A feature called Internet Service DB (ISDB) was introduced on FortiOS. Using this feature you can write firewall policies and policy routes and have the FortiGate take the necessary action based on the application IP database it holds.
This feature was introduced in FortiOS v5.4 and above. NOTE: ISDB updates require an active FortiCare support contract; no FortiGuard subscription is required.
In the FortiOS v5.2 days you could create a firewall policy with an FQDN address to block/allow users based on a website hostname. However, that is no longer an option from v5.4 and above (not supported).
Blocking/allowing user access based on a public application's IP addresses is not an easy task. There will be dozens of IP addresses (e.g. Facebook and Google), it is not easy for everyone to manage such an IP database by hand, and new IP addresses will always be added to the list.
So you can now take advantage of the ISDB feature and let it manage the dynamic changes of IP addresses.
>Running the following command shows you the available and updated signature DBs on the FortiGate, and you should see ISDB showing up there as well.
# diagnose autoupdate versions
>To list the IP addresses in the DB for a particular application (this can also be seen through the GUI):
# diagnose firewall internet-service list 3604481
'3604481' is the application ID for GitHub-Web.
NOTE: I have chosen the application GitHub just for my examples.
>FortiOS also lets you create your own custom ISDB objects; this helps customers manage their own list on top of what FortiOS is offering. You can list your custom objects after you create one, like below.
# diagnose firewall internet-service-custom list
List internet service in kernel(custom):
name=Git-custom, id=4294901760 flags=0x0 protocol=6 port=80-65535 1-65535
addr ip range(1): 200.X.X.X-200.X.X.X
>You can also add more IP addresses that you feel ISDB is missing for an application by simply creating a custom object that references the master-service-id:
# config firewall internet-service-custom
(internet-service~tom) # show
config firewall internet-service-custom
    edit "Git-custom"
        set master-service-id 3604481
        set comment "git"
        set protocol 6
        set start-port 80
        set dst "x.x.x.x"
    next
end
>You can create a firewall policy with an existing Internet Service DB entry or a custom Internet Service DB object you created, while also using it for route control.
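To tie the pieces above together, here is an added example (my own configuration, not from the original post) that attaches an extra range to GitHub-Web (3604481) through a custom object, then uses that ISDB entry as the destination of an outbound firewall policy and a policy route. The address object name, the 203.0.113.x range, the interface names and port 443 are my assumptions; the policy-route stanza uses the `internet-service-id` keyword of 5.6-era builds, which I assume is present on your firmware.

```fortios
# Address object holding the range that ISDB is missing (constructed placeholder range)
config firewall address
    edit "github-extra-range"
        set type iprange
        set start-ip 203.0.113.10
        set end-ip 203.0.113.20
    next
end

# Custom ISDB object attached to GitHub-Web (3604481); as the post describes,
# the custom range is added on top of that master service
config firewall internet-service-custom
    edit "Git-custom"
        set master-service-id 3604481
        set comment "GitHub-Web ranges missing from ISDB"
        set protocol 6
        set start-port 443
        set end-port 443
        set dst "github-extra-range"
    next
end

# Outbound policy: the destination comes from ISDB, not a static address list
config firewall policy
    edit 0
        set name "allow-github-web"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-id 3604481
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

# Policy route: send the same ISDB destinations out a specific WAN link
config router policy
    edit 1
        set input-device "internal"
        set internet-service-id 3604481
        set output-device "wan2"
    next
end
```

After applying it, re-run `diagnose firewall internet-service list 3604481` to confirm the custom range now appears alongside the FortiGuard-supplied entries.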