Description
FortiOS 6.2 introduces the ability to tune Internet Service Database (ISDB) entries for a given environment.
This article describes how a CLI option allows the admin to add custom ports and port ranges to predefined ISDB entries.
These objects cover the relevant ports by default, including but not limited to the following:
- 'Malicious-Malicious.Server' and 'Phishing-Phishing.Server' for web services.
- 'Spam-Spamming.Server' for email services.
- 'VPN-Anonymous.VPN' for VPN services.
This option allows additional ports to be added to these objects if desired, so that more protocols or ports can be blocked.
Scope
FortiOS 6.2 and above.
Solution
Use the CLI command # config firewall internet-service-addition in the global context to tune the ISDB for the user environment.
To add a custom port range in global:
# config firewall internet-service-addition
    edit 65646
        set comment "Add custom port-range:tcp/8080-8090 into 65646"
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 8080
                        set end-port 8090
                    next
                end
            next
        end
    next
end
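The block above adds a single TCP range to one ISDB entry. As an added example (not Fortinet's code), the following script builds and validates the same nested configuration for one or more ISDB IDs, protocols and port ranges, so it can be checked before being pasted into the CLI; it assumes entry and port-range indices count up from 1 and that protocol is the IP protocol number (6 = TCP as above, 17 = UDP).

```python
# Added example, not Fortinet's code: build and validate a
# 'config firewall internet-service-addition' block for one or more ISDB IDs.
# Assumes indices count up from 1 and protocol is the IP protocol number.
from typing import Dict, List, Tuple

IP_PROTOCOLS = {6: "tcp", 17: "udp"}
# {isdb_id: [(protocol, [(start_port, end_port), ...]), ...]}
Additions = Dict[int, List[Tuple[int, List[Tuple[int, int]]]]]


def validate(additions: Additions) -> None:
    """Reject values the CLI would refuse or that would match no traffic."""
    for isdb_id, entries in additions.items():
        if not entries:
            raise ValueError(f"ISDB {isdb_id}: no entries")
        for proto, ranges in entries:
            if proto not in IP_PROTOCOLS:
                raise ValueError(f"ISDB {isdb_id}: unsupported protocol {proto}")
            for start, end in ranges:
                if not 1 <= start <= end <= 65535:
                    raise ValueError(f"ISDB {isdb_id}: bad range {start}-{end}")


def _ind(depth: int, text: str) -> str:
    return "    " * depth + text  # four spaces per CLI nesting level


def render(additions: Additions) -> str:
    """Emit the CLI block; each comment lists the protocol/port ranges added."""
    validate(additions)
    out = ["config firewall internet-service-addition"]
    for isdb_id, entries in additions.items():
        desc = ",".join(f"{IP_PROTOCOLS[p]}/{s}-{e}" for p, r in entries for s, e in r)
        out += [_ind(1, f"edit {isdb_id}"),
                _ind(2, f'set comment "Add custom port-range:{desc} into {isdb_id}"'),
                _ind(2, "config entry")]
        for i, (proto, ranges) in enumerate(entries, start=1):
            out += [_ind(3, f"edit {i}"), _ind(4, f"set protocol {proto}"),
                    _ind(4, "config port-range")]
            for j, (start, end) in enumerate(ranges, start=1):
                out += [_ind(5, f"edit {j}"), _ind(6, f"set start-port {start}"),
                        _ind(6, f"set end-port {end}"), _ind(5, "next")]
            out += [_ind(4, "end"), _ind(3, "next")]
        out += [_ind(2, "end"), _ind(1, "next")]
    out.append("end")
    return "\n".join(out)


ARTICLE_EXAMPLE: Additions = {65646: [(6, [(8080, 8090)])]}  # the article's case
```

Calling render(ARTICLE_EXAMPLE) reproduces the sixteen-line block shown in the article; adding a second tuple to the list produces a second entry (for example a UDP range) under the same ISDB ID.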
Use the following command to apply the change:
# execute internet-service refresh
Warning: Configuration will only be applied after rebooting or using the 'execute internet-service refresh' command.
Use the following command to verify that the change was applied:
Exception
Most of the objects are customizable, with the exception of 'Botnet-C&C.Server' and 'Tor-Relay.Node'. These objects use different ports for different IP addresses. As a result, each of their entries is a 3-tuple of IP-protocol-port instead of an IP address range combined with a predefined port list.
Related Articles
- Technical Tip: Error message 'ISDB001 is unauthorized' when running FortiGuard updates debug
Copyright 2024 Fortinet, Inc. All Rights Reserved.