Cisco Conversions

Cisco differences

General

  • FortiGate’s set allowaccess command for interfaces has no equivalent on Cisco firewalls. Because FortiGate requires this setting, FortiConverter enables all administrative services (ping, HTTPS, SSH, and so on) on every converted interface by default. Review the generated interfaces and remove any service that should not be reachable, especially on Internet-facing interfaces.
  • FortiGate doesn't allow a service and a service group to share a name, so when the Cisco configuration contains such a pair FortiConverter appends the suffix "_conflict" to the service name. It is recommended that you rename these objects.
  • On Cisco IPsec VPNs, Phase 1 (ISAKMP) supports more than two authentication methods. FortiGate supports only two, pre-share and rsa-sig, so you must assign one of these methods to each VPN connection. The wizard converts Cisco EZVPN configuration to FortiGate VPN policies with srcintf set to "<tunnel-interface-name>" (the phase1-interface object name) and dstintf set to "any".
  • FortiConverter doesn't support the following Cisco configuration elements:
      • Wildcard netmasks in access-list and object-group objects. Entries that use them are not converted, so compare the converted policy against the original ACLs to find rules that were dropped.
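The following script, added here as an example and not part of FortiConverter or the Fortinet documentation, implements two of the checks these points call for: it scans a Cisco configuration for access-list and object-group entries that use wildcard masks (which the converter drops), and it audits the allowaccess lines of a converted FortiGate configuration for administrative services that the converter enabled but that should not remain. Both configuration fragments are constructed samples, and the access baseline it enforces (only ping on WAN-role interfaces, no HTTP or Telnet anywhere) is an assumption, not something this page prescribes.

```python
"""Pre- and post-conversion checks for the points above.
Added example, not FortiConverter code.  Both configuration fragments are
constructed samples; the allowaccess baseline is an assumption."""
import ipaddress
import re

# Check 1: Cisco access-list / object-group entries with wildcard masks.
# FortiConverter does not convert these, so they silently disappear from
# the resulting FortiGate policy.  Constructed IOS/ASA-style fragment:
CISCO_CONFIG = """\
hostname edge-rtr
object-group network DMZ_HOSTS
 10.20.0.0 255.255.255.0
 host 10.20.1.5
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.10 eq 443
access-list 101 deny ip 10.0.0.0 0.0.1.255 any
access-list 101 permit ip host 10.0.5.5 any
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.7 eq 22
access-list OUTSIDE_IN extended deny ip 192.0.2.0 255.255.255.0 any
"""

QUAD = r"(?:\d{1,3}\.){3}\d{1,3}"
ADDR_MASK = re.compile(rf"\b({QUAD})\s+({QUAD})\b")


def classify_mask(mask: str) -> str:
    """'netmask' = ones then zeros; 'wildcard' = zeros then ones, or
    non-contiguous; 'ambiguous' = 0.0.0.0 / 255.255.255.255 (fit both)."""
    m = int(ipaddress.IPv4Address(mask))
    inv = m ^ 0xFFFFFFFF
    netmask_shape = (inv & (inv + 1)) == 0   # inverted bits are 0..01..1
    wildcard_shape = (m & (m + 1)) == 0      # bits themselves are 0..01..1
    if netmask_shape and wildcard_shape:
        return "ambiguous"
    return "netmask" if netmask_shape else "wildcard"


def find_wildcard_entries(config: str) -> list[tuple[int, str, str]]:
    """(line_no, mask, line) for access-list lines and object-group members
    whose address/mask pair can only be read as a wildcard mask."""
    hits, in_group = [], False
    for n, line in enumerate(config.splitlines(), 1):
        if line.startswith("object-group"):
            in_group = True
            continue
        if not line.startswith(" "):
            in_group = False
        if not (in_group or line.startswith("access-list")):
            continue
        for _addr, mask in ADDR_MASK.findall(line):
            if classify_mask(mask) == "wildcard":
                hits.append((n, mask, line.strip()))
    return hits


# Check 2: administrative access the converter enabled on every interface.
# Constructed fragment of a converted FortiGate configuration:
FORTIOS_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh http snmp telnet fgfm
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
    edit "dmz"
        set allowaccess ping http
        set role dmz
    next
end
"""

CLEARTEXT = {"http", "telnet"}   # assumed baseline: never leave these on


def audit_allowaccess(config: str, wan_allowed=("ping",)) -> dict[str, list[str]]:
    """interface name -> admin services to remove: anything beyond wan_allowed
    on WAN-role interfaces, plus cleartext services on any interface."""
    flagged, name, services, role = {}, None, [], "undefined"
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "edit":
            name, services, role = parts[1].strip('"'), [], "undefined"
        elif parts[:2] == ["set", "allowaccess"]:
            services = parts[2:]
        elif parts[:2] == ["set", "role"]:
            role = parts[2]
        elif parts[0] == "next" and name:
            bad = {s for s in services if s in CLEARTEXT}
            if role == "wan":
                bad |= {s for s in services if s not in wan_allowed}
            if bad:
                flagged[name] = sorted(bad)
            name = None
    return flagged


if __name__ == "__main__":
    for n, mask, line in find_wildcard_entries(CISCO_CONFIG):
        print(f"Cisco line {n}: wildcard mask {mask} will not convert: {line}")
    for ifname, services in audit_allowaccess(FORTIOS_CONFIG).items():
        print(f"FortiGate {ifname}: remove allowaccess {' '.join(services)}")
```

Run the first check against the original Cisco configuration before conversion and the second against the FortiGate configuration FortiConverter produces. Every wildcard hit is a rule you must re-create by hand, and every flagged interface is a `set allowaccess` line to tighten before the FortiGate goes into service. Masks such as 0.0.0.0 and 255.255.255.255 are reported as ambiguous rather than flagged, because they are valid in both notations.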

Cisco FTD support

Cisco FTD (Firepower Threat Defense) has two engines, and policy is maintained on both:

  1. LINA (layer 4 only)
  2. SNORT (layer 7 inspection)

FortiConverter supports only the LINA component of FTD. SNORT IPS engine rules are not converted and must be re-created on the FortiGate by hand.

NAT support

Software                             Supported NAT types
-----------------------------------  --------------------------------------------------------
PIX, FWSM, ASA (8.2 and earlier)     Dynamic NAT (NAT exemption, policy dynamic NAT, regular)
                                     Static NAT (Static NAT, Static PAT, Identity Static NAT)
ASA (8.3 and later)                  Object NAT (Dynamic, Static)
                                     Twice NAT
IOS                                  Dynamic NAT
                                     Static NAT
FTD (LINA)                           Object NAT (Dynamic, Static)
                                     Twice NAT

FortiConverter doesn't support the following NAT features:

  • Double NAT, Identity NAT, and NAT Exemption

To reduce the number of NAT policies a conversion generates, FortiConverter doesn't convert Static NAT rules in which the real (source) and mapped IP addresses are the same. On FortiGate, source NAT is enabled per firewall policy, so such an identity mapping needs no NAT object; after conversion, confirm that the policies carrying that traffic have NAT disabled.
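The script below, added here as an example and not FortiConverter's own code, lists the ASA 8.3+ / FTD (LINA) NAT statements for which the converter will not produce a FortiGate NAT rule: object NAT whose mapped address equals the real address (given either as an IP or as an object with the same address) and twice NAT with an identity source mapping. The ASA configuration it parses is a constructed sample.

```python
"""Find identity NAT statements in an ASA 8.3+ / FTD (LINA) configuration.
Added example, not FortiConverter code.  ASA_CONFIG is a constructed sample
in object-NAT / twice-NAT syntax."""
import re

ASA_CONFIG = """\
object network SRV_WEB
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
object network SRV_DNS
 host 10.1.1.53
 nat (inside,outside) static 10.1.1.53
object network SRV_NTP_MAPPED
 host 10.1.1.123
object network SRV_NTP
 host 10.1.1.123
 nat (inside,outside) static SRV_NTP_MAPPED
object network LAN
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
object network VPN_POOL
 subnet 10.9.0.0 255.255.0.0
nat (inside,outside) source static LAN LAN destination static VPN_POOL VPN_POOL
nat (inside,outside) source dynamic LAN interface
"""

# Top-level twice NAT: "nat (in,out) [seq] source static REAL MAPPED ..."
TWICE_SRC_STATIC = re.compile(r"^nat \(\S+\) (?:\d+ )?source static (\S+) (\S+)")


def parse_network_objects(config: str) -> dict[str, dict]:
    """Collect 'object network' blocks: real address and static mapped target."""
    objects, cur = {}, None
    for line in config.splitlines():
        parts = line.split()
        if line.startswith("object network ") and len(parts) == 3:
            cur = parts[2]
            objects[cur] = {"addr": None, "static": None}
        elif line.startswith(" ") and cur and parts:
            if parts[0] in ("host", "subnet", "range"):
                objects[cur]["addr"] = parts[1]          # first address of the object
            elif parts[0] == "nat" and "static" in parts:
                objects[cur]["static"] = parts[parts.index("static") + 1]
        else:
            cur = None                                   # any other top-level line ends the block
    return objects


def find_identity_nat(config: str) -> list[tuple[str, str, str]]:
    """('object', name, addr) for object NAT where mapped == real, and
    ('twice', real_obj, mapped_obj) for 'source static X X' twice NAT."""
    objects = parse_network_objects(config)
    findings = []
    for name, obj in objects.items():
        mapped = obj["static"]
        if mapped is None or obj["addr"] is None:
            continue
        # mapped may be a literal IP or the name of another network object
        mapped_addr = objects.get(mapped, {}).get("addr", mapped)
        if mapped_addr == obj["addr"]:
            findings.append(("object", name, obj["addr"]))
    for line in config.splitlines():
        m = TWICE_SRC_STATIC.match(line)
        if m and m.group(1) == m.group(2):
            findings.append(("twice", m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for kind, name, detail in find_identity_nat(ASA_CONFIG):
        print(f"{kind} NAT {name} ({detail}): identity mapping, no FortiGate NAT rule")
```

Each finding is a Cisco rule that will exist only implicitly on the FortiGate, so the list doubles as the checklist for verifying that the matching FortiGate policies (for example the VPN policy behind the LAN-to-VPN_POOL exemption above) are created with NAT disabled.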
