Fortinet Migration - Internet Services Database objects conversion to Palo Alto

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Fortinet Migration - Internet Services Database objects conversion to Palo Alto

Hi

A Fortigate firewall uses Fortinet 'Internet Services' objects. There are many of them, they are predefined and some of them contain several tens of thousands of IP addresses (Amazon-AWS object, for example currently contains 75114 objects, there are various objects for Microsoft services, Adobe services, etc).

Expedition tool converts those multiple (destination) objects as 'all', therefore creating an 'allow all' rule (from the defined source to all objects in the destination zone (Internet) allowing all services and with all applications.
This does not seem right because it essentially nullifies all other, tight, rules from the source address.
Is there any way to avoid this and create tight rules for these services?

1 REPLY 1

L4 Transporter

Hello @${userLoginName} 

 

In Palo Alto there is no such thing as an internet service database.

It has for Microsoft services example EDL that you can generate for this.
https://docs.paloaltonetworks.com/resources/edl-hosting-service

EDLs are dynamic lists containing the IP URL domains of certain Microsoft 365, Azure, AWS, Salesforce, GCP services for example provided by Palo Alto but you can also generate your own.

 

Here although it sounds like a bit more effort, I recommend the following:

 

That you identify in Fortinet those policies with Internet Service Database and rule by rule, filter in fortinet the destinations either URLs, IPs, domains, subdomains, and based on that information that you collect you close the any rules in Palo Alto, only with the destinations that you need and thus avoid those any.

 

Cheers

High Sticker
  • 3040 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!