FortiGate
Anthony_E
Community Manager
Article Id 193147

Description


FortiOS 6.2 introduces the flexibility to tune Internet Service DB (ISDB) entries for a specific environment.
This article describes the CLI option that allows the admin to add custom ports and port ranges to predefined ISDB entries.

 

These objects cover the relevant ports by default, including but not limited to the following:

- 'Malicious-Malicious.Server' and 'Phishing-Phishing.Server' for Web services.

- 'Spam-Spamming.Server' for email services.

- 'VPN-Anonymous.VPN' for VPN services.

This option allows other ports to be added if desired, so that additional protocols or ports can be blocked.

 

Scope

 

FortiOS 6.2 and above.


Solution


Use the CLI command 'config firewall internet-service-addition' in the global configuration to tune the ISDB for the user environment.

To add a custom port range in global (this example extends ISDB entry 65646 with TCP ports 8080-8090):

 

# config firewall internet-service-addition
    edit 65646
        set comment "Add custom port-range:tcp/8080-8090 into 65646"
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 8080
                        set end-port 8090
                    next
                end
            next
        end
    next
end

 

Use the following command to apply the change:

# execute internet-service refresh

 

Warning: Configuration will only be applied after rebooting or using the 'execute internet-service refresh' command.

Use the following command to verify that the change was applied:

# diagnose internet-service info
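To produce the same configuration for several protocols or port ranges at once, the following Python helper (added here as an example; it is not FortiOS or Fortinet code) renders a 'config firewall internet-service-addition' block with the structure shown above and validates the port numbers before anything is pasted into the CLI. The protocol numbers 6 (TCP) and 17 (UDP) are the standard IP protocol values used by 'set protocol'; the rendered text still has to be applied with 'execute internet-service refresh'.

```python
"""Render FortiOS 'config firewall internet-service-addition' CLI blocks.

Assumed helper (not part of FortiOS): one 'entry' is emitted per protocol,
with one 'port-range' per (start, end) pair, mirroring the CLI layout.
"""
from dataclasses import dataclass, field

PROTO = {"tcp": 6, "udp": 17}  # IP protocol numbers accepted by 'set protocol'


@dataclass
class Addition:
    isdb_id: int          # predefined ISDB entry ID being extended, e.g. 65646
    comment: str          # free-text comment stored with the addition
    ranges: dict = field(default_factory=dict)  # proto -> [(start, end), ...]

    def add_range(self, proto: str, start: int, end: int) -> None:
        """Record a port range, rejecting unknown protocols and invalid ports."""
        if proto not in PROTO:
            raise ValueError(f"unsupported protocol {proto!r}")
        if not (1 <= start <= end <= 65535):
            raise ValueError(f"bad port range {start}-{end}")
        self.ranges.setdefault(proto, []).append((start, end))

    def render(self) -> str:
        """Return the CLI block as text ready to paste into the FortiGate CLI."""
        if '"' in self.comment:
            raise ValueError("comment must not contain double quotes")
        lines = ["config firewall internet-service-addition",
                 f"    edit {self.isdb_id}",
                 f'        set comment "{self.comment}"',
                 "        config entry"]
        for n, (proto, prs) in enumerate(self.ranges.items(), 1):
            lines += [f"            edit {n}",
                      f"                set protocol {PROTO[proto]}",
                      "                config port-range"]
            for m, (start, end) in enumerate(sorted(prs), 1):
                lines += [f"                    edit {m}",
                          f"                        set start-port {start}",
                          f"                        set end-port {end}",
                          "                    next"]
            lines += ["                end", "            next"]
        lines += ["        end", "    next", "end"]
        return "\n".join(lines)


if __name__ == "__main__":
    # Reproduces the article's example: TCP 8080-8090 added to ISDB entry 65646.
    a = Addition(65646, "Add custom port-range:tcp/8080-8090 into 65646")
    a.add_range("tcp", 8080, 8090)
    print(a.render())
```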

 

Exception

 

Most of the objects are customizable, with the exception of 'Botnet-C&C.Server' and 'Tor-Relay.Node'. These services use different ports for different IP addresses, so their entries are stored as 3-tuples of IP-protocol-port instead of an IP address range with a predefined port list, and custom ports cannot be added to them.

 

Related Articles

 

- 7.2 Documentation

- Technical Tip: Verifying which Internet Service database type and version installed on FortiOS-based...

- Technical Tip: Error message 'ISDB001 is unauthorized' when running FortiGuard updates debug