Alcatel-Lucent Conversion

Alcatel-Lucent differences

Conversion support

FortiConverter supports the conversion of the following Alcatel-Lucent Brick features:

  • Interfaces
  • Host Groups
  • Service Groups
  • Zone Brick Rulesets

Fortinet plans to support the following Lucent features in a future FortiConverter release:

  • NAT
  • Schedule
  • VPN
  • Hosts Behind Zone

Address and address group configuration

  • Lucent host addresses are mapped to FortiGate addresses.
  • Lucent host groups are mapped to FortiGate address groups.
  • Virtual Brick Addresses (VBA) aren't supported.

Interface configuration

  • FortiConverter assigns default VLAN configuration directly to physical interfaces.
  • FortiConverter considers all VLANs named "*" or "Port Default" to be the default VLAN configuration.
  • Domain Addresses aren't supported.

Service and Service Group configuration

  • Lucent Service Groups are mapped to FortiGate Service Groups.
  • Lucent service "*" maps to FortiGate service "any".

Policy configuration

Lucent Brick Zone Rulesets operate at the zone level, which has no direct equivalent in FortiGate. Zone rulesets need to be translated into equivalent FortiGate policies.

FortiConverter translates Lucent Brick rules by separating traffic into two categories: inter-partition and intra-partition.

  • Inter-partition traffic behaves like inter-VDOM traffic, and is simple to convert to FortiGate policies.
  • Intra-partition traffic is more complicated to convert because multiple zone rules can be applied.

FortiConverter handles the inter-partition traffic by creating a general policy for each rule.

FortiConverter handles the intra-partition traffic by looking for all matches between two zone rulesets. FortiConverter looks at 3 fields: source, destination, and service. All 3 fields must overlap for the rules to match. FortiConverter creates a policy for each match using the intersection of each field.

The action of the rules determines the action of the converted policy, as shown in the following table:

| Rule 1 | Rule 2 | Policy |
|---|---|---|
| Pass | Pass | Accept |
| Pass | Drop | Deny |
| Drop | Pass | Deny |
| Drop | Drop | Deny |

Inter-partition Deny policies have higher priority than intra-partition policies, while inter-partition Accept policies have lower priority than intra-partition policies.

Lucent default ruleset "firewall" is currently unsupported.

VDOM configuration

  • Lucent partitions map to FortiGate VDOMs.
  • VDOM names are limited to 11 characters. FortiConverter truncates longer names to 11 characters.
  • Lucent partition "*Default" maps to the FortiGate root VDOM.

Example conversion

The following block diagram and tables illustrate a Lucent configuration with 2 partitions and 3 zones.

Zone eth0 Ruleset

| Rule Num | Direction | Source | Destination | Service | Action |
|---|---|---|---|---|---|
| 1000 | Out | 192.168.1.15 | 172.30.10.1/24 | * | Drop |
| 1001 | Both | 192.168.1.0/24 | 172.30.10.1/24 | * | Pass |

Zone eth1 Ruleset

| Rule Num | Direction | Source | Destination | Service | Action |
|---|---|---|---|---|---|
| 1000 | In | * | 172.30.10.5 - 172.30.10.20 | TCP | Pass |
| 1001 | Both | 192.168.1.132 | 172.30.10.9 | * | Pass |

Zone eth2 Ruleset

| Rule Num | Direction | Source | Destination | Service | Action |
|---|---|---|---|---|---|
| 1000 | Both | * | 10.10.15.0/24 | HTTP | Pass |

This Lucent configuration creates the following FortiGate configuration. Inter-partition rules are in bold.

VDOM lab-hosts Policies

| Policy Num | Src Interface | Dst Interface | Source | Destination | Service | Action |
|---|---|---|---|---|---|---|
| 10000 | eth0 | any | 192.168.1.15 | 172.30.10.1/24 | * | Deny |
| 10001 | eth0 | eth1 | 192.168.1.0/24 | 172.30.10.5 - 172.30.10.20 | TCP | Accept |
| 10002 | eth0 | eth1 | 192.168.1.132 | 172.30.10.9 | * | Accept |
| 10003 | eth0 | any | 192.168.1.0/24 | 172.30.10.1/24 | * | Accept |
| 10004 | any | eth0 | 192.168.1.0/24 | 172.30.10.1/24 | * | Accept |
| 10005 | eth1 | eth0 | 192.168.1.132 | 172.30.10.9 | * | Accept |
| 10006 | eth1 | any | 192.168.1.132 | 172.30.10.9 | * | Accept |
| 10007 | any | eth1 | 192.168.1.132 | 172.30.10.9 | * | Accept |

VDOM office-hosts Policies

| Policy Num | Src Interface | Dst Interface | Source | Destination | Service | Action |
|---|---|---|---|---|---|---|
| 10000 | any | eth2 | any | 10.10.15.0/24 | HTTP | Accept |
| 10001 | eth2 | any | 10.10.15.0/24 | any | TCP | Accept |
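
The pairwise intra-partition match described under Policy configuration (overlap on source, destination and service, intersection of each field, action from the action table), as an added Python example that is not FortiConverter's own code. It is useful for spot-checking converted policies against the original zone rules, here reproducing policies 10001 and 10002 above. The names `Rule`, `match_rules` and the helpers are hypothetical; rule direction and policy ordering are not modelled, and service names are assumed to be opaque labels with `*` as the only wildcard.

```python
import ipaddress
from collections import namedtuple
# Hypothetical container for one zone-ruleset row; rule direction is not modelled.
Rule = namedtuple("Rule", "zone src dst svc action")

def parse_addr(spec):
    """Turn '*', a host, a CIDR or an 'a - b' range into (first, last) integers."""
    spec = spec.strip()
    if spec == "*":
        return (0, 2**32 - 1)
    if "-" in spec:
        return tuple(int(ipaddress.IPv4Address(p.strip())) for p in spec.split("-"))
    net = ipaddress.ip_network(spec, strict=False)  # tolerates host bits (172.30.10.1/24)
    return (int(net.network_address), int(net.broadcast_address))

def fmt_addr(rng):
    """Render a range as host, CIDR or 'a - b' (the whole space prints as 0.0.0.0/0)."""
    lo, hi = ipaddress.IPv4Address(rng[0]), ipaddress.IPv4Address(rng[1])
    nets = list(ipaddress.summarize_address_range(lo, hi))
    if len(nets) != 1:
        return f"{lo} - {hi}"
    return str(lo) if nets[0].prefixlen == 32 else str(nets[0])

def overlap_addr(a, b):
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def overlap_svc(a, b):
    # Assumption: service names are opaque labels and only "*" is a wildcard.
    if a == "*":
        return b
    return a if b in ("*", a) else None

def match_rules(r1, r2):
    """Return the policy for two zone rules, or None unless all three fields overlap."""
    src = overlap_addr(parse_addr(r1.src), parse_addr(r2.src))
    dst = overlap_addr(parse_addr(r1.dst), parse_addr(r2.dst))
    svc = overlap_svc(r1.svc, r2.svc)
    if src is None or dst is None or svc is None:
        return None
    action = "Accept" if r1.action == r2.action == "Pass" else "Deny"  # page's action table
    return {"srcintf": r1.zone, "dstintf": r2.zone, "src": fmt_addr(src),
            "dst": fmt_addr(dst), "service": svc, "action": action}

# Rows copied from the page's example rulesets.
ETH0_1001 = Rule("eth0", "192.168.1.0/24", "172.30.10.1/24", "*", "Pass")
ETH1_1000 = Rule("eth1", "*", "172.30.10.5 - 172.30.10.20", "TCP", "Pass")
ETH1_1001 = Rule("eth1", "192.168.1.132", "172.30.10.9", "*", "Pass")
ETH2_1000 = Rule("eth2", "*", "10.10.15.0/24", "HTTP", "Pass")
```

`match_rules(ETH0_1001, ETH1_1000)` yields the fields of policy 10001, and pairing `ETH0_1001` with `ETH2_1000` returns `None` because the destinations do not overlap.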
