By default all Fortinet FortiGates are in Profile-based NGFW mode. There is nothing wrong with the default mode. However, I personally prefer policy mode more. Profile mode works like most firewalls like SonicWall, pfSense and UniFi for example. All your rules are based on ports. Policy mode works like Palo Alto Networks firewalls. All your…
The default setup of a Fortinet FortiGate is Profile mode. Here’s step-by-step how to change a FortiGate from Profile Mode to Policy Mode. Due to the significant change between the two mode you will need to rebuild all your rules. Notes The Process
In this post I will detail how to resolve the Palo Alto commit error when trying to commit a predefined IP list. Below is an example of the error Validation Error:external-list -> Palo Alto Networks Tor exit IP Addresses -> type -> predefined-ip -> url ‘panw-torexit-ip-list’ is not a valid referenceexternal-list -> Palo Alto Networks…
Palo Alto has some great documentation about how to do basically everything. Sometimes it’s a bit buried. This is my short and long cheat sheets for upgrading a Palo Alto Networks firewall in an Active/Passive High Availability Pair. Quick Cheat Sheet Long Cheat Sheet Upgrade path and sanity checks For my example FW01 is the…
I have been playing around with Policy mode on the FortiGate and an issue that I’ve ran into a few times is if you have something hosted internally that also needs to be accessed externally it doesn’t work internally when you use the external address, for example a reverse proxy. In my setup I use…
Something that’s annoyed me with FortiGates is that viewing the deny logs isn’t super straight forward. Part of the issue is the fact that Fortinet disables the deny log by default and if you don’t know where to look for it you might not figure it out by clicking around. Fortinet says that they have…
