
Administration Guide

Allow creation of ISDB objects with regional information


Geographic-based Internet Service Database (ISDB) objects allow users to define a country, region, and city. These objects can be used in firewall policies for more granular control over the location of the parent ISDB object. ISDB objects are now referenced in policies by name instead of ID.

To apply a location-based ISDB object to a policy in the GUI:
  1. Create the ISDB object:

    1. Go to Policy & Objects > Internet Service Database and click Create New > Geographic Based Internet Service.

    2. Configure the settings as required.

    3. Click OK.

  2. View the IP ranges in the location-based internet service:

    1. Go to Policy & Objects > Internet Service Database.

    2. In the table, hover over the object created in step 1 and click View/Edit Entries. The list of IPs is displayed.

    3. Click Return.

  3. Add the ISDB object to a policy:

    1. Go to Policy & Objects > Firewall Policy and create a new policy or edit an existing one.

    2. For Destination, click Internet Service and select the ISDB object created in step 1.

    3. Configure the other settings as needed.

    4. Click OK.

To apply a location-based ISDB object to a policy in the CLI:
  1. Create the ISDB object:
    config firewall internet-service-name
        edit "test-location-isdb-1"
            set type location
            set internet-service-id 65536
            set country-id 840
            set region-id 283
            set city-id 23352
        next
    end
  2. View the IP ranges in the location-based internet service:
    # diagnose internet-service id 65536 | grep "country(840) region(283) city(23352)"
    96.45.33.73-96.45.33.73 country(840) region(283) city(23352) blocklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(6) port(1-65535)
    96.45.33.73-96.45.33.73 country(840) region(283) city(23352) blocklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(17) port(1-65535)
    198.94.221.56-198.94.221.56 country(840) region(283) city(23352) blocklist(0x0) reputation(4), domain(5) popularity(4) botnet(0) proto(6) port(1-65535)
    198.94.221.56-198.94.221.56 country(840) region(283) city(23352) blocklist(0x0) reputation(4), domain(5) popularity(4) botnet(0) proto(17) port(1-65535)
  3. Add the ISDB object to a policy:
    config firewall policy
        edit 3
            set name "PC to Google"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "PC"
            set internet-service enable
            set internet-service-name "test-location-isdb-1"
            set action accept
            set schedule "always"
            set logtraffic all
            set logtraffic-start enable
            set auto-asic-offload disable
            set nat enable
        next
    end
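
Before the accept policy in step 3 goes live, it helps to confirm exactly which addresses and protocols the location object matches. The following is an added example, not Fortinet code: it parses saved output in the format shown in step 2 and reduces it to the ranges for one country/region/city. The function names are hypothetical, and the 203.0.113.10 entry with city 99999 is constructed to show the filter excluding another location.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed input: the four entries shown in step 2, plus one made-up entry
# (203.0.113.10, city 99999) that the location filter must exclude.
SAMPLE = """\
96.45.33.73-96.45.33.73 country(840) region(283) city(23352) blocklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(6) port(1-65535)
96.45.33.73-96.45.33.73 country(840) region(283) city(23352) blocklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(17) port(1-65535)
198.94.221.56-198.94.221.56 country(840) region(283) city(23352) blocklist(0x0) reputation(4), domain(5) popularity(4) botnet(0) proto(6) port(1-65535)
198.94.221.56-198.94.221.56 country(840) region(283) city(23352) blocklist(0x0) reputation(4), domain(5) popularity(4) botnet(0) proto(17) port(1-65535)
203.0.113.10-203.0.113.10 country(840) region(283) city(99999) blocklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(6) port(1-65535)
"""

ENTRY_RE = re.compile(
    r"^\s*(?P<start>[0-9A-Fa-f:.]+)-(?P<end>[0-9A-Fa-f:.]+)\s+"
    r"country\((?P<country>\d+)\)\s+region\((?P<region>\d+)\)\s+city\((?P<city>\d+)\)"
    r".*?proto\((?P<proto>\d+)\)\s+port\((?P<ports>[^)]*)\)"
)

def location_entries(text, country, region, city):
    """Map (first_ip, last_ip) -> {protocol number: port spec} for one location."""
    wanted = (str(country), str(region), str(city))
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        # Skip prompts, blank lines and entries for other locations.
        if not m or (m["country"], m["region"], m["city"]) != wanted:
            continue
        key = (ipaddress.ip_address(m["start"]), ipaddress.ip_address(m["end"]))
        entries[key][int(m["proto"])] = m["ports"]
    return dict(entries)

def to_cidrs(entries):
    """Collapse the matched ranges into CIDR networks (one address family assumed)."""
    nets = []
    for first, last in entries:
        nets.extend(ipaddress.summarize_address_range(first, last))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def covered(entries, ip, proto):
    """True if ip with IP protocol number proto falls inside a matched range."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == first.version and first <= addr <= last and proto in protos
               for (first, last), protos in entries.items())

if __name__ == "__main__":
    matched = location_entries(SAMPLE, 840, 283, 23352)
    print(to_cidrs(matched))
```

Protocol numbers 6 and 17 in the output are TCP and UDP; comparing the resulting CIDR list against the destinations the policy is meant to allow shows whether the location object is broader than intended.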
