12-22-2022 03:03 AM
Hi
A FortiGate firewall uses Fortinet 'Internet Services' objects. There are many of them; they are predefined, and some of them contain several tens of thousands of IP addresses (the Amazon-AWS object, for example, currently contains 75114 objects; there are various objects for Microsoft services, Adobe services, etc.).
The Expedition tool converts those multiple (destination) objects to 'all', thereby creating an 'allow all' rule (from the defined source to all objects in the destination zone (Internet), allowing all services and all applications).
This does not seem right, because it essentially nullifies all the other, tight rules from the source address.
Is there any way to avoid this and create tight rules for these services?
12-30-2022 11:36 AM - edited 12-30-2022 12:00 PM
Hello @Gordan
In Palo Alto there is no such thing as an internet service database.
It has, for example for Microsoft services, EDLs that you can generate for this.
https://docs.paloaltonetworks.com/resources/edl-hosting-service
EDLs are dynamic lists containing the IPs, URLs and domains of certain Microsoft 365, Azure, AWS, Salesforce and GCP services, for example, provided by Palo Alto, but you can also generate your own.
Here, although it sounds like a bit more effort, I recommend the following:
Identify in Fortinet those policies that use the Internet Service Database and, rule by rule, filter in Fortinet the destinations (URLs, IPs, domains, subdomains). Based on the information you collect, close the 'any' rules in Palo Alto with only the destinations that you need, and thus avoid those 'any' rules.
Cheers
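The procedure in the reply above (find the FortiGate policies that rely on ISDB objects, then rebuild each one in PAN-OS with an explicit destination instead of 'any') can be scripted. The example below is added here and is not code from the original thread, from Fortinet, or from Palo Alto Networks. It parses a constructed FortiGate `config firewall policy` excerpt, flags the policies that use `internet-service-name`, and emits PAN-OS `set` commands that point the rule's destination at an EDL object. The EDL URLs, zone names and the exact PAN-OS CLI shape are assumptions for illustration; check them against your PAN-OS version before committing anything.

```python
"""Map FortiGate ISDB-based policies to PAN-OS rules with EDL destinations.

Added example, not part of the original post. The FortiGate config excerpt,
the EDL URLs and the zone names are constructed for illustration.
"""
import re
import shlex

# Constructed FortiGate config excerpt (FortiOS 6.4+ style 'internet-service-name').
FORTIGATE_CONFIG = """\
config firewall policy
    edit 10
        set name "lan-to-saas"
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "LAN_net"
        set internet-service enable
        set internet-service-name "Amazon-AWS" "Microsoft-Office365"
        set action accept
        set schedule "always"
    next
    edit 11
        set name "lan-to-web"
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "LAN_net"
        set dstaddr "web_server"
        set service "HTTPS"
        set action accept
        set schedule "always"
    next
end
"""

# Hypothetical ISDB name -> EDL URL mapping. Replace with the Palo Alto hosted
# lists or lists you publish yourself; these URLs are placeholders.
EDL_SOURCES = {
    "Amazon-AWS": "https://edl.example.internal/aws-ip.txt",
    "Microsoft-Office365": "https://edl.example.internal/o365-ip.txt",
}


def parse_fortigate_policies(config_text):
    """Return one dict per 'edit <id>' block inside 'config firewall policy'.

    Every 'set' value is stored as a list so multi-value fields such as
    internet-service-name and srcaddr are handled uniformly.
    """
    policies, current, in_section = [], None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":
            break
        match = re.match(r"edit\s+(\d+)$", line)
        if match:
            current = {"id": int(match.group(1))}
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif current is not None and line.startswith("set "):
            parts = shlex.split(line)          # respects quoted values
            current[parts[1]] = parts[2:]
    return policies


def isdb_policies(policies):
    """Policies whose destination is an ISDB object, i.e. the ones Expedition
    would collapse to an 'any' destination."""
    return [p for p in policies
            if p.get("internet-service") == ["enable"] and p.get("internet-service-name")]


def panos_set_commands(policy, src_zone, dst_zone, edl_sources=EDL_SOURCES):
    """Emit PAN-OS CLI lines for one ISDB policy with EDL objects as destination.

    An ISDB name with no EDL raises KeyError on purpose: stopping is safer than
    silently widening the destination to 'any'.
    """
    cmds, edl_names = [], []
    for isdb_name in policy["internet-service-name"]:
        url = edl_sources[isdb_name]
        edl = f"edl-{isdb_name.lower()}"
        edl_names.append(edl)
        cmds.append(f"set external-list {edl} type ip url {url}")
        cmds.append(f"set external-list {edl} type ip recurring five-minute")
    rule = policy["name"][0]
    src = " ".join(policy.get("srcaddr", ["any"]))
    # Destination is the EDL set, never 'any'; application still needs narrowing
    # per rule once the traffic is known, service stays at application-default.
    cmds.append(
        f"set rulebase security rules {rule} from {src_zone} to {dst_zone} "
        f"source [ {src} ] destination [ {' '.join(edl_names)} ] "
        f"application any service application-default action allow"
    )
    return cmds


if __name__ == "__main__":
    for pol in isdb_policies(parse_fortigate_policies(FORTIGATE_CONFIG)):
        print(f"# FortiGate policy {pol['id']} ({pol['name'][0]})")
        print("\n".join(panos_set_commands(pol, "trust", "untrust")))
```

Run it against a `show full-configuration` export instead of the embedded sample to get the list of policies that need attention; policy 11 above, with a plain `dstaddr`, is left alone because Expedition already converts it with an explicit destination.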