Fortinet Document Library

Version:


Table of Contents

Cookbook

6.2.0
Download PDF
Copy Link

Using custom Internet Service in policy

Custom Internet Services can be created and used in firewall policies.

When creating a custom Internet Service, you must set following elements:

  • IP or IP ranges
  • Protocol number
  • Port or port ranges
  • Reputation

You must use CLI to create a custom Internet Service.

Custom Internet Service CLI syntax

config firewall internet-service-custom
    edit <name>
       set comment <comment>
       set reputation {1|2|3|4|5}
       config entry
           edit <ID #>
               set protocol <number #>
               set dst <object_name>
               config port-range
                   edit <ID #>
                       set start-port <number #>
                       set end-port <number #>
                   next
               end
           next
       end
    end
end

Sample configuration

To configure a custom Internet Service:
config firewall internet-service-custom
   edit "test-isdb-1"
       set comment "Test Custom Internet Service"
       set reputation 4
       config entry
          edit 1
              set protocol 6
              config port-range
                  edit 1
                      set start-port 80
                      set end-port 443
                  next
              end
              set dst "10-1-100-0"
          next
          edit 2
              set protocol 6
              config port-range
                  edit 1
                      set start-port 80
                      set end-port 80
                  next
              end
              set dst "172-16-200-0"
          next
       end
   next
end
To apply a custom Internet Service into a policy:
config firewall policy
    edit 1
        set name "Internet Service in Policy"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-id 65646
        set internet-service-custom "test-isdb-1"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "g-default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end

Result

In addition to the IP address, IP address ranges, and services allowed by Google.Gmail, this policy also allows the traffic which access to 10.1.100.0/24 and TCP/80-443 and 172.16.200.0/24 and TCP/80.

Using custom Internet Service in policy

Custom Internet Services can be created and used in firewall policies.

When creating a custom Internet Service, you must set following elements:

  • IP or IP ranges
  • Protocol number
  • Port or port ranges
  • Reputation

You must use CLI to create a custom Internet Service.

Custom Internet Service CLI syntax

config firewall internet-service-custom
    edit <name>
       set comment <comment>
       set reputation {1|2|3|4|5}
       config entry
           edit <ID #>
               set protocol <number #>
               set dst <object_name>
               config port-range
                   edit <ID #>
                       set start-port <number #>
                       set end-port <number #>
                   next
               end
           next
       end
    end
end

Sample configuration

To configure a custom Internet Service:
config firewall internet-service-custom
   edit "test-isdb-1"
       set comment "Test Custom Internet Service"
       set reputation 4
       config entry
          edit 1
              set protocol 6
              config port-range
                  edit 1
                      set start-port 80
                      set end-port 443
                  next
              end
              set dst "10-1-100-0"
          next
          edit 2
              set protocol 6
              config port-range
                  edit 1
                      set start-port 80
                      set end-port 80
                  next
              end
              set dst "172-16-200-0"
          next
       end
   next
end
To apply a custom Internet Service into a policy:
config firewall policy
    edit 1
        set name "Internet Service in Policy"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-id 65646
        set internet-service-custom "test-isdb-1"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "g-default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end

Result

In addition to the IP address, IP address ranges, and services allowed by Google.Gmail, this policy also allows the traffic which access to 10.1.100.0/24 and TCP/80-443 and 172.16.200.0/24 and TCP/80.