WH ITE PAP ER

Migrating to a FortiGate Firewall

FORTINET – MIGRATING TO A FORTIGATE FIREWALL PAGE 2

Introduction
There is often a reluctance to change firewall vendors due to the perception that the migration process is difficult. Indeed,
there is no point hiding the fact that moving to a new vendor requires careful consideration. But concern over the potential
pain of migration should not stand in the way of adopting new security technologies. The purpose of this document is to
describe the best practices for performing such migrations, the benefits a migration process can achieve, and ultimately to
ease the migration process itself.
When faced with migrating to a new firewall vendor, the person who signs off the security budget may consider simply
renewing the existing solution the safer route (from a career perspective). The drawback of such a decision is being stuck
with a vendor who has a lack of vision and has failed to innovate to stay abreast of changes to the networking environment
and threat landscape. Whether it is a lack of new features in the hardware (such as line-rate firewall throughput or very low
latency) or software (such as application control, data loss prevention and WAN optimization), staying with a legacy firewall
has its costs. These costs include increased deployment and configuration challenges, management difficulties, and the
need to complement the solution with additional point products.
The additional functionality and performance a FortiGate solution provides is a strong driver to justify the migration effort. Its
per-device pricing means that you will be able to additional functionality, such as antivirus/antispyware, application control,
web filtering, intrusion prevention, antispam, WAN optimization, or IPSec and SSL VPN, at a similar or lower renewal cost to
your existing firewall-only vendor.

Firewall Migration Drivers

Many organizations have found themselves with several costly and difficult to manage point security solutions due to an
ongoing reactive response to security issues. The additional cost and management overhead of these solutions and a
worldwide tightening of IT budgets has created an ideal opportunity for an end-to-end reconsideration of security
architecture and spend. Many organizations are moving to Fortinet in order to:
• Consolidate multiple security functions without compromising functionality
• Reduce total cost of ownership (TCO)
• Achieve compliance with security standards (PCI, SOX, etc.)
• Improve performance
• Increase visibility of the network, users and applications

The task of changing your firewall to a Fortinet integrated, multi-threat security platform may initially seem a difficult one.
However, the cost-reduction benefits alone achieved by the migration will quickly outweigh the effort needed.
Capital cost reduction
Deploying a defense-in-depth security strategy using stand-alone technologies requires you to invest in additional
devices any time you wish to add a new layer of protection. Eliminating multiple security devices by adopting a
consolidated approach to network and content security enables you to add functionality without adding capital
expenses.
However, consolidation of security functions onto a single appliance can be a risk unless the solution supports high
availability and includes hardware acceleration. Only hardware acceleration delivers the necessary increase in
performance to justify a significant reduction in hardware costs. Adding a single high availability unit increases
resilience and availability during the consolidation process (as opposed to adding several redundant units with
standalone security deployments).
Operating cost reduction
A consolidated architecture such as FortiGate allows the management of multiple security functions from a single
management interface and centralizes logging and reporting. This reduces the number of products an administrator
needs to learn and monitor.
The benefits of consolidation and hardware acceleration for the data center are often overlooked when calculating the
ROI for such a migration. Consolidating multiple security technologies onto a single appliance results in significant
FORTINET – MIGRATING TO A FORTIGATE FIREWALL PAGE 3

reductions in rack space, power, and cooling requirements. Reducing the amount of space and power consumed is of
critical importance in any data enter.
Fortinet can take the consolidation one further step by consolidating multiple devices into a single appliance via the use
of Virtual Domains (VDOMs). FortiGate VDOM technology allows multiple logical firewalls to be run on a single physical
device, reducing the firewall footprint even further.

Feature Rich Security

The features and benefits of a FortiGate solution are described in detail at www.fortinet.com, but Figure 1 below shows the
wide range of security and networking technologies that are integrated into the FortiGate platform:

Figure 1: FortiGate Real-Time Protection

When considering a Fortinet solution, you may currently have requirements for only one or two of the features described
above. However, there may be an opportunity at a later date to consolidate additional functionality (or add security services
not currently provided with your existing infrastructure) in order to realize additional cost savings. The Fortinet solution is
infinitely flexible; the remaining features are available at any time should you need to switch them on to help resolve an
immediate need, increasing the future ROI significantly.

Threat evolution
Security is a dynamic industry and new threats are developing and evolving constantly. The best defense against such a
dynamic threat is a dynamic threat prevention system. Consider the botnet, the scourge of the security industry and source
of most spam and denial of service attacks. Fortinet protect against such activity via multiple layers of complimentary
security:
• Antivirus: Prevents infections that lead to the install of the botnet software
• Antispam: Prevents the resulting spam from the botnets (primary source of spam)
• Application Control: Detects and blocks botnet activity on the network
• Intrusion Prevention: Prevents dial home, propagation activity and known exploits
• Web Filtering: Blocks access to known malware and drive-by download sites
The FortiGate solution, together with the FortiAnalyzer logging and reporting system provides deep visibility into the security
and activity on network. Together these facilities can be used to enable compliance with key standard such as PCI, SOX,
and Data Protection. As the standards have evolved, so too have Fortinet solutions to provide deeper visibility and greater
reporting capabilities to help adhere to these standards.
FORTINET – MIGRATING TO A FORTIGATE FIREWALL PAGE 4

Documentation and Training

One of the biggest hurdles faced in migrating from your existing firewall vendor will be the loss of knowledge built up over
time with your current vendor. Unfortunately this will often be the wrong type of experience, gained by many hours of
debugging issues and scouring the internet for help. Fortinet is different from most vendors, and rather than hide
information away behind logins requiring support contracts, much of our information is freely available to help convince you
that the migration task is not as daunting as it may have first appeared.
Product Documentation
Fortinet release all product documentation via http://docs.fortinet.com/ . This site includes the product manuals and
release notes as well as other documents, including those listed below. These change with each release and are aimed
at making configuration of the device and the individual features as simple as possible.
• What’s New Guide
• Quick start Guide
• VPN (IPSec and SSL) install Guides
• Authentication Guide
• WAN Optimization and Caching Guide
Knowledge Base
For the more technical questions and tips and tricks there is the Fortinet Knowledge Base http://kb.fortinet.com/. This is
a system maintained by the Fortinet Support TAC and contains details of the most common issues and how to resolve
them and information such as interoperability guides (how to VPN to a Cisco PIX).
There is also a link to the FortiTips site, containing short videos describing everything from how to cable the FortiGate,
how to configure the external interface and how to back the system up through to the more complicated configuration of
the IPS and using Identity Based Policies.
Training
Fortinet offer many levels of product training for the varying levels of requirements. There are the simple FortiTips
described above as well as a host of free self-paced training videos to be found on the Fortinet Campus
(http://campus.training.fortinet.com/) These include more detailed courses such as FortiGate 101, Introduction to
Cryptography and IPSec Debugging. They are free of charge and can be accessed at your leisure.
Should you have a requirement for more formal, complete, classroom style training, there are several courses and
exams which can be sat to achieve your FCNSA and FCNSP qualifications. These courses are run both in house and
via our Authorized Training Centers across the globe, details of which can be found via
http://campus.training.fortinet.com/.
FORTINET – MIGRATING TO A FORTIGATE FIREWALL PAGE 5

Planning for a Successful Firewall Migration

The success to any project, particularly firewall migration is planning. A common methodology used in such projects is the
Plan Do Check Act cycle 1, illustrated by Figure 2. It is an iterative cycle so multiple passes can be made:

Plan Audit network

Review the existing policy
Develop test plan
Do Migrate the policy to the new hardware
Check Validate the policy
Act Make necessary changes following validation

Figure 2 - Plan Do Check Act Cycle.

Plan Schedule migration dates and test windows Image Source Karn G. Bulsuk
(http://karnbulsuk.blogspot.com )
Develop migration and test plan
Develop acceptance test
Do Go live
Check Test and validate
Perform acceptance testing
Act Make necessary changes following testing and validation

Following such a structured methodology is useful to minimize disruption to the network users and reduce risk. Some of the
common steps in this cycle are described in more detail below.

Information Gathering
It is always a good idea to perform a full network audit prior to any migration. This should include:
• Full back up of all security systems (including switches, routers) in case a back-out needs to be performed.
• Physical and logical network diagram with visual audit
Understanding exactly where cables run in the network and verifying they are all correctly labeled is essential to avoid
mistakes and unnecessary downtime during the upgrade. Don’t overlook simple things such as:
• Do I have enough spare interfaces on my switches?
• Do I have the right fiber (single/multi mode) and right connectors (LC, FC, MTRJ, SC, ST)?
• Do I have spare cables? (in the heat of the moment, it is simple mistake to break an RJ-45 connector or damage
a fiber)
• Do I have space in the rack for the new equipment?
• Do I have enough power sockets?
No matter how securely a FortiGate is configured in the network, it cannot help if it has been bypassed; visually
checking where the device sits in the network in relation to other devices will ensure you are maintaining security and
verify the network diagram is ‘as built’. Details of all networks including subnet masks should be documented at this
point to ensure that the replacement device is configured with the correct information.

1 http://en.wikipedia.org/wiki/PDCA
FORTINET – MIGRATING TO A FORTIGATE FIREWALL PAGE 6

Configuration Analysis
Given the fact that you are going to the effort to migrate the firewall policy, it would be pointless to migrate it verbatim. It
is a perfect time to verify that the policy adheres to the corporate standard and that temporary rules have not been
accidentally left in place and additional permissions given to users are not being misused. Over time, the live
configuration tends to creep away from the security policy so check the existing firewall rules and functions to see what
is out of conformance and needs removing, what is superfluous, and what needs to be added.
FortiGate firewalls support transparent user based authentication with Active Directory so you can remove all of those
static IP addresses that have been created for individual users and move to a more dynamic, location independent
method of filtering to reduce the risk of incorrectly applied policy.

Object and Policy Migration

Whilst we have suggested some level of manual review is included in the policy migration, it can be useful to be able to
automatically migrate simply between another vendor’s format and the FortiGate format. The FortiGate policy format is
text based and can easily be cut and pasted into from other vendor formats however, responding to the high customer
demand to migrate away from other vendors, Fortinet have released an automatic configuration migration tool at
https://convert.fortinet.com/ to simplify this process. Supporting Cisco ACLs, PIX, ASA, Check Point and Juniper, the
Converter can securely upload and convert the policy into the Fortinet format.

Figure 3: FortiConverter - Firewall policy migration tool

Testing and Validation

This is an important process and should be tested offline first wherever possible i.e. configure the policy in the lab or on
a test network and verify that the required access permissions are being implemented. To really test the solution out,
the FortiGate can be implemented on the live network with a different gateway IP and the selected user pointed to the
new gateway. This allows a staged approach to migrating the new platform into the network ensuring that the process
does not interrupt day to day operations.
FORTINET – MIGRATING TO A FORTIGATE FIREWALL PAGE 7

Go live and feedback

If testing and validation is successful at this point, you can migrate to the new firewall either by switching IP's and
removing the old devices or by changing the default gateway in DHCP. Once the firewall is in place, acceptance testing
will of course need to be carried out and an iterative process of tuning undertaken to finalize the configuration.

Adding new services

The Fortinet solution will have a plethora of additional features compared to your previous vendor and it is very tempting
to start switching them on but it is a good idea to wait and validate the new firewall as was previously configured before
adding new functions as this simplifies testing and problem diagnosis. Finally complete the migration (don’t’ forget
about the Plan Do Check Act Cycle) by adding any new services that were requested and learn about the multiple
features you have available with the FortiGate appliance.

Conclusion
Migrating firewall vendors is a daunting task which some rely on to maintain their customer base. Knowing this, Fortinet
have provided a complete toolset to aid the migration to Fortinet, from free self paced training to rule set conversion utilities.
The Fortinet solution is so feature rich that migrating away from your existing vendor makes both technical and commercial
sense, and with careful planning and help along the way from Fortinet, it needn’t prevent you from making the leap. Trade-
in incentive programs are available from Fortinet to further help the process so contact your Fortinet account manager today
to see just how much you can benefit from a Fortinet solution.

WP-FW-UPGRADE-R1-201008