Internet service groups in policies

This feature provides support for Internet Service Groups in traffic shaping and firewall policies. Service groups can be used as the source and destination of the policy. Internet Service Groups are used as criteria to match traffic; the shaper will be applied when the traffic matches.

To use a group as a destination, internet-service must be enabled. To use a group as a source, internet-service-src must be enabled.

The following CLI variables are available in the firewall policy and firewall shaping-policy commands:

Variable                                    Description
internet-service-group <string>             Internet Service group name.
internet-service-custom-group <string>      Custom Internet Service group name.
internet-service-src-group <string>         Internet Service source group name.
internet-service-src-custom-group <string>  Custom Internet Service source group name.

Examples

The following examples use the below topology.

Example 1

In this example, the PC is allowed to access Google, so all Google services are put into an Internet Service Group.

To configure access to Google services using an Internet Service Group using the CLI:
  1. Create a Service Group:
    config firewall internet-service-group
        edit "Google_Group"
            set direction destination
            set member 65537 65538 65539 65540 65542 65543 65544 65545 65550 65536 65646
        next
    end
  2. Create a firewall policy to allow access to all Google Services from the PC:
    config firewall policy
        edit 1
            set name "PC to Google"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "PC"
            set internet-service enable
            set internet-service-group "Google_Group"
            set action accept
            set schedule "always"
            set fsso disable
            set nat enable
        next
    end
To configure access to Google services using an Internet Service Group in the GUI:
  1. On the FortiGate, create a Service Group using the CLI.
  2. Go to Policy & Objects > IPv4 Policy, and create a new policy.
  3. Set the Destination as the just created Internet Service Group.

  4. Configure the remaining options as shown, then click OK.

    On the policy page, hover over the group to view a list of its members.

Example 2

In this example, two office FTP servers are put into a Custom Internet Service Group, and the PC connection to the FTP servers is limited to 1 Mbps.

To put two FTP servers into a custom service group and limit the PC connection speed to them using the CLI:
  1. Create custom internet services for the internal FTP servers:
    config firewall internet-service-custom
        edit "FTP_PM"
            config entry
                edit 1
                    config port-range
                        edit 1
                            set start-port 21
                            set end-port 21
                        next
                    end
                    set dst "PM_Server"
                next
            end
        next
        edit "FTP_QA"
            config entry
                edit 1
                    config port-range
                        edit 1
                            set start-port 21
                            set end-port 21
                        next
                    end
                    set dst "QA_Server"
                next
            end
        next
    end
  2. Create a custom internet service group and add the just created custom internet services to it:
    config firewall internet-service-custom-group
        edit "Internal_FTP"
            set member "FTP_QA" "FTP_PM"
        next
    end
  3. Create a traffic shaper to limit the maximum bandwidth:
    config firewall shaper traffic-shaper
        edit "Internal_FTP_Limit_1Mbps"
            set guaranteed-bandwidth 500
            set maximum-bandwidth 1000
            set priority medium
        next
    end
  4. Create a firewall shaping policy to limit the speed from the PC to the internal FTP servers:
    config firewall shaping-policy
        edit 1
            set name "For Internal FTP"
            set internet-service enable
            set internet-service-custom-group "Internal_FTP"
            set dstintf "port1"
            set traffic-shaper "Internal_FTP_Limit_1Mbps"
            set traffic-shaper-reverse "Internal_FTP_Limit_1Mbps"
            set srcaddr "PC"
        next
    end
To put two FTP servers into a custom service group and limit the PC connection speed to them using the GUI:
  1. Create custom internet services for the internal FTP servers using the CLI.
  2. Create a custom internet service group and add the just created custom internet services to it using the CLI.
  3. Create a traffic shaper to limit the maximum bandwidth:
    1. Go to Policy & Objects > Traffic Shapers, and click Create New.
    2. Enter a Name for the shaper, such as Internal_FTP_Limit_1Mbps.
    3. Set the Traffic Priority to Medium.
    4. Enable Max Bandwidth and set it to 1000.
    5. Enable Guaranteed Bandwidth and set it to 500.
    6. Click OK.
  4. Create a firewall shaping policy to limit the speed from the PC to the internal FTP servers:
    1. Go to Policy & Objects > Traffic Shaping Policy, and click Create New.
    2. Set the Destination as the just created Custom Internet Service Group, and apply the just created traffic shaper.

    3. Configure the remaining options as shown, then click OK.
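The rule stated at the top of this page (a group used as a destination needs internet-service enabled, a group used as a source needs internet-service-src enabled) is easy to miss when policies are edited by hand. The following Python script is an added example, not part of the Fortinet cookbook: it parses CLI blocks in the config/edit/set/next/end form used in the two examples above and reports policies or shaping policies that reference a group without the matching flag, or that reference a group the configuration never defines. The GROUP_VARS table maps the four variables from this page to their flags; the sample configuration is constructed for the example.

```python
import shlex

def parse_fortios(text):  # FortiOS 'config/edit/set/next/end' blocks -> nested dicts
    stack = [{}]  # stack[-1] is the dict the current block writes into; stack[0] is the root
    for line in text.splitlines():
        if not (t := shlex.split(line)):
            continue
        if t[0] in ("config", "edit"):  # open a table, or an entry inside the table
            stack.append(stack[-1].setdefault(" ".join(t[1:]), {}))
        elif t[0] == "set":             # 'set var v1 v2 ...' -> list of values
            stack[-1][t[1]] = t[2:]
        elif t[0] in ("next", "end"):   # close the entry or table
            stack.pop()
    return stack[0]
# policy variable -> (table that must define the object, flag that must be enabled)
GROUP_VARS = {
    "internet-service-group": ("firewall internet-service-group", "internet-service"),
    "internet-service-custom-group": ("firewall internet-service-custom-group", "internet-service"),
    "internet-service-src-group": ("firewall internet-service-group", "internet-service-src"),
    "internet-service-src-custom-group": ("firewall internet-service-custom-group", "internet-service-src"),
}

def lint_policies(cfg):  # yields one finding per group reference with the flag off or the group undefined
    for table in ("firewall policy", "firewall shaping-policy"):
        for pid, pol in cfg.get(table, {}).items():
            for var in sorted(pol.keys() & GROUP_VARS.keys()):
                objtable, flag = GROUP_VARS[var]
                if pol.get(flag) != ["enable"]:
                    yield f"{table} {pid}: {var} is set but '{flag} enable' is missing"
                for name in pol[var]:
                    if name not in cfg.get(objtable, {}):
                        yield f"{table} {pid}: {var} refers to undefined object '{name}'"

# Constructed sample: shaping policy 1 is valid, policy 2 has both defects
SAMPLE = """\
config firewall internet-service-group
    edit "Google_Group"
        set member 65537 65538
    next
end
config firewall shaping-policy
    edit 1
        set internet-service enable
        set internet-service-group "Google_Group"
    next
    edit 2
        set internet-service-custom-group "Internal_FTP"
    next
end
"""
```

Run `list(lint_policies(parse_fortios(SAMPLE)))` to see the two findings for policy 2; on a real unit, feed it the output of `show` for the group tables and the policy tables together, since undefined-object checks need both.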
