FortiGate
vhitnal
Staff
Article Id 195434
Description
This article describes how to create a custom Internet Service and use it in a firewall policy.


Solution
Custom Internet Services can be created and used in firewall policies.
When creating a custom Internet Service, the following elements must be set:

- IP or IP ranges.
- Protocol number.
- Port or port ranges.
- Reputation.

Use the CLI to create a custom Internet Service.

Custom Internet Service CLI syntax:
# config firewall internet-service-custom
    edit <name>
       set comment <comment>
       set reputation {1|2|3|4|5}
       # config entry
           edit <ID #>
               set protocol <number #>
               set dst <object_name>
               # config port-range
                   edit <ID #>
                       set start-port <number #>
                       set end-port <number #>
                   next
               end
           next
       end
    end
end
Sample configuration.

To configure a custom Internet Service:
# config firewall internet-service-custom
   edit "test-isdb-1"
       set comment "Test Custom Internet Service"
       set reputation 4
       # config entry
          edit 1
              set protocol 6
              # config port-range
                  edit 1
                      set start-port 80
                      set end-port 443
                  next
              end
              set dst "10-1-100-0"
          next
          edit 2
              set protocol 6
              # config port-range
                  edit 1
                      set start-port 80
                      set end-port 80
                  next
              end
              set dst "172-16-200-0"
          next
       end
   next
end
To apply a custom Internet Service in a policy:
# config firewall policy
    edit 1
        set name "Internet Service in Policy"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-id 65646
        set internet-service-custom "test-isdb-1"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "g-default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
Result:
In addition to the IP addresses, IP address ranges, and services that belong to Google.Gmail, this policy also allows traffic to 10.1.100.0/24 on TCP/80-443 and to 172.16.200.0/24 on TCP/80.
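The following is an added example, not code from the article or from Fortinet: it models the two entries of the "test-isdb-1" sample above and evaluates which destination/protocol/port combinations they match, so the effect of a port range such as 80-443 can be checked before the policy goes live. The subnets behind the address objects "10-1-100-0" and "172-16-200-0" are taken from the Result paragraph; the article itself does not show the address-object definitions.

```python
# Added example (not from the Fortinet article): evaluate which flows the
# article's custom Internet Service "test-isdb-1" would match.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Entry:
    entry_id: int
    protocol: int                     # IP protocol number (6 = TCP, 17 = UDP)
    dst: list                         # destination networks behind the "dst" objects
    port_ranges: list = field(default_factory=list)  # (start-port, end-port) tuples

    def matches(self, dst_ip: str, protocol: int, port: int) -> bool:
        """True if a flow to dst_ip:port over protocol falls inside this entry."""
        if protocol != self.protocol:
            return False
        if not any(ipaddress.ip_address(dst_ip) in net for net in self.dst):
            return False
        # A port-range is inclusive: start-port 80 / end-port 443 also covers 81..442.
        return any(start <= port <= end for start, end in self.port_ranges)


# Entries transcribed from the article's "test-isdb-1" sample configuration.
# Subnets are assumed from the article's Result paragraph (10.1.100.0/24, 172.16.200.0/24).
TEST_ISDB_1 = [
    Entry(1, 6, [ipaddress.ip_network("10.1.100.0/24")], [(80, 443)]),
    Entry(2, 6, [ipaddress.ip_network("172.16.200.0/24")], [(80, 80)]),
]


def matching_entry(entries, dst_ip, protocol, port):
    """Return the id of the first entry the flow matches, or None if no entry matches."""
    for entry in entries:
        if entry.matches(dst_ip, protocol, port):
            return entry.entry_id
    return None


def wide_port_ranges(entries, max_span=1):
    """List (entry_id, start, end, port_count) for port ranges spanning more than
    max_span ports, i.e. ranges that may admit more ports than intended."""
    findings = []
    for entry in entries:
        for start, end in entry.port_ranges:
            if end - start + 1 > max_span:
                findings.append((entry.entry_id, start, end, end - start + 1))
    return findings
```

Running wide_port_ranges on the sample shows that entry 1 admits 364 TCP ports, not just 80 and 443; if only those two ports were intended, configure two separate port-range entries instead.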
