Introduction
Understanding how to effectively configure a firewall policy with Internet Service entries can dramatically enhance the security and management capabilities of your FortiGate firewall. This guide walks you through the procedure of integrating predefined Internet Service entries, leveraging FortiGuard’s robust IP database, to refine your security policies.
Purpose of Using Internet Services in Policies
The Internet Service Database (ISDB) is a large database of public IP addresses. It combines IP ranges, IP owner details, service port numbers, and IP reputation data, all sourced from the FortiGuard service. Because it is updated frequently with geographic location, IP reputation, and DNS information, it lets you write security policies that are defined more precisely than static address objects allow.
Types of Internet Services
- Predefined Internet Services: These are readily available entries within the FortiGate system, sourced directly from FortiGuard.
- Custom Internet Services: Tailored entries that you can define based on specific requirements not covered by predefined entries.
- Extension Internet Services: These extend existing Internet Service definitions with additional parameters or applications.
Application in Firewall Policy
Since FortiOS version 5.6, Internet Service entries can be added as destination objects in firewall policies. Starting from version 6.0, they can also be applied as source objects, which widens the range of traffic policies they can express.
Configuring Internet Service in Firewall Policy
Using the GUI (Graphical User Interface)
IPv4 Configuration
- Navigate to Policy & Objects > Firewall Policy and select Create New.
- In the Destination field, choose Internet Service from the dropdown list.
- Select an Internet Service entry like Google-Gmail. Configure additional fields as needed and click OK.
IPv6 Configuration
- Go to Policy & Objects > Firewall Policy and click Create New.
- In the Destination section, select Internet Service from the dropdown list and choose an IPv6 entry such as Google-Gmail.
- Optionally, view the details of the IPv6 range by clicking View/Edit Entries, then finalize the configuration by clicking OK.
Using the CLI (Command Line Interface)
IPv4 Configuration
Create a firewall policy that uses an Internet Service entry as its destination (the policy ID 9 and entry ID 65646 are the values used in this example):
config firewall policy
    edit 9
        set name "Internet Service in Policy"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-id 65646
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "g-default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
IPv6 Configuration
Create a firewall policy that uses an IPv6 Internet Service entry as its destination:
config firewall policy
    edit 4
        set name "Internet Service6 policy"
        set srcintf "vlan100"
        set dstintf "wan1"
        set action accept
        set srcaddr6 "all"
        set internet-service6 enable
        set internet-service6-name "Google-Gmail"
        set schedule "always"
        set nat enable
    next
end
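As an added example that is not part of this guide and not a Fortinet tool, the following Python script parses a `config firewall policy` block as exported from the CLI and checks each policy for the two inconsistencies a reviewer looks for when Internet Service entries are in use: the Internet Service flag enabled with no entry selected, and an address object set as the destination alongside it (the GUI's Destination field accepts either an Internet Service or an address object, not both). It also reports, as informational, accept policies with no UTM profiles applied. The sample configuration is constructed from the two policies above plus a deliberately inconsistent third policy (edit 12); the `internet-service-name` key is assumed to be the newer name-based form of `internet-service-id` and is accepted as an alternative.

```python
import re

# Constructed sample: the IPv4 and IPv6 policies from this guide plus a
# deliberately inconsistent third policy (edit 12) for the checker to flag.
SAMPLE_CONFIG = """
config firewall policy
    edit 9
        set name "Internet Service in Policy"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-id 65646
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "g-default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
    edit 4
        set name "Internet Service6 policy"
        set srcintf "vlan100"
        set dstintf "wan1"
        set action accept
        set srcaddr6 "all"
        set internet-service6 enable
        set internet-service6-name "Google-Gmail"
        set schedule "always"
        set nat enable
    next
    edit 12
        set name "broken policy"
        set srcintf "vlan100"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set internet-service enable
        set action accept
        set schedule "always"
    next
end
"""

SET_RE = re.compile(r'^set\s+(\S+)\s+(.*)$')


def _parse_values(raw):
    """Split a 'set' value list; quoted values may contain spaces."""
    return [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', raw)]


def parse_policies(text):
    """Return {policy_id: {key: [values]}} for each 'edit' block inside
    'config firewall policy'. Other tables in the export are ignored."""
    policies, current, in_table = {}, None, False
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if line == "config firewall policy":
            in_table = True
        elif not in_table:
            continue
        elif line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
            policies[current] = {}
        elif line == "next":
            current = None
        elif line == "end":
            in_table = False
        elif current is not None:
            m = SET_RE.match(line)
            if m:
                policies[current][m.group(1)] = _parse_values(m.group(2))
    return policies


# (flag key, conflicting address key, keys that select the ISDB entry);
# internet-service-name is assumed to be the newer form of internet-service-id.
ISDB_RULES = (
    ("internet-service", "dstaddr", ("internet-service-id", "internet-service-name")),
    ("internet-service6", "dstaddr6", ("internet-service6-name",)),
)


def audit_policy(pid, settings):
    """Return 'error:'/'info:' findings for one parsed policy."""
    findings = []
    for flag, addr_key, entry_keys in ISDB_RULES:
        if settings.get(flag) != ["enable"]:
            continue
        if not any(k in settings for k in entry_keys):
            findings.append(f"error: policy {pid}: {flag} enabled but no entry "
                            f"selected ({' / '.join(entry_keys)})")
        if addr_key in settings:
            findings.append(f"error: policy {pid}: {flag} and {addr_key} both set; "
                            "the destination is an Internet Service or an address object")
    if settings.get("action") == ["accept"] and settings.get("utm-status") != ["enable"]:
        findings.append(f"info: policy {pid}: accept policy without utm-status enable")
    return findings


def audit_config(text):
    """Audit every policy in the export; returns {policy_id: [findings]}."""
    return {pid: audit_policy(pid, s) for pid, s in parse_policies(text).items()}


if __name__ == "__main__":
    for pid, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"policy {pid}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  " + finding)
```

Run against a `show firewall policy` export, policy 9 passes, policy 4 gets only the informational note about missing UTM profiles, and policy 12 is reported twice as an error (no entry selected, and `dstaddr` set together with `internet-service`). The parser deliberately keys on the exact `config firewall policy` line so that other tables in a full configuration export are skipped.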
Conclusion
By integrating Internet Service entries into your firewall policies, you gain more granular control over network security and benefit from the comprehensive FortiGuard IP database. Whether you use the GUI or the CLI, these configurations let you write policies that allow or restrict internet access precisely, steering network usage towards secure and legitimate services.