x0) proto(6) port(21 990)
52.52.208.118-52.52.208.118 geo_id(13239) black list(0x0) proto(6) port(21 990)
54.215.174.57-54.215.174.57 geo_id(13239) black list(0x0) proto(6) port(21 990)
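Because dumping a large service on a small unit is risky, it is often better to capture the dump once and answer match questions offline. The parser below is an added example for this article (not Fortinet code): it reads the entry lines of a `diagnose internet-service id <id>` dump and provides an offline analogue of `diagnose internet-service match` for the parsed services, plus a summary of the ports a service covers. SAMPLE_DUMP is the MediaFire-FTP excerpt above (4 of its 10 ranges). Two details are assumptions of this example, not documented behaviour: that a port field may contain "a-b" ranges, and that port(0) means "any port" (mirroring the "Protocol: 17 Port: 0" line in the id-summary output later in this article).

```python
"""Offline parser for `diagnose internet-service id <id>` dumps with a matcher
that mimics `diagnose internet-service match`. Added example for this
article, not Fortinet code. Assumptions: port fields may contain "a-b"
ranges, and port(0) means any port."""
import ipaddress
import re

# Constructed from the MediaFire-FTP excerpt in the article (4 of 10 ranges).
SAMPLE_DUMP = """\
Internet Service: 11796487(MediaFire-FTP)
Version: 00007.01406
Timestamp: 202103171637
Number of IP ranges: 10
38.114.207.0-38.114.207.255 geo_id(3591) black list(0x0) proto(6) port(21 990)
38.118.213.0-38.118.213.255 geo_id(3388) black list(0x0) proto(6) port(21 990)
52.52.208.118-52.52.208.118 geo_id(13239) black list(0x0) proto(6) port(21 990)
54.215.174.57-54.215.174.57 geo_id(13239) black list(0x0) proto(6) port(21 990)
"""

HEADER_RE = re.compile(r"Internet Service:\s*(\d+)\((.+?)\)")
ENTRY_RE = re.compile(
    r"^(\S+)-(\S+)\s+geo_id\((\d+)\)\s+black list\((0x[0-9a-fA-F]+)\)"
    r"\s+proto\((\d+)\)\s+port\(([^)]*)\)$")


def parse_ports(spec):
    """'21 990' -> {21, 990}; '1-3 5' -> {1, 2, 3, 5}; '0' -> None (any port; assumed)."""
    ports = set()
    for tok in spec.split():
        if "-" in tok:
            a, b = (int(x) for x in tok.split("-", 1))
            ports.update(range(a, b + 1))
        else:
            ports.add(int(tok))
    return None if ports == {0} else ports


def parse_isdb_dump(text):
    """Return {"id", "name", "entries": [...]} for one service dump.
    Each entry holds the IP range as integers plus geo_id, blacklist flags,
    protocol number and the parsed port set."""
    header = HEADER_RE.search(text)
    if not header:
        raise ValueError("no 'Internet Service: <id>(<name>)' header found")
    service = {"id": int(header.group(1)), "name": header.group(2), "entries": []}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        first, last, geo, blacklist, proto, ports = m.groups()
        service["entries"].append({
            "first": int(ipaddress.IPv4Address(first)),
            "last": int(ipaddress.IPv4Address(last)),
            "geo_id": int(geo),
            "blacklist": int(blacklist, 16),
            "proto": int(proto),
            "ports": parse_ports(ports),
        })
    return service


def match(services, ip, proto, port):
    """Offline analogue of `diagnose internet-service match`: for every parsed
    service, count the IP ranges that contain ip for this proto/port and return
    [(id, name, matched_ranges)] for the services with at least one hit."""
    addr = int(ipaddress.IPv4Address(ip))
    hits = []
    for svc in services:
        n = sum(1 for e in svc["entries"]
                if e["first"] <= addr <= e["last"]
                and e["proto"] == proto
                and (e["ports"] is None or port in e["ports"]))
        if n:
            hits.append((svc["id"], svc["name"], n))
    return hits


def service_ports(service):
    """{protocol: set of ports} covered by the service; None means any port."""
    out = {}
    for e in service["entries"]:
        if e["ports"] is None:
            out[e["proto"]] = None
        elif out.get(e["proto"], set()) is not None:
            out.setdefault(e["proto"], set()).update(e["ports"])
    return out


if __name__ == "__main__":
    svc = parse_isdb_dump(SAMPLE_DUMP)
    print(match([svc], "38.114.207.10", 6, 21))   # [(11796487, 'MediaFire-FTP', 1)]
    print(service_ports(svc))                      # {6: {21, 990}}
```

Several dumps can be passed to `match` at once, which reproduces the multi-service answer of the on-box command (the 40.77.226.249 example above) without the unit having to walk the database again.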
5) How to list all the ports included in an ISDB service (FortiOS 6.0 only).
# diagnose internet-service id-summary 327786

Version: 00007.00048
Timestamp: 201909091430
Number of Internet Service entries: 2807
Internet Service: 327786(Microsoft-Azure) Number of entries: 2
Offset: 2089229
        Protocol: 6 Port: 22 80 443 445 990 1270 1433 2443 3260 3306 3389 5172 5432 5671 5672 5985 7990 7999 8080 8085 8443 9350 9351 9352 9353 9354 9450 9451 9452 9453 9454 IP range(10959) IP numbers(50882)
        Protocol: 17 Port: 0 IP range(10959) IP numbers(50882)
6) How to extend an ISDB service with additional IP addresses.
First define the extra address as a firewall address object, reference it from a custom Internet Service, then use both the ISDB service and the custom service in the policy:
# config firewall address
    edit "40-77-226-250"
        set subnet 40.77.226.250 255.255.255.255
    next
end
# config firewall internet-service-custom
    edit "custom-IP-for-Azure"
        set comment ''
        config entry
            edit 1
                config port-range
                    edit 1
                    next
                end
                set dst "40-77-226-250"
            next
        end
    next
end

# config firewall policy
    edit 1
       set srcintf "wan1"
       set dstintf "wan2"
       set srcaddr "all"
       set internet-service enable
       set internet-service-id 327786                        <-------- Microsoft.Azure.
       set internet-service-custom "custom-IP-for-Azure"     <-------- 40.77.226.250/32.
       set action accept
       set schedule "always"
       set nat enable
    next
end
Note that from FortiOS 6.2 onwards the policy references ISDB entries by name (set internet-service-name "Microsoft-Azure") instead of set internet-service-id.

Another possibility is to set master-service-id on the custom Internet Service, so that the custom entry extends the existing ISDB entry and only the custom service needs to be referenced in the policy:
# config firewall internet-service-custom
    edit "MyCustom_ISDB_Service"
        set master-service-id 327786
        set comment ''
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                    next
                end
                set dst "40-77-226-250"
            next
        end
    next
end

# config firewall policy
    edit 1
       set srcintf "wan1"
       set dstintf "wan2"
       set srcaddr "all"
       set internet-service enable
       set internet-service-custom "MyCustom_ISDB_Service"      <----- 40.77.226.250/32
       set action accept
       set schedule "always"
       set nat enable
    next
end
7) How to extend an ISDB service with additional ports (only in FortiOS 6.2).

If a port is missing from the service you want to use, add it with internet-service-addition, keyed by the ISDB ID of that service.

Example: add TCP ports 10001-10300 to the ISDB service Microsoft-Azure:
# config firewall internet-service-addition
    edit 327786
        set comment ''
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 10001
                        set end-port 10300
                    next
                end
            next
        end
    next
end
In FortiOS 6.0, check that the ports have been added; the new range 10001-10300 appears at the end of the port list:
# diagnose firewall internet-service list 327786 | grep Azure
name=Microsoft-Azure, id=327786 flags=0x1 order-ip-range protocol=6 port=22-22 80-80 443-443 445-445 990-990 1270-1270 1433-1433 2443-2443 3260-3260 3306-3306 3389-3389 5172-5172 5432-5432 5671-5671 5672-5672 5985-5985 7990-7990 7999-7999 8080-8080 8085-8085 8443-8443 9350-9350 9351-9351 9352-9352 9353-9353 9354-9354 9450-9450 9451-9451 9452-9452 9453-9453 9454-9454 10001-10300
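Reading a port list of that length by eye is error-prone, so here is a small checker, an added example for this article and not Fortinet code, that parses the `diagnose firewall internet-service list` line(s), coalesces the printed port ranges and confirms that a whole added range is covered for the expected protocol. AFTER is the output line shown above; BEFORE is a constructed, shortened version of the same line as it would look before the addition.

```python
"""Verify that a port addition is visible in `diagnose firewall internet-service
list <id>` output. Added example for this article, not Fortinet code.
AFTER is the line from the article; BEFORE is a constructed pre-addition line."""
import re

BEFORE = ("name=Microsoft-Azure, id=327786 flags=0x1 order-ip-range protocol=6 "
          "port=22-22 80-80 443-443 445-445 990-990 1270-1270 1433-1433")
AFTER = ("name=Microsoft-Azure, id=327786 flags=0x1 order-ip-range protocol=6 "
         "port=22-22 80-80 443-443 445-445 990-990 1270-1270 1433-1433 2443-2443 "
         "3260-3260 3306-3306 3389-3389 5172-5172 5432-5432 5671-5671 5672-5672 "
         "5985-5985 7990-7990 7999-7999 8080-8080 8085-8085 8443-8443 9350-9350 "
         "9351-9351 9352-9352 9353-9353 9354-9354 9450-9450 9451-9451 9452-9452 "
         "9453-9453 9454-9454 10001-10300")

LIST_RE = re.compile(
    r"name=(?P<name>[^,]+),\s*id=(?P<id>\d+).*?protocol=(?P<proto>\d+)\s+port=(?P<ports>[\d\- ]+)")


def parse_list_output(text):
    """One record per matching line: {"name", "id", "proto", "ranges"}, where
    ranges is a list of (start, end) tuples exactly as printed (22-22, 10001-10300)."""
    records = []
    for line in text.splitlines():
        m = LIST_RE.search(line)
        if not m:
            continue
        ranges = []
        for tok in m["ports"].split():
            a, _, b = tok.partition("-")
            ranges.append((int(a), int(b or a)))
        records.append({"name": m["name"].strip(), "id": int(m["id"]),
                        "proto": int(m["proto"]), "ranges": ranges})
    return records


def merge_ranges(ranges):
    """Sort and coalesce overlapping or adjacent (start, end) ranges."""
    merged = []
    for a, b in sorted(ranges):
        if merged and a <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], b))
        else:
            merged.append((a, b))
    return merged


def covers(ranges, start, end):
    """True if every port in start..end lies inside the merged ranges."""
    return any(a <= start and end <= b for a, b in merge_ranges(ranges))


def verify_addition(text, service_id, proto, start, end):
    """True if the listed service has an entry for proto covering start..end."""
    return any(r["id"] == service_id and r["proto"] == proto
               and covers(r["ranges"], start, end)
               for r in parse_list_output(text))


if __name__ == "__main__":
    print(verify_addition(BEFORE, 327786, 6, 10001, 10300))   # False
    print(verify_addition(AFTER, 327786, 6, 10001, 10300))    # True
```

Coalescing matters: the addition is printed as a single 10001-10300 token here, but a range split across several printed tokens should still count as covered, and a gap inside the range should fail the check.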
8) Why is an IP address not in the expected service?

ISDB collects IP addresses from several sources, such as:

• FortiCloud application control logs,
• Fortinet DNS logs,
• DNS lookups from several geolocations,
• SSL certificate scanning,
• vendor announcements, etc.

IP addresses collected for different applications may overlap, i.e. the same IP address shows up in both application A and application B. ISDB does not allow this: in the current ISDB, one 3-tuple (IP + protocol + port) can belong to only one ISDB object.

In the next ISDB generation for FortiOS 6.2, one 3-tuple may belong to multiple ISDB objects, because a weight is introduced for each entry so that FortiOS can choose between them based on the weight value.

So when an ISDB package is built, such conflicts are detected first and one object is chosen for the 3-tuple, by the following logic:

  1) Cloud platform applications such as Azure, Google Cloud and AWS have low priority.
  2) DNS lookup and SSL certificate scanning results have high priority.

This is why an address that sits in a cloud provider's published ranges may appear under a more specific service instead of under the cloud platform entry.

9) Why is the ISDB database empty?
- Make sure the unit has connectivity to the FortiGuard servers.
- If this happened after a firmware upgrade, once connectivity is confirmed, either wait for the next scheduled update or trigger one manually with: exec update-now (then re-check with diag autoupdate version, as in point 1).
- Reboot the unit after connectivity is restored (if the GUI shows a disk scan warning, run the scan, which will reboot the unit).

10) How to contact the ISDB team

It is possible to contact them here.
