ISDB in on-demand mode
Feature overview
By default, FortiGate stores the full-size ISDB (Internet Service Database) file in the Flash partition. On some lower-end models (for example FortiGate-30E and FortiGate-50E) the hardware Flash capacity is small, and holding the full-size ISDB there can cause problems with the Flash partition.
ISDB on-demand mode replaces the full-size ISDB file with a much smaller one that contains only the basic entries for each Internet service. When an ISDB entry is referenced in a firewall policy, traffic shaping policy, or SD-WAN rule, the FortiGate queries FortiGuard, downloads the IP address/port information for that entry, and stores it on the Flash drive. The content of ISDB entries used in firewall policies persists across reboots.
This feature is supported in FortiOS 7.2.4 GA and later.
Configuration steps
Enable on-demand mode for the ISDB in the CLI (the default is standard mode). Note that switching to on-demand mode deletes all ISDB entries already downloaded from FortiGuard from the Flash partition. After the change, run "execute update-ffdb-ondemand" to download the on-demand ISDB explicitly, or wait for the FortiGate's scheduled automatic update.
FortiGate # config sys global
FortiGate (global) # set internet-service-database ?
mini         Small sized Internet Service database with very limited IP addresses.
standard     Medium sized Internet Service database with most IP addresses.
full         Full sized Internet Service database with all IP addresses.
on-demand    Internet Service database with customer selected IP addresses.
FortiGate (global) # set internet-service-database on-demand
FortiGate (global) # end
Warning: Changing Internet Service database update mode will lead to the removal of all downloaded Internet Service files.
Do you want to continue? (y/n)y
Please run "execute update-ffdb-ondemand" to do explicit download or wait for automatic schedule update for configuration of Internet Service database
Checking the ISDB version at this point shows that the ISDB in Flash is now in On-Demand mode and the file is still empty (version 0.00000).
FortiGate # diagnose autoupdate versions | grep Internet -A 6
Internet-service On-Demand Database
---------
Version: 0.00000
Contract Expiry Date: n/a
Last Updated using scheduled update on Wed May 24 10:53:22 2023
Last Update Attempt: Wed May 24 17:23:10 2023
Result: No Updates
Run "execute update-ffdb-ondemand" to download the on-demand ISDB, or wait for the automatic update to complete, then check the ISDB version again. The FortiGate has now downloaded the On-Demand ISDB file.
FortiGate # diagnose autoupdate versions | grep Internet -A 6
Internet-service On-Demand Database
---------
Version: 7.03216
Contract Expiry Date: n/a
Last Updated using manual update on Wed May 24 17:27:11 2023
Last Update Attempt: Wed May 24 17:27:11 2023
Result: Updates Installed
Because no ISDB entry has yet been applied to a firewall policy, traffic shaping policy, or SD-WAN rule, the number of IP ranges and number of IP addresses in the ISDB summary are 0. Google-Web (ID 65537) is used as the example here.
FortiGate # diagnose internet-service id-summary 65537
Version: 00007.03216
Timestamp: 202305231647
Total number of IP ranges: 2858
Number of Groups: 1
Group(0), Singularity(90), Number of IP ranges(2858)
Internet Service: 65537(Google-Web)
Number of IP ranges: 0
Number of IP addresses: 0
Singularity: 0
Icon Id: 1
Direction: dst
Data source: isdb
Country:
Region:
City:
Reference this ISDB entry in a firewall policy.
config firewall policy
    edit 5
        set name "Google-Web"
        set srcintf "lan"
        set dstintf "wan"
        set action accept
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Google-Web"
        set schedule "always"
        set nat enable
    next
end
Check the Google-Web (65537) summary again. Once the firewall policy references the entry, the FortiGate automatically downloads that ISDB entry from FortiGuard: the entry now has 22909 IP ranges and the summary lists a second group.
FortiGate # diagnose internet-service id-summary 65537
Version: 00007.03216
Timestamp: 202305231647
Total number of IP ranges: 25767
Number of Groups: 2
Group(0), Singularity(90), Number of IP ranges(2858)
Group(1), Singularity(6), Number of IP ranges(22909)
Internet Service: 65537(Google-Web)
Number of IP ranges: 22909
Number of IP addresses: 19527416
Singularity: 6
Icon Id: 1
Direction: dst
Data source: isdb
Country: 4 8 10 12 16 20 24 28 31 32 36 40 44 48 50 51 52 56 60 64 68 70 72 76 84 86 90 96 100 104 108 112 116 120 124 132 136 144 148 152 156 158 162 166 170 175 178 180 184 188 191 192 196 203 204 208 212 214 218 222 226 231 232 233 234 238 239 242 246 248 250 254 258 260 262 266 268 270 275 276 288 292 296 300 308 ...
The summaries of ISDB entries that are not referenced anywhere remain empty, for example Fortinet-DNS (ID 1245187):
FortiGate # diagnose internet-service id-summary 1245187
Version: 00007.03216
Timestamp: 202305231647
Total number of IP ranges: 25767
Number of Groups: 2
Group(0), Singularity(90), Number of IP ranges(2858)
Group(1), Singularity(6), Number of IP ranges(22909)
Internet Service: 1245187(Fortinet-DNS)
Number of IP ranges: 0
Number of IP addresses: 0
Singularity: 0
Icon Id: 19
Direction: dst
Data source: isdb
Country:
Region:
City:
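The verification steps above are done by eye. As an added example (my own code, not Fortinet's and not part of the original note), the following Python script parses the three kinds of CLI output shown in this procedure, the `diagnose autoupdate versions` block, the `diagnose internet-service id-summary` output, and the firewall policy configuration, and reports every ISDB entry that a policy references but whose summary still shows zero IP ranges. After switching to on-demand mode that condition means the per-entry download has not happened yet, so the policy has nothing to match against until it does. The sample strings are constructed from the outputs shown above (only the fields the parsers read are reproduced verbatim), and the function names are my own.

```python
import re
from typing import List, Optional, Set, Tuple

# --- Constructed sample input (shape copied from the CLI output above) --------

def _autoupdate_block(version: str, result: str) -> str:
    # 'diagnose autoupdate versions | grep Internet -A 6' section.
    return (
        "Internet-service On-Demand Database\n---------\n"
        f"Version: {version}\nContract Expiry Date: n/a\n"
        "Last Updated using manual update on Wed May 24 17:27:11 2023\n"
        "Last Update Attempt: Wed May 24 17:27:11 2023\n"
        f"Result: {result}\n"
    )

def _summary_block(sid: int, name: str, ranges: int, addrs: int) -> str:
    # 'diagnose internet-service id-summary <id>' output.
    return (
        "Version: 00007.03216\nTimestamp: 202305231647\n"
        "Total number of IP ranges: 25767\nNumber of Groups: 2\n"
        "Group(0), Singularity(90), Number of IP ranges(2858)\n"
        f"Internet Service: {sid}({name})\n"
        f"Number of IP ranges: {ranges}\nNumber of IP addresses: {addrs}\n"
        "Singularity: 6\nIcon Id: 1\nDirection: dst\nData source: isdb\nCountry:\n"
    )

AUTOUPDATE_EMPTY = _autoupdate_block("0.00000", "No Updates")
AUTOUPDATE_INSTALLED = _autoupdate_block("7.03216", "Updates Installed")
SUMMARY_GOOGLE_BEFORE = _summary_block(65537, "Google-Web", 0, 0)
SUMMARY_GOOGLE_AFTER = _summary_block(65537, "Google-Web", 22909, 19527416)
SUMMARY_FORTINET_DNS = _summary_block(1245187, "Fortinet-DNS", 0, 0)

POLICY_CONFIG = """\
config firewall policy
    edit 5
        set name "Google-Web"
        set srcintf "lan"
        set dstintf "wan"
        set action accept
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Google-Web"
        set schedule "always"
        set nat enable
    next
end
"""

# --- Parsers --------------------------------------------------------------------
_VERSION_RE = re.compile(r"^Version:\s*(\S+)", re.M)
_SERVICE_RE = re.compile(r"^Internet Service:\s*(\d+)\((.*?)\)", re.M)
# Anchored at line start so 'Total number of IP ranges:' is not picked up.
_RANGES_RE = re.compile(r"^Number of IP ranges:\s*(\d+)", re.M)
_ADDRS_RE = re.compile(r"^Number of IP addresses:\s*(\d+)", re.M)
_ISDB_NAME_RE = re.compile(r"^[ \t]*set internet-service-name[ \t]+(.+)$", re.M)

def parse_ondemand_version(text: str) -> Optional[str]:
    """Version field of the 'Internet-service On-Demand Database' section, or None."""
    start = text.find("Internet-service On-Demand Database")
    if start < 0:
        return None
    m = _VERSION_RE.search(text, start)
    return m.group(1) if m else None

def ondemand_db_populated(text: str) -> bool:
    """True once the on-demand ISDB has been downloaded (version is not 0.00000)."""
    version = parse_ondemand_version(text)
    return version is not None and float(version) > 0

def parse_id_summary(text: str) -> dict:
    """Extract id, name and the per-entry IP range / IP address counts."""
    svc = _SERVICE_RE.search(text)
    if not svc:
        raise ValueError("no 'Internet Service:' line in id-summary output")
    ranges = _RANGES_RE.search(text)
    addrs = _ADDRS_RE.search(text)
    return {
        "id": int(svc.group(1)),
        "name": svc.group(2),
        "ip_ranges": int(ranges.group(1)) if ranges else 0,
        "ip_addresses": int(addrs.group(1)) if addrs else 0,
    }

def referenced_isdb_names(policy_config: str) -> Set[str]:
    """Quoted names given to 'set internet-service-name' in firewall policies."""
    names: Set[str] = set()
    for m in _ISDB_NAME_RE.finditer(policy_config):
        names.update(re.findall(r'"([^"]+)"', m.group(1)))
    return names

def undownloaded_entries(policy_config: str, summaries: List[str]) -> List[Tuple[int, str]]:
    """Referenced entries whose summary still shows zero IP ranges (not yet
    fetched on demand). Unreferenced entries are expected to be empty and skipped."""
    wanted = referenced_isdb_names(policy_config)
    missing: List[Tuple[int, str]] = []
    for s in (parse_id_summary(t) for t in summaries):
        if s["name"] in wanted and s["ip_ranges"] == 0:
            missing.append((s["id"], s["name"]))
    return missing

if __name__ == "__main__":
    print("on-demand DB populated:", ondemand_db_populated(AUTOUPDATE_INSTALLED))
    print("referenced but still empty:",
          undownloaded_entries(POLICY_CONFIG, [SUMMARY_GOOGLE_BEFORE, SUMMARY_FORTINET_DNS]))
```

In practice you would feed the script the real output of the three commands (collected over SSH or from a backup of the configuration) instead of the constructed strings; Fortinet-DNS is deliberately included in the samples to show that an unreferenced entry with zero ranges is not reported, only a referenced one is.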