FortiGate
Debbie_FTNT
Staff
Article Id 193407

Description
This article explains whether an IP address can belong to more than one Internet Service Database (ISDB) entry in a given FortiOS version, why that matters when ISDB entries are used as destinations in firewall policies or policy routes, and how to work around the resulting gaps.

Useful links:

Fortinet Documentation (FortiOS handbook details on ISDB):
ISDB in policies: https://docs.fortinet.com/document/fortigate/6.0.6/handbook/793211/isdb-and-irdb-in-firewall-policie...
Adding Internet Service support to policies: https://docs.fortinet.com/document/fortigate/5.6.0/whats-new-in-fortios-5-6-0 (p.77/78)
FortiGuard ISDB updates: https://fortiguard.com/updates/isdb


Solution
Internet Services were added to FortiGate in FortiOS 5.4 and became usable as firewall policy objects in FortiOS 5.6.
Each Internet Service is a FortiGuard-maintained, regularly updated list of the public IP addresses and ports that belong to a named service or application, such as Amazon AWS or Microsoft Office 365.


The entries are visible in the FortiGate GUI, and the IP addresses an entry contains can be seen by opening the Internet Service object. From the CLI, "diagnose internet-service id <id>" lists the address ranges of an entry and "diagnose internet-service match root <ip> <netmask>" shows which entry a given address resolves to (replace root with the VDOM name where applicable).
In FortiOS 5.4, 5.6 and 6.0 an IP address can be a member of only one ISDB entry.
This causes problems when a vendor uses the same IP for several services, for example Microsoft addresses that serve both Office 365 and Azure: the database places such an address in one entry only.

As a result, on FortiOS 6.0 and lower a firewall policy or policy route whose destination is an Internet Service can fail to match traffic that technically belongs to that service, because the IP being accessed has been assigned to a different ISDB entry. Running "diagnose internet-service match" against the destination IP confirms this: it returns a single entry, and if that entry is not the one referenced in the policy, the policy will not match the traffic.

To work around this, there are a few options:

1) Upgrade to FortiOS 6.2 or later: from 6.2 onward the same IP can belong to multiple ISDB entries, so a shared Microsoft address can appear in both the Office 365 and the Azure entry and a policy for either service will match it.
2) Manually create address objects/groups for the affected IPs and add policies that use them alongside the Internet Service policies. This keeps the allowed scope tight, but the address list must be maintained by hand as the vendor's IP ranges change.
3) Add the other Internet Services that contain the missing IPs to the policy as well. This is the least effort, but it also allows access to every other IP in those additional Internet Services, well beyond the addresses the intended service actually needs.
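The following is an added example (Python, not code from this article or from Fortinet) that models the behaviour described above and prepares the configuration for workaround 2. SAMPLE_ISDB and EXPECTED_OFFICE365 are constructed data in RFC 5737 documentation space; the entry names are illustrative and the prefix assignments are invented for the demonstration. It resolves addresses the way a 6.0 database does (one entry per address), computes which vendor-published prefixes the service's ISDB entry does not contain, and renders FortiOS "config firewall address" / "config firewall addrgrp" CLI for those gaps.

```python
"""Model of how a FortiGate resolves a destination IP against the Internet Service
Database (ISDB), and of workaround 2 from the article (address objects for the IPs an
ISDB entry is missing).

Added example, not code from the article or from Fortinet.  SAMPLE_ISDB and
EXPECTED_OFFICE365 are constructed data in RFC 5737 documentation space; the entry
names are illustrative and the prefix assignments are invented for the demonstration.
"""
import ipaddress
from typing import Dict, Iterable, List

IPv4Net = ipaddress.IPv4Network

# Constructed stand-in for the ISDB as loaded on a 5.4-6.0 FortiGate: every address is
# assigned to exactly one entry.  203.0.113.0/24 is split between the two Microsoft
# entries, mirroring an address range that one vendor uses for two services.
SAMPLE_ISDB: Dict[str, List[str]] = {
    "Microsoft-Office365": ["198.51.100.0/24", "203.0.113.0/25"],
    "Microsoft-Azure": ["192.0.2.0/24", "203.0.113.128/25"],
}

# Constructed stand-in for what the vendor publishes as Office 365 endpoints.
EXPECTED_OFFICE365: List[str] = ["198.51.100.0/24", "203.0.113.0/24"]


def lookup(ip: str, isdb: Dict[str, List[str]]) -> List[str]:
    """Names of every ISDB entry whose prefixes contain ip.

    A 5.4-6.0 style database (each address in one entry, as in SAMPLE_ISDB) yields
    zero or one name; a 6.2+ database, where entries may overlap, can yield several.
    """
    addr = ipaddress.ip_address(ip)
    return [name for name, prefixes in isdb.items()
            if any(addr in ipaddress.ip_network(p) for p in prefixes)]


def uncovered_prefixes(expected: Iterable[str], entry: str,
                       isdb: Dict[str, List[str]]) -> List[IPv4Net]:
    """Addresses in expected that the ISDB entry does NOT contain.

    A firewall policy or policy route whose destination is that Internet Service
    will not match traffic to these addresses, even though the vendor says they
    belong to the service.  Each expected prefix is carved down by the entry's
    prefixes; whatever remains is the gap.
    """
    entry_nets = [ipaddress.ip_network(p) for p in isdb[entry]]
    remaining: List[IPv4Net] = []
    for exp in (ipaddress.ip_network(p) for p in expected):
        pieces = [exp]
        for known in entry_nets:
            carved = []
            for piece in pieces:
                if piece.subnet_of(known):
                    continue                      # fully covered: nothing missing
                if known.subnet_of(piece):
                    carved.extend(piece.address_exclude(known))  # drop the covered part
                else:
                    carved.append(piece)          # disjoint: still missing
            pieces = carved
        remaining.extend(pieces)
    return list(ipaddress.collapse_addresses(remaining))


def address_object_cli(group_name: str, nets: Iterable[IPv4Net]) -> str:
    """Render FortiOS CLI for workaround 2: one address object per missing prefix,
    collected in an address group that a normal firewall policy can reference."""
    nets = list(nets)
    if not nets:
        return "# nothing missing"
    lines = ["config firewall address"]
    for i, net in enumerate(nets, start=1):
        lines += [f'    edit "{group_name}-{i}"',
                  f"        set subnet {net.network_address} {net.netmask}",
                  "    next"]
    lines += ["end", "config firewall addrgrp", f'    edit "{group_name}"']
    members = " ".join(f'"{group_name}-{i}"' for i in range(1, len(nets) + 1))
    lines += [f"        set member {members}", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    for ip in ("198.51.100.10", "203.0.113.200"):
        print(f"{ip:16} -> {lookup(ip, SAMPLE_ISDB)}")
    gaps = uncovered_prefixes(EXPECTED_OFFICE365, "Microsoft-Office365", SAMPLE_ISDB)
    print("Office 365 prefixes not in the Office365 ISDB entry:", [str(n) for n in gaps])
    print(address_object_cli("O365-not-in-ISDB", gaps))
```

With the constructed data, 203.0.113.200 resolves to Microsoft-Azure only, so an Office 365 policy on FortiOS 6.0 would not match it; the script reports 203.0.113.128/25 as the gap and emits the address group to pair with a second policy. Replace the constructed inputs with the real ISDB contents (from "diagnose internet-service id <id>") and the vendor's published endpoint list to apply this to a live unit.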
