Using extension Internet Service in policy

An extension Internet Service lets you add custom IP address and port ranges to, or remove existing ones from, a predefined Internet Service entry. Using an extension type Internet Service actually edits a predefined type Internet Service entry by adding IP address and port ranges to it.

When creating an extension Internet Service and adding custom ranges, you must set the following elements:

  • IP or IP ranges
  • Protocol number
  • Port or port ranges

You must use the CLI to add custom IP address and port entries to a predefined Internet Service.

You must use the GUI to remove entries from a predefined Internet Service.

Custom extension Internet Service CLI syntax

config firewall internet-service-extension
    edit <ID #>
        set comment <comment>
        config entry
            edit <ID #>
                set protocol <number #>
                set dst <object_name>
                config port-range
                    edit <ID #>
                        set start-port <number #>
                        set end-port <number #>
                    next
                end
            next
        end
    next
end

Sample configuration

To configure an extension Internet Service in the CLI:
config firewall internet-service-extension
    edit 65646
        set comment "Test Extension Internet Service 65646"
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 80
                        set end-port 443
                    next
                end
                set dst "172-16-200-0"
            next
            edit 2
                set protocol 17
                config port-range
                    edit 1
                        set start-port 53
                        set end-port 53
                    next
                end
                set dst "10-1-100-0"
            next
        end
    next
end
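
As an added example (not Fortinet's code), the Python below reads a `config firewall internet-service-extension` block from a saved configuration and checks each custom entry for the three required elements listed above; it also reports how many ports each range covers, because a range of 80 to 443 includes every port in between. The function names and the second entry in the input are assumptions made for illustration, and each port range is assumed to set both start-port and end-port as in the syntax above.

```python
import shlex
TABLE = "firewall internet-service-extension"
# Constructed input: entry 1 copies the page's sample; entry 2 is hypothetical.
SAMPLE = """config firewall internet-service-extension
    edit 65646
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 80
                        set end-port 443
                    next
                end
                set dst "172-16-200-0"
            next
            edit 2
                set dst "10-1-100-0"
            next
        end
    next
end"""

def parse(text):
    """Map (service id, entry id) -> protocol, dst and port ranges set in the CLI."""
    found, path, cur = {}, [], None
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] in ("config", "edit"):
            path.append(" ".join(tok[1:]))
            if path[0] == TABLE and len(path) == 4:      # edit <entry ID>
                cur = found[(path[1], path[3])] = {"protocol": None, "dst": None, "ports": []}
            elif path[0] == TABLE and len(path) == 6:    # edit <port-range ID>
                cur["ports"].append({})
        elif tok[0] in ("next", "end"):
            del path[-1:]                                # leave the current edit/config level
        elif tok[0] == "set" and path[:1] == [TABLE] and len(path) in (4, 6):
            (cur if len(path) == 4 else cur["ports"][-1])[tok[1]] = tok[2]
    return found

def audit(found):
    """Flag entries missing a required element and ranges wider than one port."""
    out = []
    for key, e in found.items():
        out += [(key, "missing " + k) for k in ("protocol", "dst", "ports") if not e[k]]
        for r in e["ports"]:
            n = int(r["end-port"]) - int(r["start-port"]) + 1
            if n > 1:
                out.append((key, f"{r['start-port']}-{r['end-port']} spans {n} ports"))
    return out
```

Calling `audit(parse(SAMPLE))` reports that entry 1 spans 364 ports and that entry 2 is missing its protocol and port range.
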

To remove IP address and port entries from an existing Internet Service in the GUI:
  1. Go to Policy & Objects > Internet Service Database.

  2. Search for Google-Gmail.

  3. Select Google-Gmail and click Edit.

  4. In the gutter, click View/Edit Entries.

  5. Select the IP entry that you need to remove and click Disable.

  6. Click Return twice.

To remove IP address and port entries from an existing Internet Service in the CLI:
config firewall internet-service-extension
    edit