FortiGate
mtse
Staff
Article Id 195557

Description
Starting from V6.2, the system identifies the application ID by looking up the first IP 3-tuple (protocol, destination port, destination IP) in the ISDB and in the application control cache, and then matches that ID against the SD-WAN service rules one by one from top to bottom.

This improves performance because the database and the cache are searched only once per session, rather than once per rule.


Solution
For example, the two IP addresses below both belong to the same ISDB category 327880 (Microsoft-Office365.Published) (ISDB version 7.01406).
But IP address 52.113.195.132 is also identified as 'Microsoft.Teams' (application ID 43541) in the application control list cache.

In this case, the matching result is as follows:

40.126.52.150 (follows rule "30")
52.113.195.132 (follows rule "32")
# diagnose internet-service info root 6 443 40.126.52.150
Internet Service: 327880(Microsoft-Office365.Published)

# diagnose internet-service info root 6 443 52.113.195.132
Internet Service: 327880(Microsoft-Office365.Published)

# diagnose sys virtual-wan-link internet-service-app-ctrl-list

Microsoft.Teams(43541 4294837321): 52.113.195.132 6 443 Mon Mar 22 09:04:19 2021

# config system virtual-wan-link
...
# config service
    edit 30
        set name "SSLVPN-Test-1"
        set src "SSLVPN_TUNNEL_ADDR1"
        set internet-service enable
        set internet-service-id 327880
        set priority-members 2
    next
    edit 31
        set name "SSLVPN-Test-2"
        set src "SSLVPN_TUNNEL_ADDR1"
        set internet-service enable
        set internet-service-id 327880
        set priority-members 1
    next
    edit 32
        set name "SSLVPN-Test-3"
        set dst "all"
        set src "SSLVPN_TUNNEL_ADDR1"
        set priority-members 1
    next
    ...
    edit 11
        set name "teamsBackupToInternet"
        set src "all"
        set internet-service enable
        set internet-service-id 327781
        set internet-service-app-ctrl 43541 48977 48976 47822
        set priority-members 1
    next
    ...
end

The logic behind the above matching result is as follows.

40.126.52.150 is identified as ISDB category Microsoft_Office365 (ISDB ID 327880).
The system searches the rules that have ISDB configured one by one from top to bottom and finds the first match to be rule 30.

52.113.195.132 is identified as application category Microsoft Teams (application ID 43541) because of its entry in the internet-service-app-ctrl-list cache.
The system then searches the rules that have application control configured, or that have no ISDB configured, one by one from top to bottom and finds the first match to be rule 32.

This is because rule 32 is the first rule without ISDB, and its dst 'all' matches the destination. Note that rule 11, which lists application ID 43541, sits below rule 32 in the list and is therefore never reached.


To force an IP address to be classified in an ISDB category, configure an internet-service-extension entry.

The entry below groups the IP 52.113.195.132 (TCP port 443) under ISDB ID 327880 (Microsoft_Office365), so that it is matched by the ISDB rules (rule 30 in the example above) instead of rule 32.

# config firewall internet-service-extension
    edit 327880
        set comment ''
        # config entry
            edit 1
                set protocol 6
                # config port-range
                    edit 1
                        set start-port 443
                        set end-port 443
                    next
                end
                set dst "dst_52.113.195.132"
            next
        end
    next
end
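The following is an added toy model of the rule-selection order explained above (single 3-tuple lookup, then one top-to-bottom walk over the service rules), written for this note and not Fortinet code. It encodes the article's four rules, the two ISDB lookups, the app-ctrl cache entry and the internet-service-extension workaround, and reproduces the stated results: 40.126.52.150 hits rule 30, 52.113.195.132 hits rule 32, and with the extension in place 52.113.195.132 hits rule 30. The data structures, the helper names and the assumption that an extension entry is honoured before the app-ctrl cache are this example's own, not FortiOS internals.

```python
# Toy model of the SD-WAN service-rule lookup order described in this article.
# Constructed illustration; not FortiOS code. Rule/flow structures are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    seq: int                            # rule number as shown in the CLI listing
    name: str
    src: str = "all"                    # source address object, "all" = any
    dst: str = "all"                    # destination address object (non-ISDB rules)
    isdb_id: Optional[int] = None       # internet-service-id, if ISDB is enabled
    app_ctrl: frozenset = frozenset()   # internet-service-app-ctrl IDs


@dataclass(frozen=True)
class Flow:
    proto: int
    port: int
    dst_ip: str
    src_names: frozenset = frozenset()  # address objects the source belongs to
    dst_names: frozenset = frozenset()  # address objects the destination belongs to


# Rule list in display order (top to bottom), taken from the article's config.
RULES = [
    Rule(30, "SSLVPN-Test-1", src="SSLVPN_TUNNEL_ADDR1", isdb_id=327880),
    Rule(31, "SSLVPN-Test-2", src="SSLVPN_TUNNEL_ADDR1", isdb_id=327880),
    Rule(32, "SSLVPN-Test-3", src="SSLVPN_TUNNEL_ADDR1", dst="all"),
    Rule(11, "teamsBackupToInternet", src="all", isdb_id=327781,
         app_ctrl=frozenset({43541, 48977, 48976, 47822})),
]

# Lookup tables keyed by the 3-tuple (protocol, dst port, dst IP); values from the article.
ISDB = {
    (6, 443, "40.126.52.150"): 327880,    # Microsoft-Office365.Published
    (6, 443, "52.113.195.132"): 327880,
}
APP_CTRL_CACHE = {
    (6, 443, "52.113.195.132"): 43541,    # Microsoft.Teams
}
# The article's workaround: pin 52.113.195.132 tcp/443 to ISDB 327880.
EXTENSION = {(6, 443, "52.113.195.132"): 327880}


def classify(flow, isdb, app_cache, extensions):
    """One lookup of the 3-tuple: ("isdb", id), ("app", id) or (None, None).
    Assumption: an internet-service-extension entry wins over the app-ctrl
    cache, which is what the article's workaround relies on."""
    key = (flow.proto, flow.port, flow.dst_ip)
    if key in extensions:
        return ("isdb", extensions[key])
    if key in app_cache:
        return ("app", app_cache[key])
    if key in isdb:
        return ("isdb", isdb[key])
    return (None, None)


def _addr_ok(obj, names):
    return obj == "all" or obj in names


def select_rule(flow, rules, isdb=ISDB, app_cache=APP_CTRL_CACHE, extensions=None):
    """Walk the rules once, top to bottom, and return the first match (or None)."""
    kind, ident = classify(flow, isdb, app_cache, extensions or {})
    for rule in rules:
        if not _addr_ok(rule.src, flow.src_names):
            continue
        if kind == "isdb":
            # Only rules with ISDB configured are candidates; the ID must match.
            if rule.isdb_id == ident:
                return rule
        elif kind == "app":
            # Candidates: rules listing this app ID, or rules without ISDB
            # (plain dst-based rules) whose dst matches.
            if ident in rule.app_ctrl:
                return rule
            if rule.isdb_id is None and _addr_ok(rule.dst, flow.dst_names):
                return rule
        else:
            # Assumption: unclassified traffic only hits plain dst-based rules.
            if rule.isdb_id is None and not rule.app_ctrl and _addr_ok(rule.dst, flow.dst_names):
                return rule
    return None


def matched_rule_seq(dst_ip, extensions=None):
    """Rule number chosen for tcp/443 traffic from the SSL VPN tunnel to dst_ip."""
    flow = Flow(6, 443, dst_ip, src_names=frozenset({"SSLVPN_TUNNEL_ADDR1"}))
    rule = select_rule(flow, RULES, extensions=extensions)
    return rule.seq if rule else None


if __name__ == "__main__":
    for ip in ("40.126.52.150", "52.113.195.132"):
        print(ip, "-> rule", matched_rule_seq(ip))
    print("52.113.195.132 with extension -> rule", matched_rule_seq("52.113.195.132", EXTENSION))
```

The model makes the ordering point visible: rule 11 would accept application ID 43541, but because it sits below rule 32 in the list it is never consulted, so moving rule 11 above rule 32 or pinning the IP with the extension are the two ways to change the outcome.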

Related Articles

Technical Tip: Routing in FortiGate (route-lookup-process)
