This topic shows how to apply a predefined Internet Service entry into a policy.
The Internet Service Database is a comprehensive public IP address database that combines IP address range, IP owner, service port number, and IP security credibility. The data comes from the FortiGuard service system. Information is regularly added to this database, for example, geographic location, IP reputation, popularity & DNS, and so on. All this information helps users define Internet security more effectively. You can use the contents of the database as criteria for inclusion or exclusion in a policy.
From FortiOS version 5.6, Internet Service is included in the firewall policy. It can be applied to a policy only as a destination object. From version 6.0, Internet Service can be applied both as source and destination objects in a policy. You can also apply Internet Services to shaping policy.
There are three types of Internet Services you can apply to a firewall policy:
- Predefined Internet Services
- Custom Internet Services
- Extension Internet Services
Go to Policy & Objects > Firewall Policy and click Create New.
Click in the Destination field.
In the Select Entries pane, click Internet Service and select Google-Gmail.
Configure the remaining fields as needed.
In the CLI, enable the
internet-service first and then use its ID to apply the policy.
This example uses Google Gmail and its ID is 65646. Each Internet Service has a unique ID.
config firewall policy edit 9 set name "Internet Service in Policy" set srcintf "wan2" set dstintf "wan1" set srcaddr "all" set internet-service enable set internet-service-id 65646 set action accept set schedule "always" set utm-status enable set av-profile "g-default" set ssl-ssh-profile "certificate-inspection" set nat enable next end
# diagnose internet-service id-summary 65646 Version: 0000600096 Timestamp: 201902111802 Total number of IP ranges: 444727 Number of Groups: 7 Group(0), Singularity(20), Number of IP ranges(142740) Group(1), Singularity(19), Number of IP ranges(1210) Group(2), Singularity(16), Number of IP ranges(241) Group(3), Singularity(15), Number of IP ranges(38723) Group(4), Singularity(10), Number of IP ranges(142586) Group(5), Singularity(8), Number of IP ranges(5336) Group(6), Singularity(6), Number of IP ranges(113891) Internet Service: 65646(Google.Gmail) Number of IP range: 60 Number of IP numbers: 322845 Singularity: 15 Reputation: 5(Known and verified safe sites such as Gmail, Amazon, eBay, etc.) Icon Id: 510 Second Level Domain: 53(gmail.com) Direction: dst Data source: isdb
Because the IP and services related to Google Gmail on the Internet are included in this Internet Service (65646), all traffic to Google Gmail is forwarded by this policy.