Introduction
There is often a reluctance to change firewall vendors due to the perception that the migration process is difficult. Indeed,
there is no point hiding the fact that moving to a new vendor requires careful consideration. But concern over the potential
pain of migration should not stand in the way of adopting new security technologies. The purpose of this document is to
describe the best practices for performing such migrations, the benefits a migration process can achieve, and ultimately to
ease the migration process itself.
When faced with migrating to a new firewall vendor, the person who signs off the security budget may consider simply
renewing the existing solution the safer route (from a career perspective). The drawback of such a decision is being stuck
with a vendor who has a lack of vision and has failed to innovate to stay abreast of changes to the networking environment
and threat landscape. Whether it is a lack of new features in the hardware (such as line-rate firewall throughput or very low
latency) or software (such as application control, data loss prevention and WAN optimization), staying with a legacy firewall
has its costs. These costs include increased deployment and configuration challenges, management difficulties, and the
need to complement the solution with additional point products.
The additional functionality and performance a FortiGate solution provides is a strong driver to justify the migration effort. Its
per-device pricing means that you will be able to add functionality, such as antivirus/antispyware, application control,
web filtering, intrusion prevention, antispam, WAN optimization, or IPSec and SSL VPN, at a similar or lower renewal cost to
your existing firewall-only vendor.
The task of changing your firewall to a Fortinet integrated, multi-threat security platform may initially seem a difficult one.
However, the cost-reduction benefits alone achieved by the migration will quickly outweigh the effort needed.
Capital cost reduction
Deploying a defense-in-depth security strategy using stand-alone technologies requires you to invest in additional
devices any time you wish to add a new layer of protection. Eliminating multiple security devices by adopting a
consolidated approach to network and content security enables you to add functionality without adding capital
expenses.
However, consolidation of security functions onto a single appliance can be a risk unless the solution supports high
availability and includes hardware acceleration. Only hardware acceleration delivers the necessary increase in
performance to justify a significant reduction in hardware costs. Adding a single high availability unit increases
resilience and availability during the consolidation process (as opposed to adding several redundant units with
standalone security deployments).
Operating cost reduction
A consolidated architecture such as FortiGate allows the management of multiple security functions from a single
management interface and centralizes logging and reporting. This reduces the number of products an administrator
needs to learn and monitor.
The benefits of consolidation and hardware acceleration for the data center are often overlooked when calculating the
ROI for such a migration. Consolidating multiple security technologies onto a single appliance results in significant
FORTINET – MIGRATING TO A FORTIGATE FIREWALL PAGE 3
reductions in rack space, power, and cooling requirements. Reducing the amount of space and power consumed is of
critical importance in any data center.
Fortinet can take the consolidation one further step by consolidating multiple devices into a single appliance via the use
of Virtual Domains (VDOMs). FortiGate VDOM technology allows multiple logical firewalls to be run on a single physical
device, reducing the firewall footprint even further.
When considering a Fortinet solution, you may currently have requirements for only one or two of the features described
above. However, there may be an opportunity at a later date to consolidate additional functionality (or add security services
not currently provided with your existing infrastructure) in order to realize additional cost savings. The Fortinet solution is
infinitely flexible; the remaining features are available at any time should you need to switch them on to help resolve an
immediate need, increasing the future ROI significantly.
Threat evolution
Security is a dynamic industry and new threats are developing and evolving constantly. The best defense against such a
dynamic threat is a dynamic threat prevention system. Consider the botnet, the scourge of the security industry and source
of most spam and denial of service attacks. Fortinet protects against such activity via multiple layers of complementary
security:
• Antivirus: Prevents infections that lead to the install of the botnet software
• Antispam: Prevents the resulting spam from the botnets (primary source of spam)
• Application Control: Detects and blocks botnet activity on the network
• Intrusion Prevention: Prevents dial home, propagation activity and known exploits
• Web Filtering: Blocks access to known malware and drive-by download sites
The FortiGate solution, together with the FortiAnalyzer logging and reporting system, provides deep visibility into the security
and activity on the network. Together these facilities can be used to enable compliance with key standards such as PCI, SOX,
and Data Protection. As the standards have evolved, so too have Fortinet solutions to provide deeper visibility and greater
reporting capabilities to help adhere to these standards.
Following such a structured methodology is useful to minimize disruption to the network users and reduce risk. Some of the
common steps in this cycle are described in more detail below.
Information Gathering
It is always a good idea to perform a full network audit prior to any migration. This should include:
• Full back up of all security systems (including switches, routers) in case a back-out needs to be performed.
• Physical and logical network diagram with visual audit
Understanding exactly where cables run in the network and verifying they are all correctly labeled is essential to avoid
mistakes and unnecessary downtime during the upgrade. Don’t overlook simple things such as:
• Do I have enough spare interfaces on my switches?
• Do I have the right fiber (single/multi mode) and right connectors (LC, FC, MTRJ, SC, ST)?
• Do I have spare cables? (in the heat of the moment, it is a simple mistake to break an RJ-45 connector or damage
a fiber)
• Do I have space in the rack for the new equipment?
• Do I have enough power sockets?
No matter how securely a FortiGate is configured in the network, it cannot help if it has been bypassed; visually
checking where the device sits in the network in relation to other devices will ensure you are maintaining security and
verify the network diagram is ‘as built’. Details of all networks including subnet masks should be documented at this
point to ensure that the replacement device is configured with the correct information.
1 http://en.wikipedia.org/wiki/PDCA
Configuration Analysis
Given the fact that you are going to the effort to migrate the firewall policy, it would be pointless to migrate it verbatim. It
is a perfect time to verify that the policy adheres to the corporate standard and that temporary rules have not been
accidentally left in place and additional permissions given to users are not being misused. Over time, the live
configuration tends to creep away from the security policy so check the existing firewall rules and functions to see what
is out of conformance and needs removing, what is superfluous, and what needs to be added.
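As an added example (not Fortinet's rule set conversion utilities, nor code from this document), the following Python script audits a constructed, vendor-neutral rule base for the problems just described: rules that can never match because an earlier first-match rule shadows them, any-to-any accept rules, and "temporary" rules whose expiry date has passed. The rule format, field names and dates are assumptions.

```python
import ipaddress
from datetime import date

# Constructed sample rule base (not a real firewall export); first matching rule wins.
RULES = [
    {"name": "r1", "src": "10.0.0.0/8", "dst": "0.0.0.0/0", "proto": "tcp", "port": 443, "action": "accept"},
    {"name": "r2", "src": "10.1.2.0/24", "dst": "192.0.2.10/32", "proto": "tcp", "port": 443, "action": "accept"},
    {"name": "r3", "src": "10.1.2.5/32", "dst": "192.0.2.20/32", "proto": "tcp", "port": 22, "action": "accept",
     "expires": "2010-06-30"},  # assumed convention: temporary rules carry an ISO expiry date
    {"name": "r4", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "port": "any", "action": "accept"},
    {"name": "r5", "src": "10.0.0.0/8", "dst": "0.0.0.0/0", "proto": "udp", "port": 53, "action": "accept"},
]
REVIEW_DATE = date(2010, 8, 1)  # constructed audit date used for the expiry check


def _covers(outer, inner):
    """True if every packet matching `inner` would already match `outer`."""
    if not ipaddress.ip_network(inner["src"]).subnet_of(ipaddress.ip_network(outer["src"])):
        return False
    if not ipaddress.ip_network(inner["dst"]).subnet_of(ipaddress.ip_network(outer["dst"])):
        return False
    if outer["proto"] not in ("any", inner["proto"]):
        return False
    return outer["port"] in ("any", inner["port"])


def audit_rules(rules, today):
    """Return (rule name, finding) pairs for a first-match rule base, in rule order."""
    findings = []
    for i, rule in enumerate(rules):
        # A rule fully covered by an earlier rule never fires: superfluous, drop it before migrating.
        for earlier in rules[:i]:
            if _covers(earlier, rule):
                findings.append((rule["name"], f"shadowed by {earlier['name']}"))
                break
        # An any-to-any accept is the classic temporary rule that was never removed.
        if (rule["action"] == "accept" and rule["src"] == "0.0.0.0/0"
                and rule["dst"] == "0.0.0.0/0" and rule["proto"] == "any"):
            findings.append((rule["name"], "permits any-to-any traffic"))
        # Temporary rules with a past expiry date are out of conformance with the policy.
        expires = rule.get("expires")
        if expires and date.fromisoformat(expires) < today:
            findings.append((rule["name"], f"temporary rule expired {expires}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rules(RULES, REVIEW_DATE):
        print(f"{name}: {finding}")
```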
FortiGate firewalls support transparent user-based authentication with Active Directory, so you can remove all of those
static IP addresses that have been created for individual users and move to a more dynamic, location-independent
method of filtering to reduce the risk of incorrectly applied policy.
Conclusion
Migrating firewall vendors is a daunting task, which some vendors rely on to maintain their customer base. Knowing this, Fortinet
has provided a complete toolset to aid the migration to Fortinet, from free self-paced training to rule set conversion utilities.
The Fortinet solution is so feature rich that migrating away from your existing vendor makes both technical and commercial
sense, and with careful planning and help along the way from Fortinet, it needn't prevent you from making the leap. Trade-in
incentive programs are available from Fortinet to further help the process, so contact your Fortinet account manager today
to see just how much you can benefit from a Fortinet solution.
WP-FW-UPGRADE-R1-201008