Allow creation of ISDB objects with regional information
Geographic-based Internet Service Database (ISDB) objects allow users to define a country, region, and city. These objects can be used in firewall policies for more granular control over the location of the parent ISDB object. ISDB objects are now referenced in policies by name instead of ID.
To apply a location-based ISDB object to a policy in the GUI:
-
Create the ISDB object:
-
Go to Policy & Objects > Internet Service Database and click Create New > Geographic Based Internet Service.
-
Configure the settings as required.
-
Click OK.
-
-
View the IP ranges in the location-based internet service:
-
Go to Policy & Objects > Internet Service Database .
-
In the table, hover over the object created in step 1 and click View/Edit Entries. The list of IPs is displayed:
-
Click Return.
-
-
Add the ISDB object to a policy:
-
Go to Policy & Objects > Firewall Policy and create a new policy or edit an existing one.
-
For Destination, select Internet Service from the dropdown list and select the ISDB object created in step 1.
-
Configure the other settings as needed.
-
Click OK.
-
To apply a location-based ISDB object to a policy in the CLI:
- Create the ISDB object:
config firewall internet-service-name edit "test-location-isdb-1" set type location set internet-service-id 65536 set country-id 840 set region-id 283 set city-id 23352 next end
- View the IP ranges in the location-based internet service:
# diagnose internet-service id 65536 | grep "country(840) region(283) city(23352)" 96.45.33.73-96.45.33.73 country(840) region(283) city(23352) blocklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(6) port(1-65535) 96.45.33.73-96.45.33.73 country(840) region(283) city(23352) blocklist(0x0) reputation(4), domain(5) popularity(0) botnet(0) proto(17) port(1-65535) 198.94.221.56-198.94.221.56 country(840) region(283) city(23352) blocklist(0x0) reputation(4), domain(5) popularity(4) botnet(0) proto(6) port(1-65535) 198.94.221.56-198.94.221.56 country(840) region(283) city(23352) blocklist(0x0) reputation(4), domain(5) popularity(4) botnet(0) proto(17) port(1-65535)
- Add the ISDB object to a policy:
config firewall policy edit 3 set name "PC to Google" set srcintf "port2" set dstintf "port1" set srcaddr "PC" set internet-service enable set internet-service-name "test-location-isdb-1" set action accept set schedule "always" set logtraffic all set logtraffic-start enable set auto-asic-offload disable set nat enable next end