FortiGate
sreddi
Staff
Article Id 194297

Description
This article describes how to configure Internet Service Database (ISDB) objects with geographical information and use them in a firewall policy.
Geographic-based ISDB objects allow users to define a country, region, and city.
These objects can be used in firewall policies for more granular control, limiting the parent ISDB object to a specific location.
ISDB objects are now referenced in policies by name instead of ID.


Solution
To apply a location-based ISDB object to a policy from the GUI:

1) Create the ISDB object.
- Go to Policy & Objects -> Internet Service Database and select 'Create New'.
- For Type, select 'Geographic Based' and configure the other settings as needed.
- Select 'OK'.

2) View the IP ranges in the location-based internet service.
- Go to Policy & Objects -> Internet Service Database.
- In the table, hover over the object created in step 1) and select 'View/Edit Entries'.

The list of IP ranges is displayed.

- Select 'Return'.

3) Add the ISDB object to a policy.
- Go to Policy & Objects -> Firewall Policy. Create a new policy or edit an existing policy.
- For Destination, select 'Internet Service' and select the ISDB object created in step 1).
- Configure the other settings as needed.
- Select 'OK'.

To apply a location-based ISDB object to a policy from the CLI:

1) Create the ISDB object.
# config firewall internet-service-name
    edit "test-locaction-isdb-1"
        set type location
        set internet-service-id 65536
        set country-id 840
        set region-id 283
        set city-id 23352
    next
end

2) View the IP ranges in the location-based internet service. Each output entry is one IP range with its location IDs, reputation flags, protocol and port range:
# diagnose internet-service id 65536 | grep "country(840) region(283) city(23352)"
96.45.33.73-96.45.33.73 country(840) region(283) city(23352) blacklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(6) port(1-65535)
96.45.33.73-96.45.33.73 country(840) region(283) city(23352) blacklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(17) port(1-65535)
198.94.221.56-198.94.221.56 country(840) region(283) city(23352) blacklist(0x0) reputation (4), domain(5) popularity(4) botnet(0) proto(6) port(1-65535)
198.94.221.56-198.94.221.56 country(840) region(283) city(23352) blacklist(0x0) reputation (4), domain(5) popularity(4) botnet(0) proto(17) port(1-65535)

3) Add the ISDB object to a policy.
# config firewall policy
    edit 99
        set name "Demo_Policy"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "test-locaction-isdb-1"
        set action accept
        set schedule "always"
        set logtraffic all
        set logtraffic-start enable
        set auto-asic-offload disable
        set nat enable
    next
end
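As an added check (example code written for this article, not part of FortiOS or the article itself): a Python parser for the output of the 'diagnose internet-service id' command in step 2. It turns each entry into a record, keeps only the entries whose country/region/city match the IDs set on the ISDB object, and summarizes the IP ranges and protocol/port tuples the policy will actually match, so the object can be verified before it is referenced in a policy. The sample output is constructed from the article's two entries plus one made-up entry for another country.

```python
import re

# Constructed sample in the format of 'diagnose internet-service id <id>':
# two entries copied from the article plus one for another country that the
# location filter must drop. Not captured from a live device.
SAMPLE_OUTPUT = """\
96.45.33.73-96.45.33.73 country(840) region(283) city(23352) blacklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(6) port(1-65535)
198.94.221.56-198.94.221.56 country(840) region(283) city(23352) blacklist(0x0) reputation (4), domain(5) popularity(4) botnet(0) proto(17) port(1-65535)
203.0.113.10-203.0.113.20 country(826) region(0) city(0) blacklist(0x0) reputation(3), domain(5) popularity(1) botnet(0) proto(6) port(443-443)
"""

# One ISDB entry; 'reputation\s*\(' tolerates the stray space seen in real output.
ENTRY_RE = re.compile(
    r"(?P<start>[\d.]+)-(?P<end>[\d.]+)\s+country\((?P<country>\d+)\)\s+"
    r"region\((?P<region>\d+)\)\s+city\((?P<city>\d+)\)\s+"
    r"blacklist\((?P<blacklist>0x[0-9a-fA-F]+)\)\s+reputation\s*\((?P<reputation>\d+)\),\s+"
    r"domain\((?P<domain>\d+)\)\s+popularity\((?P<popularity>\d+)\)\s+botnet\((?P<botnet>\d+)\)\s+"
    r"proto\((?P<proto>\d+)\)\s+port\((?P<port_lo>\d+)-(?P<port_hi>\d+)\)"
)
HEX_FIELDS = {"blacklist"}
STR_FIELDS = {"start", "end"}


def parse_entries(text):
    """Return one dict per entry. finditer() copes with entries run together on
    a single line (as pasted in the article) as well as one entry per line."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        rec = {}
        for key, val in m.groupdict().items():
            rec[key] = val if key in STR_FIELDS else int(val, 16 if key in HEX_FIELDS else 10)
        entries.append(rec)
    return entries


def filter_location(entries, country, region, city):
    """Keep only entries matching the country-id/region-id/city-id of the ISDB object."""
    return [e for e in entries
            if (e["country"], e["region"], e["city"]) == (country, region, city)]


def summarize(entries):
    """What the policy will match for this object: distinct IP ranges, distinct
    proto/port tuples, and any entries carrying a blacklist or botnet flag."""
    ranges = sorted({(e["start"], e["end"]) for e in entries})
    services = sorted({(e["proto"], e["port_lo"], e["port_hi"]) for e in entries})
    flagged = [e for e in entries if e["blacklist"] or e["botnet"]]
    return ranges, services, flagged
```

Paste the real diagnose output into SAMPLE_OUTPUT (or read it from a file) and call filter_location() with the IDs from the internet-service-name object to confirm only the expected ranges remain.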