
Administration Guide

Apply FQDN address groups within the ISDB

Fully Qualified Domain Name (FQDN) address groups can be applied within the Internet Service Database (ISDB), addressing the challenge of frequently changing IP addresses and ensuring accurate and reliable firewall policies. Predefined, built-in FQDN address groups are available as custom Internet services and can be applied to various firewall policies using the internet-service-custom command.

The following diagnose commands identify predefined FQDNs:

# diagnose ffdb-fqdn custom-list [<Predefined Internet service name>]
# diagnose ffdb-fqdn custom-get <Predefined FQDN name>

Command: ffdb-fqdn custom-list
Description: List which specific FQDNs are included in a built-in FQDN entry. If the custom name of the predefined Internet service is appended to the end of the command, only that entry's information is displayed. If a custom name is not given, all entries in the current database are listed.

Command: ffdb-fqdn custom-get
Description: Determine which built-in FQDN entry the given FQDN name belongs to.

To list built-in FQDNs included in an FQDN entry:
# diagnose ffdb-fqdn custom-list g-BuiltIn-Microsoft-Microsoft.Update

Version: 00007.03913
Timestamp: 202410251745
Format: 1
MD5SUM: f6091dd5132f25bec4294442918e0c35

List BuiltIn FQDNs for g-BuiltIn-Microsoft-Microsoft.Update:

*.dsp.mp.microsoft.com; *.windowsupdate.com; windowsupdate.microsoft.com; *.update.microsoft.com; *.download.microsoft.com; wustat.windows.com; ntservicepack.microsoft.com; *.delivery.mp.microsoft.com; devicelistenerprod.microsoft.com;

To determine which entry a given FQDN is included in:
# diagnose ffdb-fqdn custom-get windowsupdate.microsoft.com

Version: 00007.03913
Timestamp: 202410251745
Format: 1
MD5SUM: f6091dd5132f25bec4294442918e0c35

Get BuiltIn Custom Name for windowsupdate.microsoft.com:

g-BuiltIn-Microsoft-Microsoft.Update

Example

In the following example, a predefined FQDN Internet service, g-BuiltIn-Microsoft-Microsoft.Update, is applied to a firewall policy. We then review how the custom Internet service is loaded in the kernel and send packets from the client through the FortiGate to hit the policy. Finally, we review the Internet service related fields in the traffic logs.

To apply FQDN address groups within the ISDB:
  1. Apply the built-in FQDN entry to the firewall policy:

    config firewall policy
        edit 1
            set name "isdb-policy"
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set internet-service enable
            set internet-service-custom "g-BuiltIn-Microsoft-Microsoft.Update"
            set schedule "always"
            set logtraffic all
            set auto-asic-offload disable
            set nat enable
        next
    end
  2. Review how the FQDN entry is loaded into the kernel:

    # diagnose firewall iprope list 100004 | grep -A 16 index=1
    
    policy index=1 uuid_idx=8207 action=accept
    flag (8050109): log redir nat master use_src pol_stats
    flag2 (6200): no_asic log_fail resolve_sso
    flag3 (a0): link-local best-route
    flag4 (200): port-preserve
    schedule(always)
    cos_fwd=255  cos_rev=255
    group=00100004 av=00004e20 au=00000000 split=00000000
    host=0 chk_client_info=0x0 app_list=0 ips_view=0
    misc=0
    zone(1): 8 -> zone(1): 7
    source(1): 0.0.0.0-255.255.255.255, uuid_idx=8050,
    dest(1): 0.0.0.0-255.255.255.255, uuid_idx=8050,
    service(1):
            [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto 
    internet service(1): g-BuiltIn-Microsoft-Microsoft.Update(4278190087,0,0,0)
  3. Review the FQDN domain names and the corresponding IP addresses contained in the built-in FQDN entry. These domain names are resolved by the DNS server configured on the FortiGate; wildcard names and names that have not yet been resolved are listed without an ADDR value.

    # diagnose firewall internet-service-custom list
    
    List internet service in kernel(custom):
    name=g-BuiltIn-Microsoft-Microsoft.Update id=4278190087 reputation=3 Unverified site. singularity=0 flags=0x0 protocol=0
    fqdn=(9):
            devicelistenerprod.microsoft.com ID(26) ADDR(172.179.72.126)
            *.download.microsoft.com ID(42)
            *.update.microsoft.com ID(79)
            *.dsp.mp.microsoft.com ID(83)
            ntservicepack.microsoft.com ID(147) ADDR(20.72.235.82)
            windowsupdate.microsoft.com ID(210) ADDR(20.72.235.82)
            wustat.windows.com ID(216)
            *.windowsupdate.com ID(241)
            *.delivery.mp.microsoft.com ID(339)
  4. Send packets from the client to the FQDN domain windowsupdate.microsoft.com, which is one of the FQDN domains included in g-BuiltIn-Microsoft-Microsoft.Update. The traffic will hit and be forwarded by the firewall policy.

    1: date=2024-10-16 time=12:30:24 eventtime=1729107023938309279 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.41 srcport=46900 srcintf="port2" srcintfrole="undefined" dstip=20.72.235.82 dstport=443 dstintf="port1" dstintfrole="undefined" srcuuid="5cfbeb4e-b05e-51ee-233c-5026f6bf6d00" srccountry="Reserved" dstcountry="United States" dstreputation=3 sessionid=1243 proto=6 action="close" policyid=1 policytype="policy" poluuid="ea3d8560-ea62-51ee-fa88-20dfc247a38c" policyname="isdb-policy" dstinetsvc=" g-BuiltIn-Microsoft-Microsoft.Update" service=" g-BuiltIn-Microsoft-Microsoft.Update" trandisp="snat" transip=172.16.200.6 transport=46900 appcat="unscanned" duration=2 sentbyte=1623 rcvdbyte=5268m sentpkt=16 rcvdpkt=13
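The two outputs above (the kernel's custom Internet service list in step 3 and the traffic log in step 4) can be cross-checked to confirm that a logged session really matched a resolved address of the built-in FQDN entry, and to spot entries the FortiGate has not resolved. The following script is an added example and is not part of the FortiOS documentation or product; the sample output and log line are constructed here to mirror the shapes shown in the guide, and the key=value log parsing is a simplification that assumes values contain no embedded quotes.

```python
"""Cross-check FortiGate ISDB custom-service kernel output against a traffic log.

Added example, not FortiOS code. KERNEL_LIST and TRAFFIC_LOG are constructed
samples modelled on the guide's `diagnose firewall internet-service-custom list`
output and its traffic log line.
"""
import re
from typing import Dict, List, Optional

# Constructed sample of the kernel's custom Internet service list.
KERNEL_LIST = """\
List internet service in kernel(custom):
name=g-BuiltIn-Microsoft-Microsoft.Update id=4278190087 reputation=3 Unverified site. singularity=0 flags=0x0 protocol=0
fqdn=(9):
        devicelistenerprod.microsoft.com ID(26) ADDR(172.179.72.126)
        *.download.microsoft.com ID(42)
        *.update.microsoft.com ID(79)
        *.dsp.mp.microsoft.com ID(83)
        ntservicepack.microsoft.com ID(147) ADDR(20.72.235.82)
        windowsupdate.microsoft.com ID(210) ADDR(20.72.235.82)
        wustat.windows.com ID(216)
        *.windowsupdate.com ID(241)
        *.delivery.mp.microsoft.com ID(339)
"""

# Constructed traffic log line in the guide's key=value format (shortened).
TRAFFIC_LOG = (
    '1: date=2024-10-16 time=12:30:24 type="traffic" subtype="forward" '
    'srcip=10.1.100.41 srcport=46900 dstip=20.72.235.82 dstport=443 '
    'action="close" policyid=1 policyname="isdb-policy" '
    'dstinetsvc=" g-BuiltIn-Microsoft-Microsoft.Update" '
    'service=" g-BuiltIn-Microsoft-Microsoft.Update" trandisp="snat"'
)

# One fqdn line: "<name> ID(<n>)" with an optional "ADDR(<ip>[,<ip>...])".
FQDN_RE = re.compile(r"^\s*(\S+)\s+ID\((\d+)\)(?:\s+ADDR\(([^)]+)\))?\s*$")
NAME_RE = re.compile(r"^name=(\S+)\s+id=(\d+)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kernel_list(text: str) -> Dict[str, dict]:
    """Return {service_name: {"id": int, "fqdns": [{fqdn, id, addrs}]}}.

    Entries without ADDR(...) are kept with an empty address list so the
    caller can see which names the kernel holds unresolved.
    """
    services: Dict[str, dict] = {}
    current: Optional[dict] = None
    for line in text.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            current = {"id": int(m.group(2)), "fqdns": []}
            services[m.group(1)] = current
            continue
        m = FQDN_RE.match(line)
        if m and current is not None:
            addrs = m.group(3).split(",") if m.group(3) else []
            current["fqdns"].append({"fqdn": m.group(1), "id": int(m.group(2)),
                                     "addrs": [a.strip() for a in addrs]})
    return services


def parse_traffic_log(line: str) -> Dict[str, str]:
    """Parse a key=value traffic log line. Quotes and surrounding whitespace are
    stripped from values (dstinetsvc carries a leading space in the sample)."""
    return {k: v.strip('"').strip() for k, v in KV_RE.findall(line)}


def unresolved_fqdns(service: dict) -> List[str]:
    """FQDNs the kernel holds without a resolved address.

    Wildcard names are expected here; a literal name with no ADDR() usually
    means DNS resolution on the FortiGate has not completed or has failed."""
    return [f["fqdn"] for f in service["fqdns"] if not f["addrs"]]


def log_matches_service(log: Dict[str, str], services: Dict[str, dict]) -> bool:
    """True when the log's dstinetsvc names a loaded custom service and the
    log's dstip is one of that service's resolved addresses."""
    svc = services.get(log.get("dstinetsvc", ""))
    if svc is None:
        return False
    resolved = {a for f in svc["fqdns"] for a in f["addrs"]}
    return log.get("dstip") in resolved


if __name__ == "__main__":
    services = parse_kernel_list(KERNEL_LIST)
    svc = services["g-BuiltIn-Microsoft-Microsoft.Update"]
    print("unresolved:", unresolved_fqdns(svc))
    log = parse_traffic_log(TRAFFIC_LOG)
    print("log matches loaded service:", log_matches_service(log, services))
```

Run against real output, the unresolved list tells you which names the policy cannot match yet; a literal (non-wildcard) name sitting there after the DNS cache should have populated is the first thing to check when traffic unexpectedly misses an ISDB policy.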