https://live.paloaltonetworks.com/t5/expedition-discussions/fortinet-migration-internet-services-database-objects-conversion/m-p/525545#M4321 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/138808">@Gordan</a>&nbsp;</P> <P>&nbsp;</P> <P>In Palo Alto there is no such thing as an internet service database.</P> <P>It has for Microsoft services example EDL that you can generate for this.<BR /><A href="https://docs.paloaltonetworks.com/resources/edl-hosting-service" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/resources/edl-hosting-service</A></P> <P>EDLs are dynamic lists containing the IP URL domains of certain Microsoft 365, Azure, AWS, Salesforce, GCP services for example provided by Palo Alto but you can also generate your own.</P> <P>&nbsp;</P> <P>Here although it sounds like a bit more effort, I recommend the following:</P> <P>&nbsp;</P> <P>That you identify in Fortinet those policies with Internet Service Database and rule by rule, filter in fortinet the destinations either URLs, IPs, domains, subdomains, and based on that information that you collect you close the any rules in Palo Alto, only with the destinations that you need and thus avoid those any.</P> <P>&nbsp;</P> <P>Cheers</P> Fri, 30 Dec 2022 20:00:30 GMT Metgatz 2022-12-30T20:00:30Z https://live.paloaltonetworks.com/t5/expedition-discussions/fortinet-migration-internet-services-database-objects-conversion/m-p/524849#M4315 <P>Hi</P> <P>A Fortigate firewall uses Fortinet 'Internet Services' objects. There are many of them, they are predefined and some of them contain several tens of thousands of IP addresses (Amazon-AWS object, for example currently contains 75114 objects, there are various objects for Microsoft services, Adobe services, etc).</P> <P>Expedition tool converts those multiple (destination) objects as 'all', therefore creating an 'allow all' rule (from the defined source to all objects in the destination zone (Internet) allowing all services and with all applications.<BR />This does not seem right because it essentially nullifies all other, tight, rules from the source address.<BR />Is there any way to avoid this and create tight rules for these services?<BR /><BR /></P> Thu, 22 Dec 2022 11:03:16 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/fortinet-migration-internet-services-database-objects-conversion/m-p/524849#M4315 Gordan 2022-12-22T11:03:16Z https://live.paloaltonetworks.com/t5/expedition-discussions/fortinet-migration-internet-services-database-objects-conversion/m-p/525545#M4321 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/138808">@Gordan</a>&nbsp;</P> <P>&nbsp;</P> <P>In Palo Alto there is no such thing as an internet service database.</P> <P>It has for Microsoft services example EDL that you can generate for this.<BR /><A href="https://docs.paloaltonetworks.com/resources/edl-hosting-service" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/resources/edl-hosting-service</A></P> <P>EDLs are dynamic lists containing the IP URL domains of certain Microsoft 365, Azure, AWS, Salesforce, GCP services for example provided by Palo Alto but you can also generate your own.</P> <P>&nbsp;</P> <P>Here although it sounds like a bit more effort, I recommend the following:</P> <P>&nbsp;</P> <P>That you identify in Fortinet those policies with Internet Service Database and rule by rule, filter in fortinet the destinations either URLs, IPs, domains, subdomains, and based on that information that you collect you close the any rules in Palo Alto, only with the destinations that you need and thus avoid those any.</P> <P>&nbsp;</P> <P>Cheers</P> Fri, 30 Dec 2022 20:00:30 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/fortinet-migration-internet-services-database-objects-conversion/m-p/525545#M4321 Metgatz 2022-12-30T20:00:30Z