Using extension Internet Service in policy
An extension Internet Service lets you add custom IP address and port ranges to a predefined Internet Service entry, or remove existing ranges from it. Using an extension type Internet Service is, in effect, editing a predefined Internet Service entry and adding IP address and port ranges to it.
When creating an extension Internet Service and adding custom ranges, you must set the following elements:
- IP or IP ranges
- Protocol number
- Port or port ranges
You must use the CLI to add custom IP address and port entries to a predefined Internet Service.
You must use the GUI to remove (disable) entries from a predefined Internet Service.
Custom extension Internet Service CLI syntax
config firewall internet-service-extension
    edit <ID #>
        set comment <comment>
        config entry
            edit <ID #>
                set protocol <number #>
                set dst <object_name>
                config port-range
                    edit <ID #>
                        set start-port <number #>
                        set end-port <number #>
                    next
                end
            next
        end
    next
end
Sample configuration
To configure an extension Internet Service using the CLI:
config firewall internet-service-extension
    edit 65646
        set comment "Test Extension Internet Service 65646"
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 80
                        set end-port 443
                    next
                end
                set dst "172-16-200-0"
            next
            edit 2
                set protocol 17
                config port-range
                    edit 1
                        set start-port 53
                        set end-port 53
                    next
                end
                set dst "10-1-100-0"
            next
        end
    next
end
To remove IP address and port entries from an existing Internet Service:
- Go to Policy & Objects > Internet Service Database.
- Search for Google.Gmail.
- Select Google.Gmail and click Edit.
- Locate the IP entry you want to remove and click Disable beside that entry.
- Click Return.
When you complete the actions in the GUI, the corresponding configuration is generated automatically and is visible in the CLI as a disable-entry section:
config firewall internet-service-extension
    edit 65646
        set comment "Test Extension Internet Service 65646"
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 80
                        set end-port 443
                    next
                end
                set dst "172-16-200-0"
            next
            edit 2
                set protocol 17
                config port-range
                    edit 1
                        set start-port 53
                        set end-port 53
                    next
                end
                set dst "10-1-100-0"
            next
        end
        config disable-entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 25
                        set end-port 25
                    next
                    edit 2
                        set start-port 80
                        set end-port 80
                    next
                    edit 3
                        set start-port 110
                        set end-port 110
                    next
                    edit 4
                        set start-port 143
                        set end-port 143
                    next
                    edit 5
                        set start-port 443
                        set end-port 443
                    next
                    edit 6
                        set start-port 465
                        set end-port 465
                    next
                    edit 7
                        set start-port 587
                        set end-port 587
                    next
                    edit 8
                        set start-port 993
                        set end-port 993
                    next
                    edit 9
                        set start-port 995
                        set end-port 995
                    next
                    edit 10
                        set start-port 2525
                        set end-port 2525
                    next
                end
                config ip-range
                    edit 1
                        set start-ip 2.20.183.160
                        set end-ip 2.20.183.160
                    next
                end
            next
        end
    next
end
To apply an extension Internet Service in a policy using the CLI:
config firewall policy
    edit 9
        set name "Internet Service in Policy"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-id 65646
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "g-default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
Result
In addition to the IP addresses, IP address ranges, and services already allowed by Google.Gmail, this policy also allows traffic to 10.1.100.0/24 on UDP/53 and to 172.16.200.0/24 on TCP/80-443. At the same time, traffic to 2.20.183.160 on the listed TCP ports is dropped, because that IP address and those ports have been disabled from Google.Gmail.
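The matching semantics described in this result, as an added Python model that is not part of the FortiOS configuration on this page: the extension entries and the disable-entry mirror the CLI above, while the predefined Google.Gmail ranges are a constructed stand-in (the real Internet Service Database contents are not shown here), and the "implicit-deny" outcome assumes no later policy matches the traffic.

```python
import ipaddress

# Each entry: (protocol number, [(start_ip, end_ip)], [(start_port, end_port)]).
# Constructed stand-in for the predefined Google.Gmail ranges; the real
# Internet Service Database contents are not reproduced here. 192.0.2.0/24 is
# a documentation range, and 2.20.183.160 is the IP disabled in the GUI steps.
PREDEFINED_GMAIL = [
    (6, [("2.20.183.160", "2.20.183.160")], [(25, 25), (443, 443), (993, 993)]),
    (6, [("192.0.2.0", "192.0.2.255")], [(443, 443)]),
]

# Mirrors "config entry" of extension 65646 from the page (TCP 80-443 to
# 172.16.200.0/24 and UDP/53 to 10.1.100.0/24).
EXTENSION_ENTRIES = [
    (6, [("172.16.200.0", "172.16.200.255")], [(80, 443)]),
    (17, [("10.1.100.0", "10.1.100.255")], [(53, 53)]),
]

# Mirrors "config disable-entry": the ten TCP ports disabled for 2.20.183.160.
DISABLED_ENTRIES = [
    (6, [("2.20.183.160", "2.20.183.160")],
     [(p, p) for p in (25, 80, 110, 143, 443, 465, 587, 993, 995, 2525)]),
]


def entry_matches(entry, dst_ip, protocol, port):
    """True if dst_ip/protocol/port falls inside one entry's IP and port ranges."""
    proto, ip_ranges, port_ranges = entry
    if proto != protocol:
        return False
    ip = ipaddress.ip_address(dst_ip)
    in_ip = any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
                for lo, hi in ip_ranges)
    in_port = any(lo <= port <= hi for lo, hi in port_ranges)
    return in_ip and in_port


def internet_service_matches(dst_ip, protocol, port):
    """Extended service = (predefined + extension entries) minus disabled entries."""
    if any(entry_matches(e, dst_ip, protocol, port) for e in DISABLED_ENTRIES):
        return False
    return any(entry_matches(e, dst_ip, protocol, port)
               for e in PREDEFINED_GMAIL + EXTENSION_ENTRIES)


def policy_action(dst_ip, protocol, port):
    """Policy 9 accepts matching traffic; otherwise (assumption) the implicit deny applies."""
    return "accept" if internet_service_matches(dst_ip, protocol, port) else "implicit-deny"
```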