Fortinet Document Library

Cookbook 6.2.0

Using extension Internet Service in policy

An extension Internet Service lets you add custom IP address and port ranges to, or remove existing ones from, a predefined Internet Service entry. Using an extension type Internet Service is effectively editing a predefined type Internet Service entry and adding IP address and port ranges to it.

When you create an extension Internet Service and add custom ranges, you must set the following elements:

  • IP or IP ranges
  • Protocol number
  • Port or port ranges

You must use the CLI to add custom IP address and port entries to a predefined Internet Service. The dst of each entry is the name of an existing firewall address object, so create that object before referencing it.

You must use the GUI to remove entries from a predefined Internet Service.

Custom extension Internet Service CLI syntax

config firewall internet-service-extension
    edit <ID #>
        set comment <comment>
        config entry
            edit <ID #>
                set protocol <number #>
                set dst <object_name>
                config port-range
                    edit <ID #>
                        set start-port <number #>
                        set end-port <number #>
                    next
                end
            next
        end
    next
end

Sample configuration

To configure an extension Internet Service using the CLI (the extension ID is the ID of the predefined Internet Service being extended; 65646 is Google.Gmail in this example):
config firewall internet-service-extension
    edit 65646
        set comment "Test Extension Internet Service 65646"
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 80
                        set end-port 443
                    next
                end
                set dst "172-16-200-0"
            next
            edit 2
                set protocol 17
                config port-range
                    edit 1
                        set start-port 53
                        set end-port 53
                    next
                end
                set dst "10-1-100-0"
            next
        end
    next
end
To remove IP address and port entries from an existing Internet Service:
  1. Go to Policy & Objects > Internet Service Database.
  2. Search for Google.Gmail.
  3. Select Google.Gmail and click Edit.
  4. Locate the IP entry you want to remove and click Disable beside that entry.
  5. Click Return.
  6. When you complete the actions in the GUI, the configuration is generated automatically from your GUI actions and appears in the CLI as a disable-entry under the same extension ID:
    config firewall internet-service-extension
        edit 65646
            set comment "Test Extension Internet Service 65646"
            config entry
                edit 1
                    set protocol 6
                    config port-range
                        edit 1
                            set start-port 80
                            set end-port 443
                        next
                    end
                    set dst "172-16-200-0"
                next
                edit 2
                    set protocol 17
                    config port-range
                        edit 1
                            set start-port 53
                            set end-port 53
                        next
                    end
                    set dst "10-1-100-0"
                next
            end
            config disable-entry
                edit 1
                    set protocol 6
                    config port-range
                        edit 1
                            set start-port 25
                            set end-port 25
                        next
                        edit 2
                            set start-port 80
                            set end-port 80
                        next
                        edit 3
                            set start-port 110
                            set end-port 110
                        next
                        edit 4
                            set start-port 143
                            set end-port 143
                        next
                        edit 5
                            set start-port 443
                            set end-port 443
                        next
                        edit 6
                            set start-port 465
                            set end-port 465
                        next
                        edit 7
                            set start-port 587
                            set end-port 587
                        next
                        edit 8
                            set start-port 993
                            set end-port 993
                        next
                        edit 9
                            set start-port 995
                            set end-port 995
                        next
                        edit 10
                            set start-port 2525
                            set end-port 2525
                        next
                    end
                    config ip-range
                        edit 1
                            set start-ip 2.20.183.160
                            set end-ip 2.20.183.160
                        next
                    end
                next
            end
        next
    end
To apply an extension Internet Service in a firewall policy using the CLI:
config firewall policy
    edit 9
        set name "Internet Service in Policy"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-id 65646
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "g-default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end

Result

In addition to the IP addresses, IP address ranges, and services allowed by Google.Gmail, this policy also allows traffic to 10.1.100.0/24 on UDP/53 and to 172.16.200.0/24 on TCP/80-443. At the same time, traffic to 2.20.183.160 on the disabled ports is dropped, because that IP address and those ports have been disabled in Google.Gmail and no longer match this policy.
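As an added example that is not part of the Fortinet page, the following Python script parses the page's extension configuration and evaluates the matching rule the Result describes: the effective service is the predefined entries plus the custom entry tables, minus the disable-entry tables. It assumes that the address objects 172-16-200-0 and 10-1-100-0 map to the /24 networks named in the Result, uses a constructed stand-in for the predefined Google.Gmail entries, and keeps only the TCP/443 port of the page's disable-entry for brevity.

```python
import ipaddress
import shlex

# Constructed from the page's sample (both custom entries, plus the GUI-generated disable-entry
# trimmed to TCP/443). Statements are ';'-separated here to keep the sample short.
EXT_CONFIG = (
    "config firewall internet-service-extension; edit 65646; config entry;"
    " edit 1; set protocol 6; set dst 172-16-200-0;"
    " config port-range; edit 1; set start-port 80; set end-port 443; next; end; next;"
    " edit 2; set protocol 17; set dst 10-1-100-0;"
    " config port-range; edit 1; set start-port 53; set end-port 53; next; end; next; end;"
    " config disable-entry; edit 1; set protocol 6;"
    " config port-range; edit 1; set start-port 443; set end-port 443; next; end;"
    " config ip-range; edit 1; set start-ip 2.20.183.160; set end-ip 2.20.183.160; next; end;"
    " next; end; next; end")
# Assumed firewall address objects referenced by 'set dst'; they must already exist on the unit.
ADDR_OBJECTS = {"172-16-200-0": "172.16.200.0/24", "10-1-100-0": "10.1.100.0/24"}
# Constructed stand-in for the predefined Google.Gmail entries as (network, protocol, port).
PREDEFINED = [("2.20.183.0/24", 6, 443)]

def parse_fortios(text):
    stack = [{}]  # root table; config/edit push a nested table keyed by name or ID, next/end pop it
    for stmt in filter(str.strip, text.replace(";", "\n").splitlines()):
        words = shlex.split(stmt)
        if words[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(words[1:]), {}))
        elif words[0] == "set":
            stack[-1][words[1]] = words[2] if len(words) == 3 else words[2:]
        elif words[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def _port_hit(table, port):
    return any(int(r["start-port"]) <= port <= int(r["end-port"])
               for r in table.get("port-range", {}).values())
def _ip_hit(table, ip):
    return any(ipaddress.ip_address(r["start-ip"]) <= ip <= ipaddress.ip_address(r["end-ip"])
               for r in table.get("ip-range", {}).values())

def service_matches(ext, ip, proto, port):
    """Effective Internet Service = (predefined + custom 'entry') minus 'disable-entry'."""
    ip = ipaddress.ip_address(ip)
    predefined = any(ip in ipaddress.ip_network(net) and (proto, port) == (pr, po)
                     for net, pr, po in PREDEFINED)
    custom = any(int(e["protocol"]) == proto and _port_hit(e, port)
                 and ip in ipaddress.ip_network(ADDR_OBJECTS[e["dst"]])
                 for e in ext.get("entry", {}).values())
    disabled = any(int(d["protocol"]) == proto and _port_hit(d, port) and _ip_hit(d, ip)
                   for d in ext.get("disable-entry", {}).values())
    return (predefined or custom) and not disabled

EXT = parse_fortios(EXT_CONFIG)["firewall internet-service-extension"]["65646"]
```

Running `service_matches(EXT, "2.20.183.160", 6, 443)` returns False while the neighbouring host 2.20.183.161 still matches, which is the per-address, per-port effect of the disable-entry the page describes.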
