This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Fortinet Migration - Internet Services Database objects conversion to Palo Alto

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Fortinet Migration - Internet Services Database objects conversion to Palo Alto

Gordan
L0 Member

‎12-22-2022 03:03 AM

Hi

A Fortigate firewall uses Fortinet 'Internet Services' objects. There are many of them, they are predefined and some of them contain several tens of thousands of IP addresses (Amazon-AWS object, for example currently contains 75114 objects, there are various objects for Microsoft services, Adobe services, etc).

Expedition tool converts those multiple (destination) objects as 'all', therefore creating an 'allow all' rule (from the defined source to all objects in the destination zone (Internet) allowing all services and with all applications.
This does not seem right because it essentially nullifies all other, tight, rules from the source address.
Is there any way to avoid this and create tight rules for these services?

0 Likes Likes
1 REPLY 1

Metgatz
L4 Transporter

‎12-30-2022 11:36 AM - edited ‎12-30-2022 12:00 PM

Hello @Gordan 

 

In Palo Alto there is no such thing as an internet service database.

It has for Microsoft services example EDL that you can generate for this.
https://docs.paloaltonetworks.com/resources/edl-hosting-service

EDLs are dynamic lists containing the IP URL domains of certain Microsoft 365, Azure, AWS, Salesforce, GCP services for example provided by Palo Alto but you can also generate your own.

 

Here although it sounds like a bit more effort, I recommend the following:

 

That you identify in Fortinet those policies with Internet Service Database and rule by rule, filter in fortinet the destinations either URLs, IPs, domains, subdomains, and based on that information that you collect you close the any rules in Palo Alto, only with the destinations that you need and thus avoid those any.

 

Cheers

High Sticker
0 Likes Likes
  • 1877 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks