FortiGate
mmaubert (Staff)
Article Id 198547
Description
This article describes a technical tip for defining and using the internet service extension feature.
As a reminder, this feature allows adding IP address(es) and port range(s) to, and/or removing them from, an existing predefined internet service entry.
Using an extension-type internet service therefore means editing a predefined internet service entry and adding IP address(es) and port range(s) to it, or removing them from it.


Solution
Note that, while internet service database objects are globally defined, the internet service extension is a VDOM-level feature.
In other words, extensions are configured and applied on a per-VDOM basis only.

Adding an IP address / port range to a predefined Internet Service entry.

As per the documentation, creating an internet service extension requires configuring the IP address or IP range, the protocol number, and the port or port range via the CLI (this cannot currently be done from the GUI).

Based on this, adding the IP address range 10.10.10.0-10.10.10.0 with the TCP port range 8080-8081 to the predefined Internet Service 'Google-Gmail' in VDOM 'VD-1' is done with the following command set.

1) Retrieve the identifier of the 'Google-Gmail' Internet Service (65646). 
# diagnose internet-service id | grep Google-Gmail
ID: 65646 name: "Google-Gmail"

FGT (global) #
2) Define the IP address range '10.10.10.0-10.10.10.0' using a firewall address object.
# config firewall address
    edit "ISDB-Range-1"
        set type iprange
        set start-ip 10.10.10.0
        set end-ip 10.10.10.0
    next
end
3) Extend the 'Google-Gmail' internet service using the 'internet-service-extension' command.
# config firewall internet-service-extension
    edit 65646
        set comment ''
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 8080
                        set end-port 8081
                    next
                end
                set dst "ISDB-Range-1"
            next
        end
    next
end
4) Once the configuration change is applied, the following message is displayed to indicate what needs to be done to make the change effective.

Warning:
Configuration will only be applied after rebooting or using the '#execute internet-service refresh' command.


5) Refresh the internet service database using the "exec internet-service refresh" global-level command.
# exec internet-service refresh
Internet Service database is refreshed.
6) Verify that the new entry was added at the VDOM level to the predefined 'Google-Gmail' internet service.
# diagnose firewall internet-service-extension list
List internet service in kernel(custom):
name=Google-Gmail id=65646 reputation=5 Known and verified safe sites such as Gmail, Amazon, eBay, etc. singularity=0 flags=0x0 protocol=6 port=8080-8081
addr ip range(1): 10.10.10.0-10.10.10.0
7) The extended 'Google-Gmail' internet service can be referenced in a VDOM-level firewall policy with the following commands.
# config firewall policy
    edit 1
        …
            set internet-service enable
            set internet-service-id 65646
        …
    next
end
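Checking step 6 by eye works for one entry, but an audit over several VDOMs is easier with a parser. The following Python script is an added example, not part of this article or of FortiOS: it parses text in the format printed by 'diagnose firewall internet-service-extension list' (as shown in step 6) and confirms that the expected protocol, port range and IP range are present for a service ID. SAMPLE_OUTPUT is constructed from that format; the second service ('Example-Service', ID 99999) and the function names are assumptions made for the example.

```python
"""Check that an internet service extension was applied, by parsing the
output of 'diagnose firewall internet-service-extension list'.

Added example, not part of the Fortinet article or FortiOS.  SAMPLE_OUTPUT is
constructed from the output format shown in the article; the second service
('Example-Service', ID 99999) is invented for the example.
"""
import re
from ipaddress import ip_address

# Constructed sample, in the format the article shows for step 6.
SAMPLE_OUTPUT = """\
List internet service in kernel(custom):
name=Google-Gmail id=65646 reputation=5 Known and verified safe sites such as Gmail, Amazon, eBay, etc. singularity=0 flags=0x0 protocol=6 port=8080-8081
addr ip range(1): 10.10.10.0-10.10.10.0
name=Example-Service id=99999 reputation=5 Constructed entry. singularity=0 flags=0x0 protocol=17 port=53-53
addr ip range(2): 192.0.2.10-192.0.2.20 198.51.100.0-198.51.100.255
"""

# One header line per extension entry, followed by its 'addr ip range' line.
HEADER_RE = re.compile(
    r"^name=(?P<name>\S+) id=(?P<id>\d+) .*?protocol=(?P<proto>\d+) "
    r"port=(?P<lo>\d+)-(?P<hi>\d+)\s*$"
)
ADDR_RE = re.compile(r"^addr ip range\((?P<count>\d+)\):\s*(?P<ranges>.*)$")
RANGE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")


def parse_extension_list(text):
    """Return {service_id: {"name": str, "entries": [entry, ...]}} where each
    entry has 'protocol', 'ports' (lo, hi) and 'ip_ranges' [(start, end), ...]."""
    services, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            sid = int(m.group("id"))
            current = {"protocol": int(m.group("proto")),
                       "ports": (int(m.group("lo")), int(m.group("hi"))),
                       "ip_ranges": []}
            svc = services.setdefault(sid, {"name": m.group("name"), "entries": []})
            svc["entries"].append(current)
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            ranges = [(ip_address(a), ip_address(b))
                      for a, b in RANGE_RE.findall(m.group("ranges"))]
            # The count in parentheses must match what was actually listed.
            if len(ranges) != int(m.group("count")):
                raise ValueError(f"range count mismatch: {line!r}")
            current["ip_ranges"].extend(ranges)
    return services


def extension_present(services, service_id, protocol, start_port, end_port,
                      start_ip, end_ip):
    """True if service_id has an entry with exactly this protocol, port range
    and IP range (the tuple the article configures in steps 2 and 3)."""
    svc = services.get(service_id)
    if svc is None:
        return False
    want = (ip_address(start_ip), ip_address(end_ip))
    return any(e["protocol"] == protocol and e["ports"] == (start_port, end_port)
               and want in e["ip_ranges"] for e in svc["entries"])


if __name__ == "__main__":
    parsed = parse_extension_list(SAMPLE_OUTPUT)
    for sid, svc in parsed.items():
        for e in svc["entries"]:
            ranges = ", ".join(f"{a}-{b}" for a, b in e["ip_ranges"])
            print(f"{svc['name']} ({sid}): proto {e['protocol']} "
                  f"ports {e['ports'][0]}-{e['ports'][1]} -> {ranges}")
    print("Google-Gmail extension applied:",
          extension_present(parsed, 65646, 6, 8080, 8081, "10.10.10.0", "10.10.10.0"))
```

Feed it the captured output of the diagnose command from each VDOM; the range-count check guards against a truncated capture being mistaken for a correctly applied extension.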
Removing an IP address / port range from a predefined Internet Service entry.

Unlike the addition, the removal of an IP address / port range from a predefined internet service cannot be done from the CLI; it must be done from the GUI.

1) Open the internet service database of VDOM 'VD-1' and search for the 'Google-Gmail' internet service (65646).

2) Edit the 'Google-Gmail' internet service and remove all protocol entries for IP address range '1.1.1.0-1.1.1.0' from it by changing the IP address range 'Status' from enabled to disabled.

3) Display the resulting internet service extension in VDOM 'VD-1' using the 'internet-service-extension' command.
# config firewall internet-service-extension
    edit 65646
        set comment ''
        config disable-entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 25
                        set end-port 25
                    next
                    edit 2
                        set start-port 80
                        set end-port 80
                    next
                    edit 3
                        set start-port 110
                        set end-port 110
                    next
                    edit 4
                        set start-port 143
                        set end-port 143
                    next
                    edit 5
                        set start-port 443
                        set end-port 443
                    next
                    edit 6
                        set start-port 465
                        set end-port 465
                    next
                    edit 7
                        set start-port 587
                        set end-port 587
                    next
                    edit 8
                        set start-port 993
                        set end-port 993
                    next
                    edit 9
                        set start-port 995
                        set end-port 995
                    next
                    edit 10
                        set start-port 2525
                        set end-port 2525
                    next
                    edit 11
                        set start-port 5222
                        set end-port 5242
                    next
                    edit 12
                        set start-port 19305
                        set end-port 19309
                    next
                end
                config ip-range
                    edit 1
                        set start-ip 1.1.1.0
                        set end-ip 1.1.1.0
                    next
                end
            next
            edit 2
                set protocol 17
                config port-range
                    edit 1
                    next
                end
                config ip-range
                    edit 1
                        set start-ip 1.1.1.0
                        set end-ip 1.1.1.0
                    next
                end
            next
        end
    next
end
Disabling the IP address range '1.1.1.0-1.1.1.0' for the 'Google-Gmail' internet service in the GUI was translated by FortiOS into an internet service extension (see the 'config disable-entry' section for internet service ID 65646).

4) The extended 'Google-Gmail' internet service can be referenced in a VDOM-level firewall policy with the following commands.
# config firewall policy
    edit 1
        …
            set internet-service enable
            set internet-service-id 65646
        …
    next
end
Note:
Unlike an addition, the removal of an IP address / port range from a predefined internet service entry is not displayed by the 'diagnose firewall internet-service-extension list' command.
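Because the diagnose command does not show removals, the way to audit what a VDOM has changed in the predefined database is to read its 'config firewall internet-service-extension' section (for example the output of 'show firewall internet-service-extension'). The Python script below is an added example, not part of this article or of FortiOS: it parses FortiOS config/edit/set/next/end text into nested dictionaries and reports, per service ID, the 'entry' additions and the 'disable-entry' removals. SAMPLE_CONFIG is constructed to match the layout shown in this article (including the empty UDP port-range table from step 3); the function names are assumptions made for the example.

```python
# Audit a VDOM's 'config firewall internet-service-extension' text: report, per
# service ID, what was added ('config entry') and what was disabled
# ('config disable-entry').  Added example, not part of the article or FortiOS;
# the sample below is constructed to match the layout shown in the article.
import shlex

SAMPLE_CONFIG = """\
config firewall internet-service-extension
    edit 65646
        set comment ''
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 8080
                        set end-port 8081
                    next
                end
                set dst "ISDB-Range-1"
            next
        end
        config disable-entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 25
                        set end-port 25
                    next
                end
                config ip-range
                    edit 1
                        set start-ip 1.1.1.0
                        set end-ip 1.1.1.0
                    next
                end
            next
            edit 2
                set protocol 17
                config port-range
                    edit 1
                    next
                end
            next
        end
    next
end
"""


def parse_fortios_config(text):
    """Turn config/edit/set/next/end lines into nested dicts.

    A 'config' block maps edit keys to tables; a table maps each 'set' key to
    its value list and each nested 'config' name to a sub-block.
    """
    root = {}
    stack = [root]  # stack[-1] is the container currently being filled
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit/next/end")
    return root


def _ranges(block, lo, hi, conv):
    # Edit tables with no 'set' lines (the UDP case in the article) are skipped.
    return [(conv(t[lo][0]), conv(t[hi][0]))
            for _, t in sorted(block.items(), key=lambda kv: int(kv[0])) if lo in t]


def _entries(block):
    return [{"protocol": int(e["protocol"][0]),
             "ports": _ranges(e.get("port-range", {}), "start-port", "end-port", int),
             "dst": e.get("dst", []),
             "ip_ranges": _ranges(e.get("ip-range", {}), "start-ip", "end-ip", str)}
            for _, e in sorted(block.items(), key=lambda kv: int(kv[0]))]


def audit_extensions(text):
    """Return {service_id: {"added": [...], "disabled": [...]}}."""
    root = parse_fortios_config(text)
    return {int(sid): {"added": _entries(svc.get("entry", {})),
                       "disabled": _entries(svc.get("disable-entry", {}))}
            for sid, svc in root.get("firewall internet-service-extension", {}).items()}


if __name__ == "__main__":
    for sid, info in audit_extensions(SAMPLE_CONFIG).items():
        print(sid, "added:", info["added"])
        print(sid, "disabled:", info["disabled"])
```

Run it against the 'show' output of each VDOM; a service ID appearing under 'disabled' is one whose predefined scope has been narrowed in that VDOM, which the diagnose listing alone would not reveal.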
