Has anyone spotted any issues with internet service database (ISD) in 6.2.2

Author
James_G
2019/11/17 08:45:44


As title - not working for me in firewall policies
 
I have a ticket open, but wonder if anyone has seen the same?
#1


    boneyard
    Re: Has anyone spotted any issues with internet service database (ISD) in 6.2.2 2019/11/29 00:56:10
    Didn't see an issue, how is it exactly not working?
    #2
    James_G
    Re: Has anyone spotted any issues with internet service database (ISD) in 6.2.2 2019/11/30 17:12:12
    Logged support call, they pointed out behaviour changes in 6.2.2 (in release notes) where ISD is used for source addresses. I had to change the previous working config to a different ISD entry to get service back.

    The rule in question was for source addresses from Office 365 mail, had to change to a new entry called Office365.published.
    #3
    tanr
    Re: Has anyone spotted any issues with internet service database (ISD) in 6.2.2 2019/12/01 09:23:04
    @James_G, can you give more detail on why you had to change?  Did you have a source port specified?  Or was something else going on?
     
    From the release notes: Only IP and Protocol are matched and source port is ignored when ISDB is applied as source in policy.  But it seems like this wouldn't usually cause issues.
    #4
    James_G
    Re: Has anyone spotted any issues with internet service database (ISD) in 6.2.2 2019/12/03 04:03:18
    Cut / paste from Fortinet support:
     
    The root cause is that ISDB uses 3 parameters (protocol, port and IP address) to identify a service. In most cases, it is correct. Unfortunately, it is not true for the Office365 case as a source.

    As TCP traffic usually selects a random port as source port, we just ignore the port when identifying an Internet service as source. As an example, the traffic is simplified to <6, 0, 104.47.12.50> from <6, 38045, 104.47.12.50>. In the ISDB, this <6, 104.47.12.50> matches another internet service 327880. So, the traffic is getting recognized as 327880. Therefore, we are having an unmatched case.
    #5
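
The matching behaviour support describes in post #5, as an added Python sketch that is not part of the thread and not Fortinet code: it models ISDB entries as (service ID, protocol, port, prefix) and shows why a full match fails on a random source port while a port-less match returns more than one service. Only 327880, 104.47.12.50 and source port 38045 come from the thread; the other IDs, ports and prefixes are constructed placeholders.

```python
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed sample entries: (service_id, protocol, port, prefix).
# 327880 is the ID quoted by support. 900001 and 900002 are placeholder IDs,
# and every port and prefix here is an assumption, not real ISDB data.
ENTRIES = [
    (900001, 6, 25, ip_network("104.47.0.0/17")),    # stand-in for the Office 365 mail entry
    (327880, 6, 443, ip_network("104.47.12.0/24")),  # other service covering the same IP
    (900002, 6, 443, ip_network("198.51.100.0/24")), # unrelated service
]


def match_full(proto, port, ip):
    """Identify a service by protocol, port and IP (the three-parameter match)."""
    addr = ip_address(ip)
    return [sid for sid, p, prt, net in ENTRIES
            if p == proto and prt == port and addr in net]


def match_source(proto, ip):
    """Source-side match as described for 6.2.2: port ignored, protocol and IP only."""
    addr = ip_address(ip)
    return [sid for sid, p, _port, net in ENTRIES if p == proto and addr in net]


def source_collisions():
    """Audit: pairs of services that become indistinguishable once the port is ignored."""
    return [(a[0], b[0]) for a, b in combinations(ENTRIES, 2)
            if a[1] == b[1] and a[3].overlaps(b[3])]


if __name__ == "__main__":
    # A random client-side source port never equals a service port, so the
    # full match finds nothing when the service is used as a source.
    print("full match  :", match_full(6, 38045, "104.47.12.50"))
    # With the port dropped, two services claim the address; a policy that
    # names one of them fails if the traffic is recognized as the other.
    print("source match:", match_source(6, "104.47.12.50"))
    print("collisions  :", source_collisions())
```

Running the collision audit over the services referenced as sources in policy, before an upgrade, flags the rules whose match result can change when the port stops being compared.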
    boneyard
    Re: Has anyone spotted any issues with internet service database (ISD) in 6.2.2 2019/12/05 09:57:39
    When would you use Office365 as a source?
    #6
    James_G
    Re: Has anyone spotted any issues with internet service database (ISD) in 6.2.2 2019/12/05 10:55:21
    Office 365 hybrid setup: the cloud-based components need access to the on-prem Exchange EWS virtual directory, but I want to prevent access to this resource from anywhere else on the net.
    #7
    boneyard
    Re: Has anyone spotted any issues with internet service database (ISD) in 6.2.2 2019/12/05 11:05:46
    Ah, interesting way to use it. Would think that many of the IPs are just for incoming traffic towards Office 365, but I assume enough of them did work for this setup?
    #8
    James_G
    Re: Has anyone spotted any issues with internet service database (ISD) in 6.2.2 2019/12/05 11:15:04
    It's not perfect, the source could be from one of 40,000 IP addresses, but at least those 40,000 IP addresses are from a trusted source (ish) and we prevent the other 4 billion addresses from getting access.

    No way to narrow this down further as the source totally changes from time to time, as O365 tenants get moved around data centers.
    #9