Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Online Help

    6.2.0
    7.2.0
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.2
    6.2.1
    6.2.0
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    Alcatel-Lucent Conversion

    Alcatel-Lucent Conversion

    Alcatel-Lucent differences

    Conversion support

    FortiConverter supports the conversion of the following Alcatel-Lucent Brick features:

    • Interfaces
    • Host Groups
    • Service Groups
    • Zone Brick Rulesets

    Fortinet plans to support the following Lucent features in a future FortiConverter release:

    • NAT
    • Schedule
    • VPN
    • Hosts Behind Zone

    Address and address group configuration

    • Lucent host addresses are mapped to FortiGate addresses.
    • Lucent host groups are mapped to FortiGate address groups.
    • Virtual Brick Addresses (VBA) aren't supported.

    Interface configuration

    • FortiConverter assigns default VLAN configuration directly to physical interfaces.
    • FortiConverter considers all VLANs named "*" or "Port Default" to be the default VLAN configuration.
    • Domain Addresses aren't supported.

    Service and Service Group configuration

    • Lucent Service Groups are mapped to FortiGate Service Groups.
    • Lucent service "*" maps to FortiGate service "any".

    Policy configuration

    Lucent Brick Zone Rulesets operate at the zone level, which has no direct equivalent in FortiGate. Zone rulesets need to be translated into equivalent FortiGate policies.

    FortiConverter translates Lucent Brick rules by separating traffic into two categories: inter-partition and intra-partition.

    • Inter-partition traffic behaves like inter-VDOM traffic, and is simple to convert to FortiGate policies.
    • Intra-partition traffic is more complicated to convert because multiple zone rules can be applied.

    FortiConverter handles the inter-partition traffic by creating a general policy for each rule.

    FortiConverter handles the intra-partition traffic by looking for all matches between two zone rulesets. FortiConverter looks at 3 fields: source, destination, and service. All 3 fields must overlap for the rules to match. FortiConverter creates a policy for each match using the intersection of each field.

    The action of the rules determines the action of the converted policy, as shown in the following table:

    Rule 1 Rule 2 Policy
    Pass Pass Accept
    Pass Drop Deny
    Drop Pass Deny
    Drop Drop Deny

    Inter-partition Deny policies have higher priority than intra-partition policies, while inter-partition Accept policies have lower priority than intra-partition policies.

    Lucent default ruleset "firewall" is currently unsupported.

    VDOM configuration

    • Lucent partitions map to FortiGate VDOMs.
    • VDOM names are limited to 11 characters. FortiConverter truncates longer names to 11 characters.
    • Lucent partition "*Default" maps to the FortiGate root VDOM.

    Example conversion

    The following block diagram and tables illustrates a Lucent configuration with 2 partitions and 3 zones.

    Zone eth0 Ruleset
    Rule Num Direction Source Destination Service Action
    1000 Out 192.168.1.15 172.30.10.1/24 * Drop
    1001 Both 192.168.1.0/24 172.30.10.1/24 * Pass
    Zone eth1 Ruleset
    Rule Num Direction Source Destination Service Action
    1000 In * 172.30.10.5 - 172.30.10.20 TCP Pass
    1001 Both 192.168.1.132 172.30.10.9 * Pass
    Zone eth2 Ruleset
    Rule Num Direction Source Destination Service Action
    1000 Both * 10.10.15.0/24 HTTP Pass

    This Lucent configuration creates the following FortiGate configuration. Inter-partition rules are in bold.

    VDOM lab-hosts Policies
    Policy Num Src Interface Dst Interface Source Destination Service Action
    10000 eth0 any 192.168.1.15 172.30.10.1/24 * Deny
    10001 eth0 eth1 192.168.1.0/24 172.30.10.5 - 172.30.10.20 TCP Accept
    10002 eth0 eth1 192.168.1.132 172.30.10.9 * Accept
    10003 eth0 any 192.168.1.0/24 172.30.10.1/24 * Accept
    10004 any eth0 192.168.1.0/24 172.30.10.1/24 * Accept
    10005 eth1 eth0 192.168.1.132 172.30.10.9 * Accept
    10006 eth1 any 192.168.1.132 172.30.10.9 * Accept
    10007 any eth1 192.168.1.132 172.30.10.9 * Accept
    VDOM office-hosts Policies
    Policy Num Src Interface Dst Interface Source Destination Service Action
    10000 any eth2 any 10.10.15.0/24 HTTP Accept
    10001 eth2 any 10.10.15.0/24 any TCP Accept
    Previous
    Next

    Alcatel-Lucent Conversion

    Alcatel-Lucent Conversion

    Alcatel-Lucent differences

    Conversion support

    FortiConverter supports the conversion of the following Alcatel-Lucent Brick features:

    • Interfaces
    • Host Groups
    • Service Groups
    • Zone Brick Rulesets

    Fortinet plans to support the following Lucent features in a future FortiConverter release:

    • NAT
    • Schedule
    • VPN
    • Hosts Behind Zone

    Address and address group configuration

    • Lucent host addresses are mapped to FortiGate addresses.
    • Lucent host groups are mapped to FortiGate address groups.
    • Virtual Brick Addresses (VBA) aren't supported.

    Interface configuration

    • FortiConverter assigns default VLAN configuration directly to physical interfaces.
    • FortiConverter considers all VLANs named "*" or "Port Default" to be the default VLAN configuration.
    • Domain Addresses aren't supported.

    Service and Service Group configuration

    • Lucent Service Groups are mapped to FortiGate Service Groups.
    • Lucent service "*" maps to FortiGate service "any".

    Policy configuration

    Lucent Brick Zone Rulesets operate at the zone level, which has no direct equivalent in FortiGate. Zone rulesets need to be translated into equivalent FortiGate policies.

    FortiConverter translates Lucent Brick rules by separating traffic into two categories: inter-partition and intra-partition.

    • Inter-partition traffic behaves like inter-VDOM traffic, and is simple to convert to FortiGate policies.
    • Intra-partition traffic is more complicated to convert because multiple zone rules can be applied.

    FortiConverter handles the inter-partition traffic by creating a general policy for each rule.

    FortiConverter handles the intra-partition traffic by looking for all matches between two zone rulesets. FortiConverter looks at 3 fields: source, destination, and service. All 3 fields must overlap for the rules to match. FortiConverter creates a policy for each match using the intersection of each field.

    The action of the rules determines the action of the converted policy, as shown in the following table:

    Rule 1 Rule 2 Policy
    Pass Pass Accept
    Pass Drop Deny
    Drop Pass Deny
    Drop Drop Deny

    Inter-partition Deny policies have higher priority than intra-partition policies, while inter-partition Accept policies have lower priority than intra-partition policies.

    Lucent default ruleset "firewall" is currently unsupported.

    VDOM configuration

    • Lucent partitions map to FortiGate VDOMs.
    • VDOM names are limited to 11 characters. FortiConverter truncates longer names to 11 characters.
    • Lucent partition "*Default" maps to the FortiGate root VDOM.

    Example conversion

    The following block diagram and tables illustrates a Lucent configuration with 2 partitions and 3 zones.

    Zone eth0 Ruleset
    Rule Num Direction Source Destination Service Action
    1000 Out 192.168.1.15 172.30.10.1/24 * Drop
    1001 Both 192.168.1.0/24 172.30.10.1/24 * Pass
    Zone eth1 Ruleset
    Rule Num Direction Source Destination Service Action
    1000 In * 172.30.10.5 - 172.30.10.20 TCP Pass
    1001 Both 192.168.1.132 172.30.10.9 * Pass
    Zone eth2 Ruleset
    Rule Num Direction Source Destination Service Action
    1000 Both * 10.10.15.0/24 HTTP Pass

    This Lucent configuration creates the following FortiGate configuration. Inter-partition rules are in bold.

    VDOM lab-hosts Policies
    Policy Num Src Interface Dst Interface Source Destination Service Action
    10000 eth0 any 192.168.1.15 172.30.10.1/24 * Deny
    10001 eth0 eth1 192.168.1.0/24 172.30.10.5 - 172.30.10.20 TCP Accept
    10002 eth0 eth1 192.168.1.132 172.30.10.9 * Accept
    10003 eth0 any 192.168.1.0/24 172.30.10.1/24 * Accept
    10004 any eth0 192.168.1.0/24 172.30.10.1/24 * Accept
    10005 eth1 eth0 192.168.1.132 172.30.10.9 * Accept
    10006 eth1 any 192.168.1.132 172.30.10.9 * Accept
    10007 any eth1 192.168.1.132 172.30.10.9 * Accept
    VDOM office-hosts Policies
    Policy Num Src Interface Dst Interface Source Destination Service Action
    10000 any eth2 any 10.10.15.0/24 HTTP Accept
    10001 eth2 any 10.10.15.0/24 any TCP Accept
    Previous
    Next