Item: FortiConverter
Rating: 10
Author: Shahab Razak

Use Cases and Deployment Scope

FortiConverter is being used for all firewall migrations to FortiGate from legacy platforms. FortiConverter enables a smooth staged migration with minimal to no outages during the cutover windows. We have used it to migrate all Cisco ASA firewalls (virtual and physical) to FortiGate appliances. FortiConverter allows us to properly audit the existing rules and ensure that we do not migrate obsolete, zero hit, and nested or shadow rules to the new platform.

Pros and Cons

Audit existing rulesets from CheckPoint, Cisco, Juniper and other platforms
Build migration rulesets to FortiGate
Stages migration before actual cutover
Reduces or eliminates obsolete and shadow rules
Simple logic

Programming or scripting skills are not needed but highly recommended
Requires excellent command of REGEX
Interface Mapping from complex topologies requires a deep understanding of FortiGate interface capabilities and scripting

Most Important Features

Multi-platform migration support to FortiGate
Easy to use interface for simple topologies
Support migration to multiple VDOMs (virtual FortiGate FWs)
Advance routing support (e.g. Policy-based routing, BGP, etc.)
Enterprise centralized management
Easy to script changes

Return on Investment

Streamlined migrations successful on the first try
Simple and fast cutover maintenance window
Audit and tune existing rule base
Quickly identify shadow rules
Quickly identify rules with elevated access

Alternatives Considered

Palo Alto Networks Next-Generation Firewalls - PA Series, Cisco Firepower 4100 Series and Tufin Orchestration Suite

FortiConverter is the easiest of the firewall migration tools to use compared to Checkpoint SmartMove, Cisco Firewall Migration Tool, FWMIG, etc. It has a more robust user interface and allows you to customize the rule imports as needed. Rulebase analysis, hit count, NAT, and dynamic routing are presented in an easy to understand format with FortiConverter.

Key Insights

Do you think FortiConverter delivers good value for the price?

Yes

Are you happy with FortiConverter's feature set?

Yes

Did FortiConverter live up to sales and marketing promises?

Yes

Did implementation of FortiConverter go as expected?

Yes

Would you buy FortiConverter again?

Yes

Other Software Used

Palo Alto Networks Next-Generation Firewalls - PA Series, Cisco ASA

Likelihood to Recommend

Unless you are rebuilding rules from scratch, FortiConverter is a must-have when migrating legacy rulesets from competing platforms such as Cisco ASA, CheckPoint, Juniper, etc. to FortiGate Appliances. Without FortiConverter, guaranteed there will be some flows you missed and you will be troubleshooting them during your cutover maintenance window. Utilizing FortiConverter, you will minimize such issues as cutover time because you have the ability to stage the new ruleset in advance. Complex topologies and multi-platform migrations require highly skilled consultation from experts that [have] done this several times before.

Users and Roles

5 - Network Engineers on the Firewall Migration Team utilize the FortiConverter tool to migrate legacy rulebase on competitor platforms to the FortiGate platform. Existing rules are imported and analyzed in FortiConverter, tuned, then migrated to the FortiGate platform. This reduces the risk of errors and allows for a smooth and fast cutover.

Support Headcount Required

5 - A DevOps skillset is recommended to operate FortiConverter as scripting and code writing skills will help tremendously when converting rules from a legacy platform such as CheckPoint, Cisco ASA, Juniper, etc. to the FortiGate platform. An expert level knowledge of REGEX is also highly recommended.

Business Processes Supported

Firewall migration to FortiGate platform
Staging firewall migrations
Analyzing existing ruleset
Identifying and removing shadow rules
Consolidating rules

Innovative Uses

Firewall rule consolidation
Identifying shadow rules
Tuning existing rule sets

Future Planned Uses

When upgrading to higher powered appliances
Cloning firewalls in the cloud
Migrating physical firewalls to the cloud

Likelihood to Renew

FortiConverter is currently the best option to assist in migrating legacy firewalls to FortiGate firewalls. FortiConverter is flexible enough to be the single tool to use when migrating Check Point, Cisco ASA, Juniper and other platforms to FortiGate Firewalls. FortiConverter is not a multi-user software however it is easy for multiple engineers to work on a single or multiple migration projects.

Products Replaced

Key Differentiators

Product Features
Product Usability

FortiConverter is provided by the firewall vendor we are migrating to, FortiGate and for this reason it was the best alternative to manual processes, building from scratch. FortiConverter was built for the platform we are migrating to and therefore contained the features and capabilities tested in the field. FortiNet also provided full support for the FortiConverter software.

Evaluation Lessons Learned

Our approach was to migrate context by context, vdom by vdom in a singular fashion. The network topology allowed us to do this on a firewall by firewall basis and stage and test the migration using FortiConverter prior to the maintenance window. This allowed for a very streamlined swing over of physical interfaces and IP addresses. This left lots of room for testing all the applications on the new platform within a regular maintenance window.

FortiConverter - Best Choice

Overall Satisfaction with FortiConverter