How to transfer a FortiGate configuration to a newer model

During the lifecycle of firewalls, they are often replaced with a newer model, but you would like to keep the configuration. In this case, there are several possibilities, which we present in this blog post:

1. FortiConverter Service
2. FortiConverter Tool
3. Partial Config Transfer
4. Full Config Transfer

Den deutschen Artikel dazu finden Sie hier: So übertragen Sie eine FortiGate Konfiguration auf ein neueres Modell

«How to transfer a FortiGate configuration to a newer model» weiterlesen

So übertragen Sie eine FortiGate Konfiguration auf ein neueres Modell

Im Laufe des Lebenszyklus von Firewalls werden diese oftmals ersetzt mit einem neueren Modell, die Konfiguration möchte man aber gerne übernehmen. Für diesen Fall gibt es verschiedene Möglichkeiten, die wir in diesem Blog Beitrag vorstellen:

1. FortiConverter Service
2. FortiConverter Tool
3. Partielle Konfigübernahme
4. Volle Konfigübernahme

English article can be found here: How to transfer a FortiGate configuration to a newer model

«So übertragen Sie eine FortiGate Konfiguration auf ein neueres Modell» weiterlesen

Netzwerk Subnettierung

Öfters sehen wir Fragen oder Probleme zur korrekten Subnettierung von Netzen. Mit dem folgenden Raster kann man schnell und einfach die richtige Anzahl Host oder die Subnetzmaske herausfinden.

Die erste Adresse des Subnetz nennt man Netzadresse. Diese kann nicht für Hosts verwendet werden (Bsp. bei einem Subnetz von oder /24)

Ebenso die letzte Adresse des Subnetz. Diese ist die Broadcast Adresse und steht Clients nicht zur Verfügung (Bsp. bei einem Subnetz von oder /24)

Die verbleibenden IP Adressen können von Hosts genutzt werden (Anzahl Hosts in der Tabelle, also 256-2= 254 bei einem Subnetz von oder /24)

Bekommt man nun zum Beispiel die Angabe, dass ein Provider Subnetz 6 nutzbare IP Adressen hat, entspricht dies in der Tabelle einer Subnetzmaske von oder /29. Die nutzbaren IP Adressen sind dann zum Beispiel bis Die .24 ist die Netzadresse, die .31 die Broadcast Adresse. Meistens ist es dann so, dass der Router selber die .25 bekommt, die Firewall die .26. Die weiteren nutzbaren Adressen sind dann .27 bis .30.

Palo Alto Firewall Feature: Block Tor Exit nodes with an External Dynamic List (EDL)

With the possibility to include external lists from third parties via the feature «External Dynamic List EDL», this opens up many possibilities to restrict your own security policies even better and to prevent access to the TOR network.

In the following tutorial I will show you how to configure the list of TOR exit nodes, which can be found at as a list of IP addresses.

1. Create External Dynamic IP List

First, create a new EDL.
Objects > External Dynamic Lists > Add

The list of TOR Exit Nodes and further information can be found here:

Blog Article:
Source URL List:

As type you should choose the «IP List» selection. This assumes a list with one IP per line. If you look at the provided IP list, this is the case:

2. Download the CA Certificate from the website as .pem format.

Since the list is provided via HTTPS and therefore signed with a certificate, the Palo Alto Firewall must trust the CA certificate which signed the server certificate. This is solved via the import of the CA certificate into the firewall.

Please use your browser capabilities to display and download the CA certificate.

3. Add the CA certificate to firewall’s the certificate list

After you have downloaded the CA certificate, you can upload it to the firewall’s certificate store.

Device > Certificate Management > Certificates > Add

4. Create a certificate profile and add the Tor_CA certificate

Now that the certificate has been uploaded to the firewall’s certificate store, it can be used in a certificate profile.

5. Add certificate profile in EDL list

Now the certificate profile with the CA certificate can be used in the configuration of the EDL list.

Also note the update frequency of the list, if the list contains new values. The new entries are added automatically with the update, and a Commit is not necessary.

6. Add EDL in Security Policy

Now everything is prepared and the EDL list can be inserted in the security policy as source or destination address object.

It makes sense to use a security policy with the action Block at the beginning of your security policies.

Policies > Security > Add

7. Commit changes

Save the changes so that they become active.

8. Verify if EDL list contains entries

After the initial synchronization of the list, you can check its content as follows.

Objects > External Dynamic Lists > Edit Tor Exit nodes > List Entries and Exceptions
Check if list contains entries:

Performance Best Practices for Kaspersky Endpoint Security for Windows

Here you can find some recommendations how to configure protection in Kaspersky Endpoint Security for Windows and reduce the impact on the system. The original document written by Evgeniya Kirikova from Kasperksy can be downloaded here.

General recommendations

  1. Use the latest versions of Kaspersky Endpoint Security for Windows, as they contain the latest fixes and improvements, including performance related.
  2. We recommend you to use all protection components with default settings. They provide the optimal balance between protection level and performance recommended by our experts.
  3. Check KES for Windows policy and make sure that general performance settings are enabled (KES policy –> General –> Application settings):
«Performance Best Practices for Kaspersky Endpoint Security for Windows» weiterlesen

WatchGuard new Knowledge Base Articles November 2020

Each month WatchGuard publishes numerous new articles and known issues to the WatchGuard Knowledge Base. Here is the new content published in November:


Firebox Cloud supports accelerated networking in Azure

Known Issues

IKEv2 profile import fails on macOS Big Sur 11.0.1
DHCPv6 server restarts repeatedly when DHCP reservation exists
Hotspot custom logo does not load in Fireware v12.6.2
Cannot edit SD-WAN actions after you change the names of multiple external VLAN interfaces
Application Control category actions not applied correctly on 12.5.x Firebox fully managed by Management Server 12.6.x
Upgrading from Dimension 2.1.2 to Dimension 2.1.2 Update 4 fails due to lack of free disk space
Application Control category action changes to Drop after upgrade to Fireware v12.6.2
Interfaces with fixed link speeds change to 10 Mbps Half Duplex after upgrade from Fireware v12.5.4 to v12.6.2
Files load slowly through an HTTPS-proxy when content inspection is enabled with Application Control or IPS
AP125 and AP325 reboot after kernel panic message
Mobile VPN with SSL client not supported on Windows devices with ARM processors

WatchGuard announces Dark Web Scan Feature

WatchGuard announced in the last days a new feature called Dark Web Scan. The feature is hosted in the WatchGuard cloud. With this new tool, you can perform searches based on email addresses and domain names to see which accounts have been exposed on the dark web during known data breaches.

Here are some screenshots from my test:

You can find the Dark Web Scan in your WatchGuard Cloud account under Administration –> Dark Web Scan
«WatchGuard announces Dark Web Scan Feature» weiterlesen

WatchGuard Fireware Features pro Version

Sicherlich haben Sie sich schon gefragt, wann welches Feature in welchem Fireware Release eingeführt wurde. Da sich dies nur mühsam per Release Notes oder Dokumentation rausfinden lässt, hat WatchGuard für ihre Features einen KB Artikel mit einer Feature Liste pro Version erstellt:

New Firebox features by Fireware version

Menlo Security Prevents Zero-Day Threat on Internet Explorer

The still-active Zero-Day Exploit threatens the frequently vulnerable JavaScript Engine

Customers of Menlo Security using Internet Explorer (IE) are protected against a recent and still-active zero-day exploit using Internet Explorer, as outlined by Microsoft’s security update CVE-2020-1380.

The remote code execution vulnerability allows an attacker to take advantage of how the engine handles memory and to force corruption.

«Menlo Security Prevents Zero-Day Threat on Internet Explorer» weiterlesen