Administration Guide

Internet Service Database on-demand mode NEW

Internet Service Database (ISDB) on-demand mode replaces the full-sized ISDB file with a much smaller file that is downloaded onto the flash drive. This file contains only the essential entries for Internet Services. When a service is used in a firewall policy, the FortiGate queries FortiGuard to download the IP addresses and stores them on the flash drive. The FortiGate also queries the local MAC Database (MADB) for corresponding MAC information. The content of the ISDB entries used in firewall policies persists through reboots.

To enable ISDB (FFDB) on-demand mode:
  1. Configure the global setting:

    config system global
        set internet-service-database on-demand
    end

    All FFDB files are erased.

  2. Verify that there are no ISDB (FFDB) files:

    # diagnose autoupdate versions | grep Internet -A 6
    Internet-service On-Demand Database
    ---------
    Version: 0.00000
    Contract Expiry Date: n/a
    Last Updated using manual update on Mon Jan  1 00:00:00 2001
    Last Update Attempt: n/a
    Result: Updates Installed

    Shortly after, the ISDB (FFDB) data structure is downloaded on the FortiGate. The following message appears in the debug messages:

    do_ffsr_update[1567]-Starting  Update FFDB ondemand:(not final retry)

  3. Run diagnostics again to verify that the ISDB (FFDB) files are saved on the FortiGate flash drive:

    # diagnose autoupdate versions | grep Internet -A 6
    Internet-service On-Demand Database
    ---------
    Version: 7.02950
    Contract Expiry Date: n/a
    Last Updated using manual update on Fri Jan  6 06:45:00 2023
    Last Update Attempt: n/a
    Result: Updates Installed

  4. Since no services have been applied to a policy, the IP range and IP address values are blank in the summary details. For example, check the summary details for ID 1245187, Fortinet DNS:

    # diagnose internet-service id-summary 1245187
    Version: 00007.02950
    Timestamp: 202301060645
    Total number of IP ranges: 3085
    Number of Groups: 1
    Group(0), Singularity(90), Number of IP ranges(3085)
    Internet Service: 1245187(Fortinet-DNS)
    Number of IP ranges: 0
    Number of IP addresses: 0
    Singularity: 0
    Icon Id: 19
    Direction: dst
    Data source: isdb
    Country: 
    Region: 
    City:

  5. Apply the Fortinet DNS service in a firewall policy:

    config firewall policy
        edit 1
            set name "FDNS"
            set srcintf "port1"
            set dstintf "wan1"
            set action accept
            set srcaddr "all"
            set internet-service enable
            set internet-service-name "Fortinet-DNS"
            set schedule "always"
            set nat enable
        next
    end

  6. Verify the summary details again for ID 1245187 (Fortinet DNS). There is now data for the IP range and IP address values:

    # diagnose internet-service id-summary 1245187
    Version: 00007.02951
    Timestamp: 202301061144
    Total number of IP ranges: 3558
    Number of Groups: 2
    Group(0), Singularity(90), Number of IP ranges(3078)
    Group(1), Singularity(10), Number of IP ranges(480)
    Internet Service: 1245187(Fortinet-DNS)
    Number of IP ranges: 480
    Number of IP addresses: 55242
    Singularity: 10
    Icon Id: 19
    Direction: dst
    Data source: isdb
    Country: 12 32 36 40 56 124 158 170 203 222 250 276 320 332 344 356 360 372 380 392 458 484 
            528 591 600 604 642 643 702 764 784 807 826 840 
    Region: 55 132 159 169 251 261 283 444 501 509 529 565 596 634 697 709 721 742 744 758 776 860 
            1002 1056 1073 1151 1180 1190 1195 1216 1264 1280 1283 1284 1287 1290 1315 1319 1348 1363 1373 1380 1387 
            1437 1457 1509 1536 1539 1660 1699 1740 1752 1776 1777 1826 1833 1874 1906 1965 2014 2028 2039 2060 2063 
            2147 2206 65535 
    City: 615 679 818 1001 1106 1117 1180 1207 1330 1668 1986 2139 2812 2868 3380 3438 3485 3670 4276 4588 4622 4904 
            5334 5549 5654 5827 6322 6325 6330 6355 6652 7844 9055 10199 10333 11420 12930 13426 13685 13769 14107 14813 15121 
            15220 15507 15670 16347 16561 16564 16567 16631 17646 17746 17885 17975 17995 18071 18476 19066 19285 20784 21065 21092 21136 
            21146 21266 21337 21779 21993 22292 22414 22912 23352 23367 23487 23574 23635 23871 23963 24076 24203 24298 24611 24955 25050 
            25332 26854 27192 27350 28825 28866 65535

To verify MAC vendor information:

    # diagnose vendor-mac id 1
    Vendor MAC: 1(ASUS)
    Version: 0000100146
    Timestamp: 202301031100
    Number of MAC ranges: 85
    00:04:0f:00:00:00 - 00:04:0f:ff:ff:ff
    00:0c:6e:00:00:00 - 00:0c:6e:ff:ff:ff
    00:0e:a6:00:00:00 - 00:0e:a6:ff:ff:ff
    ...
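
An added example (not Fortinet code): a Python check that parses captured `diagnose internet-service id-summary` output, as shown in steps 4 and 6 of the on-demand procedure, and reports whether the IP data for a service referenced in a policy has been downloaded. The helper names are hypothetical, and the group-sum consistency check is an assumption inferred from the two outputs on this page.

```python
import re

# Constructed samples: id-summary outputs from steps 4 and 6, trimmed to the fields read here.
BEFORE_POLICY = """\
Total number of IP ranges: 3085
Group(0), Singularity(90), Number of IP ranges(3085)
Internet Service: 1245187(Fortinet-DNS)
Number of IP ranges: 0
Number of IP addresses: 0
"""
AFTER_POLICY = """\
Total number of IP ranges: 3558
Group(0), Singularity(90), Number of IP ranges(3078)
Group(1), Singularity(10), Number of IP ranges(480)
Internet Service: 1245187(Fortinet-DNS)
Number of IP ranges: 480
Number of IP addresses: 55242
"""

GROUP_RE = re.compile(r"Group\(\d+\), Singularity\(\d+\), Number of IP ranges\((\d+)\)")
SERVICE_RE = re.compile(r"Internet Service: (\d+)\((.+)\)")
FIELDS = {  # output label -> key in the parsed dict
    "Total number of IP ranges": "total_ranges",
    "Number of IP ranges": "service_ranges",
    "Number of IP addresses": "service_addresses",
}

def parse_id_summary(text):
    """Hypothetical helper (not a Fortinet API): id-summary text -> dict."""
    out = {"groups": []}
    for line in map(str.strip, text.splitlines()):
        if m := GROUP_RE.fullmatch(line):
            out["groups"].append(int(m.group(1)))
        elif m := SERVICE_RE.fullmatch(line):
            out["id"], out["name"] = int(m.group(1)), m.group(2)
        else:
            label, _, value = line.partition(":")
            if label in FIELDS:  # other fields (Country, City, ...) are ignored
                out[FIELDS[label]] = int(value)
    return out

def check_service(text):
    s = parse_id_summary(text)
    problems = []  # an empty list means the entry is populated and consistent
    if sum(s["groups"]) != s["total_ranges"]:  # assumption inferred from the page's outputs
        problems.append("group range counts do not add up to the total")
    if s["service_ranges"] == 0 or s["service_addresses"] == 0:
        problems.append(f"{s['name']} ({s['id']}) has no downloaded IP data")
    return problems
```

Run `check_service` against the output captured after a policy change; a non-empty result for a service that a policy references means the on-demand download has not completed for that entry.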
