Using Internet Service in policy

This topic shows how to apply a predefined Internet Service entry into a policy.

The Internet Service Database is a comprehensive public IP address database that combines IP address range, IP owner, service port number, and IP security credibility. The data comes from the FortiGuard service system. Information is regularly added to this database, for example geographic location, IP reputation, popularity and DNS, and so on. All this information helps users define Internet security more effectively. You can use the contents of the database as criteria for inclusion or exclusion in a policy.

From FortiOS version 5.6, Internet Service is included in the firewall policy. It can be applied to a policy only as a destination object. From version 6.0, Internet Service can be applied both as source and destination objects in a policy. You can also apply Internet Services to shaping policy.

There are three types of Internet Services you can apply to a firewall policy:

  • Predefined Internet Services
  • Custom Internet Services
  • Extension Internet Services

Sample configuration

To apply a predefined Internet Service entry to a policy using the GUI:
  1. Go to Policy & Objects and create a new policy.
  2. In the Source or Destination field, click +.
  3. In the Select Entries pane, click Internet Service.
  4. Locate and click Google.Gmail.
  5. Configure the other fields and then click OK.

To apply a predefined Internet Service entry to a policy using the CLI:

In the CLI, enable internet-service first and then reference the service's ID in the policy.

This example uses Google Gmail, whose ID is 65646. Each Internet Service has a unique ID.

config firewall policy
    edit 9
        set name "Internet Service in Policy"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-id 65646
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "g-default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end

To diagnose an Internet Service entry using the CLI:
# diagnose internet-service id-summary 65646
Version: 0000600096
Timestamp: 201902111802
Total number of IP ranges: 444727
Number of Groups: 7
Group(0), Singularity(20), Number of IP ranges(142740)
Group(1), Singularity(19), Number of IP ranges(1210)
Group(2), Singularity(16), Number of IP ranges(241)
Group(3), Singularity(15), Number of IP ranges(38723)
Group(4), Singularity(10), Number of IP ranges(142586)
Group(5), Singularity(8), Number of IP ranges(5336)
Group(6), Singularity(6), Number of IP ranges(113891)

Internet Service: 65646(Google.Gmail)
Number of IP range: 60
Number of IP numbers: 322845
Singularity: 15
Reputation: 5(Known and verified safe sites such as Gmail, Amazon, eBay, etc.)
Icon Id: 510
Second Level Domain: 53(gmail.com)
Direction: dst
Information source: isdb
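The diagnose output above is what an operator reads by eye before trusting an ID in a policy. The following Python script is an added example, not Fortinet code: it parses that id-summary output (the sample embedded in it is the one printed on this page for ID 65646) and runs the checks a defender would want before the CLI policy above goes live: the ID the policy references is the service the firewall reports, the entry is meant for the side of the policy it is placed on (Direction), it comes from the FortiGuard ISDB, its reputation meets a threshold, the database timestamp is not stale, and the per-group range counts add up to the stated total. The threshold values and the freshness window are assumptions for illustration.

```python
"""Parse `diagnose internet-service id-summary <id>` output and sanity-check
the entry before a firewall policy depends on it.

Added example, not Fortinet's code. SAMPLE_OUTPUT is the output shown on the
page for ID 65646 (Google.Gmail). The minimum reputation and the freshness
window used in check_entry() are assumptions.
"""
import re
from datetime import datetime, timedelta

# Output captured on the page, embedded here so the example runs offline.
SAMPLE_OUTPUT = """\
Version: 0000600096
Timestamp: 201902111802
Total number of IP ranges: 444727
Number of Groups: 7
Group(0), Singularity(20), Number of IP ranges(142740)
Group(1), Singularity(19), Number of IP ranges(1210)
Group(2), Singularity(16), Number of IP ranges(241)
Group(3), Singularity(15), Number of IP ranges(38723)
Group(4), Singularity(10), Number of IP ranges(142586)
Group(5), Singularity(8), Number of IP ranges(5336)
Group(6), Singularity(6), Number of IP ranges(113891)
Internet Service: 65646(Google.Gmail)
Number of IP range: 60
Number of IP numbers: 322845
Singularity: 15
Reputation: 5(Known and verified safe sites such as Gmail, Amazon, eBay, etc.)
Icon Id: 510
Second Level Domain: 53(gmail.com)
Direction: dst
Information source: isdb
"""

GROUP_RE = re.compile(r"^Group\((\d+)\), Singularity\((\d+)\), Number of IP ranges\((\d+)\)$")
KV_RE = re.compile(r"^([^:]+):\s*(.*)$")
NUM_LABEL_RE = re.compile(r"^(\d+)\((.+)\)$")   # e.g. "65646(Google.Gmail)"


def _stamp(value):
    """Parse the YYYYMMDDHHMM timestamp format the firewall prints."""
    return datetime.strptime(value, "%Y%m%d%H%M")


def parse_id_summary(text):
    """Return a dict with the database header, the Group lines and the entry fields.

    Keys are the printed field names lower-cased with underscores, e.g.
    "internet_service"; "number(label)" values are split into the number and a
    "<key>_label" entry.
    """
    summary = {"groups": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GROUP_RE.match(line)
        if m:
            summary["groups"].append(
                {"group": int(m[1]), "singularity": int(m[2]), "ip_ranges": int(m[3])})
            continue
        m = KV_RE.match(line)
        if not m:
            continue   # unknown line shape: skip rather than guess
        key = m[1].strip().lower().replace(" ", "_")
        value = m[2].strip()
        nl = NUM_LABEL_RE.match(value)
        if nl:
            summary[key] = int(nl[1])
            summary[key + "_label"] = nl[2]
        elif key == "timestamp":
            summary[key] = _stamp(value)
        elif value.isdigit() and key != "version":   # keep "0000600096" verbatim
            summary[key] = int(value)
        else:
            summary[key] = value
    return summary


def check_entry(summary, expected_id, used_as="dst", min_reputation=5,
                max_age_days=30, now=None):
    """Return a list of problems; an empty list means the entry is fit for the policy.

    `used_as` is the side of the policy the service sits on ("src" or "dst").
    `now` may be a datetime or a YYYYMMDDHHMM string; default is the current time.
    """
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = _stamp(now)
    problems = []
    found = summary.get("internet_service")
    if found != expected_id:
        problems.append(f"entry id {found} does not match policy id {expected_id}")
    if summary.get("reputation", 0) < min_reputation:
        problems.append(f"reputation {summary.get('reputation')} is below {min_reputation}")
    if used_as not in summary.get("direction", ""):
        problems.append(f"direction '{summary.get('direction')}' does not cover '{used_as}'")
    if summary.get("information_source") != "isdb":
        problems.append("entry does not come from the FortiGuard ISDB")
    if "timestamp" in summary and now - summary["timestamp"] > timedelta(days=max_age_days):
        problems.append(f"database stamped {summary['timestamp']:%Y-%m-%d} is older than {max_age_days} days")
    # Internal consistency: the Group lines should account for the whole database.
    if summary.get("number_of_groups") != len(summary["groups"]):
        problems.append("group count does not match the Group lines")
    if sum(g["ip_ranges"] for g in summary["groups"]) != summary.get("total_number_of_ip_ranges"):
        problems.append("per-group IP range counts do not sum to the total")
    return problems


if __name__ == "__main__":
    s = parse_id_summary(SAMPLE_OUTPUT)
    print(s["internet_service"], s["internet_service_label"], "-", s["reputation_label"])
    # Evaluate the page's 2019 snapshot as of the day after its timestamp.
    print(check_entry(s, 65646, now="201902120000"))
```

Run against the page's output with a 2019 clock the checks all pass; run with today's clock the same entry is reported as stale, which is the point: an ISDB entry is only as good as the last FortiGuard update the unit received, so the timestamp belongs in the pre-deployment check alongside the ID.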

Result

Because the IP addresses and services related to Google Gmail on the Internet are included in this Internet Service (65646), all traffic to Google Gmail is forwarded by this policy.