Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 6.4.12 Administration Guide
    6.4.12
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Internet service groups in policies

    Internet service groups in policies

    This feature provides support for Internet Service Groups in traffic shaping and firewall policies. Service groups can be used as the source and destination of the policy. Internet Service Groups are used as criteria to match traffic; the shaper will be applied when the traffic matches.

    To use a group as a destination, internet-service must be enabled. To use a group as a source, internet-service-src must be enabled.

    The following CLI variables are available in the firewall policy and firewall shaping-policy commands:

    Variable

    Description

    internet-service-group <string>

    Internet Service group name.

    internet-service-custom-group <string>

    Custom Internet Service group name.

    internet-service-src-group <string>

    Internet Service source group name.

    internet-service-src-custom-group <string>

    Custom Internet Service source group name.

    Examples

    The following examples use the below topology.

    Example 1

    In this example, the PC is allowed to access Google, so all Google services are put into an Internet Service Group.

    To configure access to Google services using an Internet Service Group using the CLI:
    1. Create a Service Group:
      config firewall internet-service-group
    edit "Google_Group"
        set direction destination
        set member 65537 65538 65539 65540 65542 65543 65544 65545 65550 65536 65646
    next
end
    2. Create a firewall policy to allow access to all Google Services from the PC:
      config firewall policy
    edit 1
        set name "PC to Google"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "PC"
        set internet-service enable
        set internet-service-group "Google_Group"
        set action accept
        set schedule "always"
        set fsso disable
        set nat enable
    next
end
    To configure access to Google services using an Internet Service Group in the GUI:
    1. On the FortiGate, create a Service Group using the CLI.
    2. Go to Policy & Objects > Firewall Policy, and create a new policy.
    3. Set the Destination as the just created Internet Service Group.

    4. Configure the remaining options as shown, then click OK.

      On the policy page, hover over the group to view a list of its members.

    Example 2

    In this example, two office FTP servers are put into an Internet Custom Service Group, and the PC connection to the FTP servers is limited to 1Mbps.

    To put two FTP servers into a custom service group and limit the PC connection speed to them using the CLI:
    1. Create custom internet services for the internal FTP servers:
      config firewall internet-service-custom
    edit "FTP_PM"
        config entry
            edit 1
                config port-range
                    edit 1
                        set start-port 21
                        set end-port 21
                    next
                end
                set dst "PM_Server"
            next
        end
    next
    edit "FTP_QA"
        config entry
            edit 1
                config port-range
                    edit 1
                        set start-port 21
                        set end-port 21
                    next
                end
                set dst "QA_Server"
            next
        end
    next
end
    2. Create a custom internet server group and add the just created custom internet services to it:
      config firewall internet-service-custom-group
    edit "Internal_FTP"
        set member "FTP_QA" "FTP_PM"
    next
end
    3. Create a traffic shaper to limit the maximum bandwidth:
      config firewall shaper traffic-shaper
    edit "Internal_FTP_Limit_1Mbps"
        set guaranteed-bandwidth 500
        set maximum-bandwidth 1000
        set priority medium
    next
end
    4. Create a firewall shaping policy to limit the speed from the PC to the internal FTP servers:
      config firewall shaping-policy
    edit 1
        set name "For Internal FTP"
        set internet-service enable
        set internet-service-custom-group "Internal_FTP"
        set dstintf "port1"
        set traffic-shaper "Internal_FTP_Limit_1Mbps"
        set traffic-shaper-reverse "Internal_FTP_Limit_1Mbps"
        set srcaddr "PC"
    next
end
    To put two FTP servers into a custom service group and limit the PC connection speed to the using the GUI:
    1. Create custom internet services for the internal FTP servers using the CLI.
    2. Create a custom internet server group and add the just created custom internet services to it using the CLI.
    3. Create a traffic shaper to limit the maximum bandwidth:
      1. Go to Policy & Objects > Traffic Shapers, and click Create New.
      2. Enter a Name for the shaper, such as Internal_FTP_Limit_1Mbps.
      3. Set the Traffic Priority to Medium.
      4. Enable Max Bandwidth and set it to 1000.
      5. Enable Guaranteed Bandwidth and set it to 500.
      6. Click OK.
    4. Create a firewall shaping policy to limit the speed from the PC to the internal FTP servers:
      1. Go to Policy & Objects > Traffic Shaping Policy, and click Create New.
      2. Set the Destination as the just created Custom Internet Service Group, and apply the just create traffic shaper.

      3. Configure the remaining options as shown, then click OK.
    Previous
    Next

    Internet service groups in policies

    Internet service groups in policies

    This feature provides support for Internet Service Groups in traffic shaping and firewall policies. Service groups can be used as the source and destination of the policy. Internet Service Groups are used as criteria to match traffic; the shaper will be applied when the traffic matches.

    To use a group as a destination, internet-service must be enabled. To use a group as a source, internet-service-src must be enabled.

    The following CLI variables are available in the firewall policy and firewall shaping-policy commands:

    Variable

    Description

    internet-service-group <string>

    Internet Service group name.

    internet-service-custom-group <string>

    Custom Internet Service group name.

    internet-service-src-group <string>

    Internet Service source group name.

    internet-service-src-custom-group <string>

    Custom Internet Service source group name.

    Examples

    The following examples use the below topology.

    Example 1

    In this example, the PC is allowed to access Google, so all Google services are put into an Internet Service Group.

    To configure access to Google services using an Internet Service Group using the CLI:
    1. Create a Service Group:
      config firewall internet-service-group
    edit "Google_Group"
        set direction destination
        set member 65537 65538 65539 65540 65542 65543 65544 65545 65550 65536 65646
    next
end
    2. Create a firewall policy to allow access to all Google Services from the PC:
      config firewall policy
    edit 1
        set name "PC to Google"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "PC"
        set internet-service enable
        set internet-service-group "Google_Group"
        set action accept
        set schedule "always"
        set fsso disable
        set nat enable
    next
end
    To configure access to Google services using an Internet Service Group in the GUI:
    1. On the FortiGate, create a Service Group using the CLI.
    2. Go to Policy & Objects > Firewall Policy, and create a new policy.
    3. Set the Destination as the just created Internet Service Group.

    4. Configure the remaining options as shown, then click OK.

      On the policy page, hover over the group to view a list of its members.

    Example 2

    In this example, two office FTP servers are put into an Internet Custom Service Group, and the PC connection to the FTP servers is limited to 1Mbps.

    To put two FTP servers into a custom service group and limit the PC connection speed to them using the CLI:
    1. Create custom internet services for the internal FTP servers:
      config firewall internet-service-custom
    edit "FTP_PM"
        config entry
            edit 1
                config port-range
                    edit 1
                        set start-port 21
                        set end-port 21
                    next
                end
                set dst "PM_Server"
            next
        end
    next
    edit "FTP_QA"
        config entry
            edit 1
                config port-range
                    edit 1
                        set start-port 21
                        set end-port 21
                    next
                end
                set dst "QA_Server"
            next
        end
    next
end
    2. Create a custom internet server group and add the just created custom internet services to it:
      config firewall internet-service-custom-group
    edit "Internal_FTP"
        set member "FTP_QA" "FTP_PM"
    next
end
    3. Create a traffic shaper to limit the maximum bandwidth:
      config firewall shaper traffic-shaper
    edit "Internal_FTP_Limit_1Mbps"
        set guaranteed-bandwidth 500
        set maximum-bandwidth 1000
        set priority medium
    next
end
    4. Create a firewall shaping policy to limit the speed from the PC to the internal FTP servers:
      config firewall shaping-policy
    edit 1
        set name "For Internal FTP"
        set internet-service enable
        set internet-service-custom-group "Internal_FTP"
        set dstintf "port1"
        set traffic-shaper "Internal_FTP_Limit_1Mbps"
        set traffic-shaper-reverse "Internal_FTP_Limit_1Mbps"
        set srcaddr "PC"
    next
end
    To put two FTP servers into a custom service group and limit the PC connection speed to the using the GUI:
    1. Create custom internet services for the internal FTP servers using the CLI.
    2. Create a custom internet server group and add the just created custom internet services to it using the CLI.
    3. Create a traffic shaper to limit the maximum bandwidth:
      1. Go to Policy & Objects > Traffic Shapers, and click Create New.
      2. Enter a Name for the shaper, such as Internal_FTP_Limit_1Mbps.
      3. Set the Traffic Priority to Medium.
      4. Enable Max Bandwidth and set it to 1000.
      5. Enable Guaranteed Bandwidth and set it to 500.
      6. Click OK.
    4. Create a firewall shaping policy to limit the speed from the PC to the internal FTP servers:
      1. Go to Policy & Objects > Traffic Shaping Policy, and click Create New.
      2. Set the Destination as the just created Custom Internet Service Group, and apply the just create traffic shaper.

      3. Configure the remaining options as shown, then click OK.
    Previous
    Next