FortiGate
guptar
Staff
Article Id 194251

Description
This article explains how to create a custom IPv4 policy for a specific destination.

Solution
From FortiOS 5.6, it is possible to create an IPv4 policy for specific destination traffic using the Internet Service Database.

GUI:


On the policy listing page, when an Internet Service object is used, it appears in both the Destination and Service columns.
On the policy editing page, the Destination field now has two types: Address and Internet Service.

 
 

The above policy allows Microsoft Office 365 and Skype traffic.
Because this is a custom policy, it should be placed on top of all other existing LAN-WAN policies.
There is an either-or relationship between Internet Service objects and destination address and service combinations in firewall policies. This means that the destination can be specified in a policy either as a destination address and service or as an Internet Service, not both.

CLI:

The related CLI options/syntax are:

# config firewall policy
    edit 1
        set internet-service 1 5 10
        set internet-service-custom test
        set internet-service-negate [enable|disable]
end
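
The two rules above (an Internet Service policy must not also set a destination address or service, and it should sit above the other policies for the same interfaces) can be checked against a configuration backup. The following Python sketch is an added example, not Fortinet code; the sample configuration, interface names, policy IDs and address name are constructed, and it assumes policies are evaluated in the order they appear in the file.

```python
import re
# Constructed sample in the article's CLI syntax; names and IDs are made up.
SAMPLE_CONFIG = """\
config firewall policy
    edit 3
        set srcintf "lan"
        set dstintf "wan1"
        set dstaddr "all"
    next
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set internet-service 1 5 10
    next
    edit 7
        set srcintf "lan"
        set dstintf "wan1"
        set internet-service 1 5 10
        set dstaddr "mail-server"
    next
end
"""

def parse_policies(text):
    """Return policies in config order as dicts, e.g. {'id': '3', 'dstaddr': '"all"'}."""
    policies, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"edit (\d+)", line):
            policies.append(current := {"id": m.group(1)})
        elif current is not None and (m := re.fullmatch(r"set (\S+) (.+)", line)):
            current[m.group(1)] = m.group(2)
        elif line in ("next", "end"):
            current = None
    return policies

def audit(policies):
    """Flag mixed policies and Internet Service policies placed below ordinary ones."""
    findings, ordinary_seen = [], set()
    for p in policies:
        pair = (p.get("srcintf"), p.get("dstintf"))
        uses_isdb = "internet-service" in p or "internet-service-custom" in p
        if uses_isdb and ("dstaddr" in p or "service" in p):
            findings.append((p["id"], "mixes Internet Service with dstaddr/service"))
        if uses_isdb and pair in ordinary_seen:
            findings.append((p["id"], "below an address-based policy for the same interfaces"))
        if not uses_isdb:
            ordinary_seen.add(pair)
    return findings
```

Calling `audit(parse_policies(SAMPLE_CONFIG))` reports policy 1 as misplaced and policy 7 as both mixed and misplaced.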

 

Related Articles

Technical Note: Internet Service Database - List of services, IP ranges, ports and protocols
