So I recently had to read through a few ten-thousand lines of Fortigate configs. Fun - No! But necessary. To make things a little easier and not having to do it all twice I wrote a small python script, creating a summary of the config. While not replacing a full manual assessment, it does make life easier!
The following script will turn a 12k lines Fortigate config into about 1k lines summary (depening on the exact config). Obviously, a lot of information will get lost, but it’s focused on:
- Users / Identities
- Admins
- Users
- Groups
- IPs
- Trusthosts
- VPN Endpoints
- Firewall Rules
Aim
My aim was to get the config into a slightly more human readable format and make sure I didn’t miss anything by accident. And well, for me, it worked.
The Script
import sys
import os
import re
import json
debug = False
notes = True
filename = sys.argv[1]
def parse_fortigate_backup(file_path):
config_dict = {}
current_section = config_dict
section_stack = []
with open(file_path, 'r', encoding='utf-8') as file:
for line in file:
line = line.strip()
if not line or line.startswith('#'): # Skip empty lines and comments
continue
if line.startswith('config'):
section_name = line.split('config')[-1].strip()
new_section = {}
current_section[section_name] = new_section
section_stack.append((current_section, section_name))
current_section = new_section
elif line.startswith('end'):
current_section, _ = section_stack.pop()
elif line.startswith('edit'):
entry_name = line.split('edit')[-1].strip()
current_section[entry_name] = {}
section_stack.append((current_section, entry_name))
current_section = current_section[entry_name]
elif line.startswith('next'):
current_section, _ = section_stack.pop()
else:
match = re.match(r'(set|unset)\s+(\S+)\s*(.*)', line)
if match:
action, key, value = match.groups()
if action == 'set':
current_section[key] = value
elif action == 'unset':
current_section.pop(key, None)
return config_dict
conf = parse_fortigate_backup(filename)
pretty = json.dumps(conf, indent=2)
if debug:
print(pretty)
report = ""
if notes:
report += "~~ Warning~~\n~~This tool does not replace reading through the full config file~~\n"
## Basic
report += "Basic\n"
if 'central-management' in conf:
report += " Central Management" + str(conf['central-management']) + "\n"
else:
report += " Central Management not configured\n"
report += "\n\n"
## Admin Accounts
report += "Admin Accounts\n"
if 'system admin' in conf:
if debug:
print("Fetching admin accounts")
print(conf['system admin'])
if notes:
report += "~~ Ensure that all admins are known ~~\n~~ Verify all eMail adresses are correct ~~\n~~ Change passwords of all accounts ~~\n~~ Verify all trusthosts are known ~~\n"
for x in conf['system admin']:
admin = " " + x
if 'accprofile' in conf['system admin'][x]:
admin += " using profile: " + conf['system admin'][x]['accprofile']
if 'email-to' in conf['system admin'][x]:
admin += ", email: " + conf['system admin'][x]['email-to']
if 'password' in conf['system admin'][x]:
admin += "\n Password: " + conf['system admin'][x]['password']
else:
admin += "\n Password: undefined/default account/remote account"
if 'remote-auth' in conf['system admin'][x]:
admin += "\n Remote Auth: " + conf['system admin'][x]['remote-auth']
for y in conf['system admin'][x]:
if 'trusthost' in y:
admin += "\n " + y + ": " + conf['system admin'][x][y]
admin += "\n"
report += admin
else:
report += "No admin accounts defined.\n"
report += "\n\n"
## Account Profiles
report += "Account Profiles\n"
if 'system accprofile' in conf:
if debug:
print("Fetching account profiles")
print(conf['system accprofile'])
for x in conf['system accprofile']:
profile = " " + x
profile += ": " + str(conf['system accprofile'][x])
profile += "\n"
report += profile
else:
report += "No account profiles defined!\n"
report += "\n\n"
## User Accounts
report += "Local User Accounts\n"
if 'user local' in conf:
if debug:
print("Fetching local user accounts")
print(conf['user local'])
if notes:
report += "~~ Ensure that all users are known ~~\n~~Verify all eMail adresses are correct ~~\n~~ Change passwords of all accounts ~~\n"
for x in conf['user local']:
user = " " + x
if 'passwd-time' in conf['user local'][x]:
user += ", last changed: " + conf['user local'][x]['passwd-time']
else:
user += ", last changed: undefined/default account"
if 'email-to' in conf['user local'][x]:
user += ", email address: " + conf['user local'][x]['email-to']
if 'passwd' in conf['user local'][x]:
user += "\n Pass: " + conf['user local'][x]['passwd']
user += "\n"
report += user
else:
report += "No local user accounts found!\n"
report += "\n\n"
## Remote User Accounts
report += "LDAP Servers\n"
if 'user ldap' in conf:
if debug:
print("Fetching ldap servers")
print(conf['user ldap'])
if notes:
report += "~~Verify that the auth servers are valid ~~\n~~ Change passwords of all authnticators ~~\n"
for x in conf['user ldap']:
ldap = " " + x + ": Providing authentication against " + conf['user ldap'][x]['server']
if 'port' in conf['user ldap'][x]:
ldap += "(:" + conf['user ldap'][x]['port'] + ")"
if 'username' in conf['user ldap'][x]:
ldap += " using " + conf['user ldap'][x]['username']
ldap += ". Identity checks are " + conf['user ldap'][x]['server-identity-check'] + "d"
ldap += "\n Password: " + conf['user ldap'][x]['password']
ldap += "\n"
report += ldap
else:
report += "No LDAP servers defined!\n"
report += "\n\n"
## Groups
report += "Groups\n"
if 'user group' in conf:
if debug:
print("Fetching groups")
print(conf['user group'])
if notes:
report += "~~ Ensure that users are in correct groups ~~\n"
for x in conf['user group']:
if "member" in conf['user group'][x]:
report += " " + x + ", members: " + conf['user group'][x]['member'] + "\n"
else:
report += " " + x + ", members: " + "\n"
else:
report += "No groups defined!\n"
report += "\n\n"
## Networking
report += "Networking\n"
### Interfaces
report += " Interfaces\n"
if 'system interface' in conf:
if debug:
print("Fetching Interfaces")
print(conf['system interface'])
if notes:
report += " ~~ Verify list of interfaces ~~\n ~~ Check management access settings ~~\n"
for x in conf['system interface']:
interface = " " + x + ": "
if 'type' in conf['system interface'][x]:
interface += conf['system interface'][x]['type'] + " interface"
if 'mode' in conf['system interface'][x]:
interface += " in " + conf['system interface'][x]['mode'] + " mode"
if 'ip' in conf['system interface'][x]:
interface += " with address " + conf['system interface'][x]['ip']
if 'allowaccess' in conf['system interface'][x]:
interface += "\n Allow: " + conf['system interface'][x]['allowaccess'] + ""
if notes:
if 'ssh' in conf['system interface'][x]['allowaccess'] or 'http' in conf['system interface'][x]['allowaccess'] or 'https' in conf['system interface'][x]['allowaccess']:
interface += "\n Warning: Management interface!"
report += "\n"
report += interface
else:
report += "No interfaces defined!\n"
report += "\n\n"
### Routes
report += " Routes\n"
if 'router static' in conf:
if debug:
print("Fetching Routes\n")
print(conf['router static'])
if notes:
report += " ~~ Ensure all routes are valid and necessary ~~\n"
for x in conf['router static']:
route = " " + x + ": "
if 'dst' in conf['router static'][x]:
route += "To " + conf['router static'][x]['dst']
if 'gateway' in conf['router static'][x]:
route += " via " + conf['router static'][x]['gateway']
if 'device' in conf['router static'][x]:
route += " on " + conf['router static'][x]['device']
if 'blackhole' in conf['router static'][x]:
route += "? No, blackhole redirection!"
if 'comment' in conf['router static'][x]:
route += "\n Comment: " + conf['router static'][x]['comment']
route += "\n"
report += route
else:
report += "No routes defined!\n"
report += "\n"
### DNS
report += " DNS\n"
if 'system dns' in conf:
if debug:
print("Fetching DNS\n")
print(conf['system dns'])
if notes:
report += " ~~ Ensure that servers are known and config is correct ~~\n"
if "primary" in conf['system dns']:
report += " Primary DNS: " + conf['system dns']['primary'] + "\n"
if "secondary" in conf['system dns']:
report += " Secondary DNS: " + conf['system dns']['secondary'] + "\n"
else:
report += "No DNS servers defined!\n"
report += "\n"
### NTP
report += " NTP\n"
if 'system ntp' in conf:
if debug:
print("Fetching NTP\n")
print(conf['system ntp'])
if notes:
report += " ~~ Ensure that servers are known and config is correct ~~\n"
if 'type' in conf['system ntp']:
report += " Synching from " + conf['system ntp']['type']
if 'ntpserver' in conf['system ntp']:
for y in conf['system ntp']['ntpserver']:
report += "\n " + str(y) + ": " + conf['system ntp']['ntpserver'][y]['server'] + "\n"
else:
report += "Fetching time via " + conf['system ntp']['interface'] + "\n"
else:
report += "No NTP config found!\n"
report += "\n\n"
### SNMP
report += " SNMP\n"
if 'system snmp community' in conf:
if debug:
print("Fetching SNMP\n")
print(conf['system snmp community'])
if notes:
report += " ~~ Ensure that IP addresses are known and valid ~~\n"
for x in conf['system snmp community']:
snmp = " " + x + ": "
for y in conf['system snmp community'][x]['hosts']:
snmp += conf['system snmp community'][x]['hosts'][y]['ip'] + ","
report += snmp
report += "\n"
else:
report += "No SNMP config defined!\n"
report += "\n\n"
### VPN
report += "VPN\n"
#### Phase 1
report += " VPN - Phase 1\n"
if 'vpn ipsec phase1-interface' in conf:
if debug:
print("Fetching phase1 VPN interfaces\n")
print(conf['vpn ipsec phase1-interface'])
if notes:
report += " ~~ Ensure that all profiles are known ~~\n"
for x in conf['vpn ipsec phase1-interface']:
vpn = " " + x + ": "
if 'type' in conf['vpn ipsec phase1-interface']:
vpn += "type: " + conf['vpn ipsec phase1-interface'][x]['type'] + ", "
vpn += "interface: " + conf['vpn ipsec phase1-interface'][x]['interface'] + ", algorithm: " + conf['vpn ipsec phase1-interface'][x]['proposal']
vpn += "\n psksecret: " + conf['vpn ipsec phase1-interface'][x]['psksecret']
if 'comments' in conf['vpn ipsec phase1-interface'][x]:
vpn += "\n Comments: " + str(conf['vpn ipsec phase1-interface'][x]['comments'])
vpn += "\n"
report += vpn
else:
report += "no VPN Phase 1 config found!\n"
report += "\n"
#### Phase 2
report += " VPN - Phase 2\n"
if 'vpn ipsec phase2-interface' in conf:
if debug:
print("Fetching phase2 VPN interfaces\n")
print(conf['vpn ipsec phase2-interface'])
if notes:
report += " ~~ Ensure that all profiles are known ~~\n"
for x in conf['vpn ipsec phase2-interface']:
vpn = " " + x + ": "
vpn += "phase1: " + conf['vpn ipsec phase2-interface'][x]['phase1name'] + ", algorithm: " + conf['vpn ipsec phase2-interface'][x]['proposal']
if 'comments' in conf['vpn ipsec phase2-interface'][x]:
vpn += "\n Comments: " + str(conf['vpn ipsec phase2-interface'][x]['comments'])
vpn += "\n"
report += vpn
else:
report += "no VPN Phase 2 config found!\n"
report += "\n\n"
## Firewall Rules
report += "Firewall\n\n"
report += " Rules\n"
if 'firewall policy' in conf:
if debug:
print("Fetching firewall rules\n")
print(conf['firewall policy'])
if notes:
report += " ~~ Verify that each rule is legit ~~\n"
for x in conf['firewall policy']:
rule = ' ' + str(x) + ": "
if 'status' in conf['firewall policy'][x]:
if conf['firewall policy'][x]['status'] == 'disable':
rule += "[[DISABLED]] "
if 'action' in conf['firewall policy'][x]:
rule += conf['firewall policy'][x]['action']
else:
rule += "Drop"
rule += ' for '
rule += conf['firewall policy'][x]['service']
rule += " from "
if 'srcaddr' in conf['firewall policy'][x]:
rule += conf['firewall policy'][x]['srcaddr']
if 'srcintf' in conf['firewall policy'][x]:
rule += '(' + conf['firewall policy'][x]['srcintf'] + ')'
rule += ' to '
if 'dstaddr' in conf['firewall policy'][x]:
rule += conf['firewall policy'][x]['dstaddr']
if 'dstintf' in conf['firewall policy'][x]:
rule += '(' + conf['firewall policy'][x]['dstintf'] + ')'
if 'comments' in conf['firewall policy'][x]:
rule += '\n Comment: '
rule += conf['firewall policy'][x]['comments']
rule += '\n'
report += rule
else:
report += "No firewall rules defined!\n"
report += "\n"
### Virtual IPs
report += " Virtual IPs\n"
if 'vip' in conf:
if debug:
print("Fetching Virtual IPs\n")
print(conf['vip'])
if notes:
report += " ~~ Verify that each IP is legit ~~\n"
for x in conf['vip']:
vip = " " + x + ": "
vip += "from " + conf['vip'][x]['extip']
if 'extport' in conf['vip'][x]:
vip += "(:" + conf['vip'][x]['extport'] + ")"
vip += " to " + conf['vip'][x]['mappedip']
if 'mappedport' in conf['vip'][x]:
vip += "(:" + conf['vip'][x]['mappedport'] + ")"
vip += " on " + conf['vip'][x]['extintf']
vip += " -- " + conf['vip'][x]['uuid']
vip += "\n"
report += vip
else:
report += "No VIP config found!\n"
report += "\n\n"
## Hosts and IPs
report += "Hosts & IPs\n"
if 'firewall address' in conf:
if debug:
print("Fetchings IPs and Systems\n")
print(conf['firewall address'])
fqdns = ""
ipranges = ""
rest = ""
for x in conf['firewall address']:
if 'type' in conf['firewall address'][x]:
if conf['firewall address'][x]['type'] == 'fqdn':
fqdns += " " + x + ": " + conf['firewall address'][x]['fqdn'] + " -- " + conf['firewall address'][x]['uuid'] + "\n"
if 'comment' in conf['firewall address'][x]:
fqdns += " Comment: " + conf['firewall address'][x]['comment'] + "\n"
elif conf['firewall address'][x]['type'] == 'iprange':
ipranges += " " + x + ": from " + conf['firewall address'][x]['start-ip'] + " to " + conf['firewall address'][x]['start-ip'] + " -- " + conf['firewall address'][x]['uuid'] + "\n"
if 'comment' in conf['firewall address'][x]:
ipranges += " Comment: " + conf['firewall address'][x]['comment'] + "\n"
else:
rest += " " + x + ": "
if 'subnet' in conf['firewall address'][x]:
rest += "subnet: " + conf['firewall address'][x]['subnet']
rest += " -- " + conf['firewall address'][x]['uuid'] + "\n"
if 'comment' in conf['firewall address'][x]:
rest += " Comment: " + conf['firewall address'][x]['comment'] + "\n"
report += " FQDNs\n"
if notes:
report += " ~~ Verify that each FQDN description matches the entry ~~\n ~~ Check that each entry is needed or a default entry ~~\n"
report += fqdns
report += "\n"
report += " IP Ranges\n"
if notes:
report += " ~~ Verify that each range's name matches the description ~~\n ~~ Check that each entry is needed or a default entry ~~\n"
report += ipranges
report += "\n"
report += " Rest\n"
if notes:
report += " ~~ Verify that each entry is legit ~~\n"
report += rest
else:
report += "No FQDNs or IPs defined!\n"
output = open(filename + ".summary.txt",'w')
output.write(report)
output.close()
The Output
~~ Warning~~
~~This tool does not replace reading through the full config file~~
Basic
Central Management not configured
Admin Accounts
~~ Ensure that all admins are known ~~
~~ Verify all eMail adresses are correct ~~
~~ Change passwords of all accounts ~~
~~ Verify all trusthosts are known ~~
"admin" using profile: "super_admin"
Password: undefined/default account/remote account
"tester155" using profile: "super_admin", email: "test155@security-bits.de"
Password: ENC AK1taeT3g38kwS5+Wxs6lp9EeH9y9ea1doXbKzdxzzz230=
trusthost1: 192.168.1.0 255.255.255.0
trusthost2: 192.168.5.0 255.255.255.0
"tester156" using profile: "super_admin"
Password: ENC AK1VXVjkMWLIyj8RfyvPe0PfqM/e2oIWqTUYVfH3W8xluI=
Account Profiles
"prof_admin": {'mntgrp': 'read-write', 'admingrp': 'read-write', 'updategrp': 'read-write', 'authgrp': 'read-write', 'sysgrp': 'read-write', 'netgrp': 'read-write', 'loggrp': 'read-write', 'routegrp': 'read-write', 'fwgrp': 'read-write', 'vpngrp': 'read-write', 'utmgrp': 'read-write', 'endpoint-control-grp': 'read-write', 'wifi': 'read-write'}
"test_admin": {'mntgrp': 'read', 'admingrp': 'read', 'updategrp': 'read', 'authgrp': 'read-write', 'loggrp': 'custom', 'routegrp': 'read', 'fwgrp': 'custom', 'vpngrp': 'read-write', 'utmgrp': 'custom', 'endpoint-control-grp': 'read-write', 'fwgrp-permission': {'policy': 'read-write', 'address': 'read', 'service': 'read-write', 'schedule': 'read-write', 'packet-capture': 'read-write', 'others': 'read-write'}, 'loggrp-permission': {'config': 'read-write', 'data-access': 'read', 'report-access': 'read-write'}, 'utmgrp-permission': {'antivirus': 'read-write', 'ips': 'read', 'webfilter': 'read-write', 'spamfilter': 'read-write', 'data-loss-prevention': 'read', 'application-control': 'read', 'icap': 'read-write', 'voip': 'read-write'}}
Local User Accounts
~~ Ensure that all users are known ~~
~~Verify all eMail adresses are correct ~~
~~ Change passwords of all accounts ~~
"guest", last changed: undefined/default account
Pass: ENC vBX4f+TuHQboTgTC15j1U8RT9FShCoSSgPGM+5e/eBJDcWeHRbLibEaB3pug1RLeLmoX/2YK+sRCUbmtxudmjqHAuzGT2Sj6OKBmxziqXfuH7pulHckYECzMG6rJkYL6xsx29jnkbLMRDyieqrcueUmcvhTqNVWx6qSOjzqUhOQlGhR1/5vGXqkWFH/yh3IxjnglBQ==
"tester150", last changed: 2025-03-23 22:16:39
Pass: ENC KEJGRV3u8asFXibzFK3xEzUv/9x6k6NKgv5erQ/xqSteski2hixxBJNS4qSqO+L69v7W+s0m5AkhxBjEkY0Q77FcOidL2daGXQBK67TCzkbYvr8euVCVsd4dddM5jbVIWxz6uBqXJgu50fss8C2Zd3p8hp7AUkjh8iDNTMLv5/J1La3qt6AAo45kdAjXrGcWEPMWkw==
"tester152", last changed: 2025-03-25 11:57:48, email address: "test@security-bits.de"
Pass: ENC ifzuZr+g67M7/nlMYlyHBT7RHAp0Pga0C2UFykmrPmSRxUR8UqJMySqjfcWz1wln8A7WcLdVJcbdChS3niRm1iA1a1kQ8KaKkDaYx6wenKZTC4e2lMrwfcTcnusFFZy3819AJH6uij4UHI+Lf3d4v2TSlbXMj3u6c1iLA2Ue6BO7Oj4ChPrqndSJzjBJ9GFfayZrKw==
LDAP Servers
No LDAP servers defined!
Groups
~~ Ensure that users are in correct groups ~~
"SSO_Guest_Users", members:
"Guest-group", members: "guest" "tester152"
Networking
Interfaces
~~ Verify list of interfaces ~~
~~ Check management access settings ~~
"wan1": physical interface in dhcp mode
Allow: ping fgfm auto-ipsec
"wan2": physical interface with address 192.168.254.5 255.255.255.0
Allow: ping fgfm auto-ipsec
"modem": physical interface in pppoe mode
"ssl.root": tunnel interface
"internal": physical interface in dhcp mode
Allow: ping https ssh snmp http fgfm capwap
Warning: Management interface!
"test": tunnel interface
Routes
~~ Ensure all routes are valid and necessary ~~
1: To 192.168.254.12 255.255.255.255 via 192.168.254.15 on "wan1"
Comment: "test"
DNS
~~ Ensure that servers are known and config is correct ~~
Primary DNS: 208.91.112.53
Secondary DNS: 208.91.112.52
NTP
~~ Ensure that servers are known and config is correct ~~
Synching from custom
1: "192.168.130.120"
SNMP
No SNMP config defined!
VPN
VPN - Phase 1
~~ Ensure that all profiles are known ~~
"test": interface: "wan1", algorithm: aes256-md5 3des-sha1 aes192-sha1
psksecret: ENC vw0aXS/1rd+nDlm3LIQGT9J51tRKjmnnNkiDleHfbzVlxnCT2acyeDACivgzyqXNauwaoXgqgggH5MdQUcM/BVbFBBJqF2Xk+tluc4QFCLtmWBiqnV0AsNi7t4q9oWxLcv1QkwlE9uNACFHBOhuVxW6lAl4C9HMrgWK6A0m+Q7Bu/6DGfRF0Bp0jc0Cdp1hde1Ry2A==
Comments: "VPN: test (Created by VPN wizard)"
VPN - Phase 2
~~ Ensure that all profiles are known ~~
"test": phase1: "test", algorithm: aes256-md5 3des-sha1 aes192-sha1
Comments: "VPN: test (Created by VPN wizard)"
Firewall
Rules
~~ Verify that each rule is legit ~~
1: accept for "ALL" from "all"("internal") to "all"("wan1")
2: accept for "L2TP" from "all"("test") to "all"("wan1")
Comment: "VPN: test (Created by VPN wizard)"
3: accept for "ALL" from "test_range"("test") to "all"("wan1")
Comment: "VPN: test (Created by VPN wizard)"
4: accept for "FTP_GET" from "appstore"("internal") to "citrix"("wan1")
Virtual IPs
No VIP config found!
Hosts & IPs
FQDNs
~~ Verify that each FQDN description matches the entry ~~
~~ Check that each entry is needed or a default entry ~~
"apple": "*.apple.com" -- 3dac518c-fb5b-51ee-dcb3-e84a9427f563
"dropbox.com": "*.dropbox.com" -- 3daca448-fb5b-51ee-2922-91e118a3ef17
"Gotomeeting": "*.gotomeeting.com" -- 3dacf150-fb5b-51ee-790f-9891837fb688
"icloud": "*.icloud.com" -- 3dad3fca-fb5b-51ee-ed20-d8b3754c5615
"itunes": "*itunes.apple.com" -- 3dad8d0e-fb5b-51ee-f3ed-146c944201ed
"android": "*.android.com" -- 3dadda2a-fb5b-51ee-9d3d-284f7919557f
"skype": "*.messenger.live.com" -- 3dae26d8-fb5b-51ee-d116-32a966c3081f
"swscan.apple.com": "swscan.apple.com" -- 3dae72e6-fb5b-51ee-142f-28a2d68236f4
"update.microsoft.com": "update.microsoft.com" -- 3daec16a-fb5b-51ee-14bb-2e81971f40ed
"appstore": "*.appstore.com" -- 3daf0eea-fb5b-51ee-87da-a22e2775865b
"eease": "*.eease.com" -- 3daf5c38-fb5b-51ee-3f9c-a4c8eeb908f8
"google-drive": "*drive.google.com" -- 3dafa99a-fb5b-51ee-6764-242bdbadabeb
"google-play": "play.google.com" -- 3daff4ae-fb5b-51ee-a472-cb214cef899e
"google-play2": "*.ggpht.com" -- 3db042ba-fb5b-51ee-191f-b558d5c61418
"google-play3": "*.books.google.com" -- 3db09080-fb5b-51ee-3864-6ef72b6dad87
"microsoft": "*.microsoft.com" -- 3db0f9d0-fb5b-51ee-ac92-342a51dc46bd
"adobe": "*.adobe.com" -- 3db14c8c-fb5b-51ee-4e42-786abab5b1c1
"Adobe Login": "*.adobelogin.com" -- 3db19930-fb5b-51ee-460f-cc3075319bc8
"fortinet": "*.fortinet.com" -- 3db1e7c8-fb5b-51ee-d785-b93945fa7b9f
"googleapis.com": "*.googleapis.com" -- 3db235f2-fb5b-51ee-1615-39e9f1393140
"citrix": "*.citrixonline.com" -- 3db283b8-fb5b-51ee-a991-7a60afde1986
"verisign": "*.verisign.com" -- 3db2d174-fb5b-51ee-0f8a-674177aacb05
"Windows update 2": "*.windowsupdate.com" -- 3db31d8c-fb5b-51ee-26e6-9591b714ef09
"*.live.com": "*.live.com" -- 3db36c2e-fb5b-51ee-9594-e8515172a1f6
"auth.gfx.ms": "auth.gfx.ms" -- 3db3b9fe-fb5b-51ee-ab2b-d040ac07035d
"autoupdate.opera.com": "autoupdate.opera.com" -- 3db40864-fb5b-51ee-a1e3-d0f8b08fe038
"softwareupdate.vmware.com": "softwareupdate.vmware.com" -- 3db456de-fb5b-51ee-114c-37512e67b1c5
"firefox update server": "aus*.mozilla.org" -- 3db4a350-fb5b-51ee-28e8-b1fecafca8fc
"security-bits.de fqdn": "security-bits.de" -- 74279038-0ae0-51f0-7434-05bc7926c9f1
IP Ranges
~~ Verify that each range's name matches the description ~~
~~ Check that each entry is needed or a default entry ~~
"SSLVPN_TUNNEL_ADDR1": from 10.212.134.200 to 10.212.134.200 -- 3efdc1ce-fb5b-51ee-dd69-a6a3ad107e8a
"test_range": from 192.168.105.10 to 192.168.105.10 -- dd17076e-0981-51f0-6cc6-7a11076c566f
Comment: "VPN: test (Created by VPN wizard)"
Rest
~~ Verify that each entry is legit ~~
"all": -- 3ef98d16-fb5b-51ee-cb4a-521c90519cdd
"none": subnet: 0.0.0.0 255.255.255.255 -- 3dabf386-fb5b-51ee-2876-146b18da34b0
"security-bits.de ip": subnet: 142.142.204.146 255.255.255.255 -- 8e0b1d4e-0ae0-51f0-98cb-d20c12ab9f2c
Comment: "comment"