Fortinet white logo
Fortinet white logo

Online Help

Cisco Start options

Cisco Start options

This table lists the start settings.

Setting Description
Profile
Description Enter a description of the configuration.
Output Options
Output Format Select the appropriate output format for your FortiGate device.
FOS Version The configuration syntax is slightly different among FortiOS 6.4, 7.0, 7.2, and 7.4. Select the version that corresponds to the FortiOS version on the target.
Input
Security Context Conversion Enable this option to convert configurations with multiple security contexts.
Source Configuration Select the input file or files. This option only appears if Security Context Conversion is disabled.
System Configuration Select the system configuration file. This file should include interfaces and config file names for each security context. This option only appears if Security Context Conversion is enabled.

Bulk Conversion

If there are many devices to be converted where all of them are the same model, sharing the same interface mapping relationship in conversion, then bulk conversion can convert all of them at once. Collect all the configuration files to be converted, compress them into a ZIP file and use the ZIP file as the input.

Context Configuration(.zip) Select the .zip file containing all the config files. The file name for each context should match the name given in the system configuration file. This option only appears if Security Context Conversion is enabled. Please see example below in Cisco Start options.
Route File (Optional) Select a route file that FortiConverter uses to determine the interfaces used in output policies, in addition to routes it detects in the source configuration. Because Cisco devices apply access-lists to source interfaces, FortiConverter can determine the source interfaces for output policies, but not the destination interfaces. When you specify a route file, FortiConverter uses the information in the file to determine the destination interface.

Target device(Optional)

Target device

Select the model of the target device, or select a device connected to FortiConverter.

Conversion Options
Discard unreferenced firewall objects

Specifies whether addresses, schedules, and services that aren't referenced by a policy are saved and added to the output. This option can be useful if your target device has table size limitations. You can view the unreferenced objects that FortiConverter removed on the Tuning page.

Increase Address and Service Table Sizes for High-End Models You can customize the maximum table sizes that FortiConverter uses when Increase Address and Service Table Sizes for High-End Models is selected. For more information, see Adjusting table sizes
Automatically generate policy interfaces Specifies whether FortiConverter automatically generates policy interfaces.
Route-based IPSec Specifies whether Route-based IPSec is used for this conversion.

Suppress auto grouped items from Cisco ASDM/CSM

When an ACL contains multiple objects in its source address, destination address or service field, Cisco ASDM and CSM may automatically group them in to a group object because Cisco ASA only allows single object in each field. This option expands the grouped objects after conversion.

Combine expanded multi-object policies

When an ACL contains multiple objects in its source address, destination address or service field, Cisco CSM may expand the ACL into equivalent multiple ACLs because Cisco ASA only allows single object in each field. This option combines those ACLs into the original one automatically.

Combine policies generated by NAT merge

FortiConverter may generate multiple NAT policies after merging NAT rules into ACLs. This option combines and simplifies the output policies.

Split Address group From VPN Phase2 selector

If the remote side of VPN is not a FortiGate but a device of other vendor, setting an address group in the VPN phase2 quick selector does not work. When this option is enabled, a VPN phase2 object with an address group in the selector would be split into multiple objects with subnet or a range in selector.

Add default "accept all" rules from high to low security level interfaces

In Cisco firewalls, traffic from high security level interfaces to lower security level interfaces is allowed by default. Enable this option to create rules to allow this kind of traffic when no access list is specified.

Policy index start from 1 instead of 10000

When selected, the serial number of firewall policies will start from 1 instead of 10000.

NGFW policy-based mode

When selected, the conversion will be in NGFW policy-based mode.

"firewall policy" will become "firewall security-policy" instead, and "set application 00000" will be generated in policies, which requires manual processing. There will also be some other minor differences adapted for the NGFW policy-based CLI.

Collect unreferenced access lists

FortiConverter typically converts those Cisco access lists which are referenced by access groups into firewall policies. However, sometimes access lists are configured on the authentication server side and would not have explicit reference in the config file, so they would not be converted. After enabling this option, FortiConverter would collect those access lists which are not reference by any part of the config, and list them in the context selection page. Users can select those access lists and convert them into firewall policies.

Enable send-deny-packet for resetoutside

When this option is enabled and config line "service resetoutside" is present in the config file, the policies with "deny" will have "send-deny-packet" enabled.

Generate SNAT when mapped IP linked to multiple external IPs in VIP rules

When same mapped IP is repeating in multiple VIP rules, but the external IP used in those rules are different. If "set nat-source-vip enable" has been added in those rules. After enabling this option, FortiConverter would create SNAT rules from those VIP rules and remove "set nat-source-vip enable".

Comment Options
Address comment Specifies whether FortiConverter copies the address comment from the source configuration to the converted FortiGate address.
Interface comment Specifies whether FortiConverter copies the interface comment from the source configuration to the converted FortiGate address.
Service comment Specifies whether FortiConverter copies the service comment from the source configuration to the converted FortiGate address.

Policy comment - Add policy package name and rule number

Specifies whether FortiConverter includes the input configuration lines used for each FortiGate policy in the FortiGate configuration as a policy comment.

Policy comment - Preserve the original comment

Include the original comment in source file in the comment of the output policy.

NAT Merge Options
Ignore firewall policies with all or any addresses when processing NAT rules

Specifies whether FortiConverter ignores firewall policies with an "all" or "any" address when it merges a NAT rule and a firewall policy to create a FortiGate NAT policy.

FortiConverter creates new policies in the output configuration based on where NAT rules to firewall policies intersect. Because firewall policies that use "all" or "any" as the address create many intersections, Fortinet recommends that you ignore them.

Enable central NAT merge Specifies whether FortiConverter converts NATs to FortiConverter central NATs instead of policy-based NATs.

Convert Static NATs into VIP/Central NAT pairs

When this option is enabled, a static NAT rule would be converted into a central SNAT rule and an unidirectional VIP object. Otherwise it would be converted into a bidirectional VIP object

NAT Merge Depth
Mode Specify the source version number. This option is available only when Model is ASA.
NAT exemption

Specifies which types of NAT FortiConverter merges with the output firewall policies, or whether FortiConverter performs NAT merge based on object names or values.

  • Object Name MatchFortiConverter performs NAT merge based on matching address names in firewall policies and NAT rules.
  • Object Content OverlapFortiConverter performs NAT merge based on matching address values in firewall policies and NAT rules. It generates the most accurate matching of NAT rules and policies, but in most cases, it also generates more NAT policies.

Because it can take FortiConverter several hours to complete a conversion that include a large number of NAT rules, Fortinet recommends that you turn off or limit NAT merge for your initial conversion. Then, resolve any issues with the conversion before you run it again with NAT merge enabled. For more information, including sample matches, see NAT merge options.

Dynamic NAT
Static NAT
Dynamic ACL NAT
Static ACL NAT

Object Dynamic NAT

Object Static NAT

Twice Dynamic NAT

Twice Static NAT

Static ACL NAT

Cisco Start options

Cisco Start options

This table lists the start settings.

Setting Description
Profile
Description Enter a description of the configuration.
Output Options
Output Format Select the appropriate output format for your FortiGate device.
FOS Version The configuration syntax is slightly different among FortiOS 6.4, 7.0, 7.2, and 7.4. Select the version that corresponds to the FortiOS version on the target.
Input
Security Context Conversion Enable this option to convert configurations with multiple security contexts.
Source Configuration Select the input file or files. This option only appears if Security Context Conversion is disabled.
System Configuration Select the system configuration file. This file should include interfaces and config file names for each security context. This option only appears if Security Context Conversion is enabled.

Bulk Conversion

If there are many devices to be converted where all of them are the same model, sharing the same interface mapping relationship in conversion, then bulk conversion can convert all of them at once. Collect all the configuration files to be converted, compress them into a ZIP file and use the ZIP file as the input.

Context Configuration(.zip) Select the .zip file containing all the config files. The file name for each context should match the name given in the system configuration file. This option only appears if Security Context Conversion is enabled. Please see example below in Cisco Start options.
Route File (Optional) Select a route file that FortiConverter uses to determine the interfaces used in output policies, in addition to routes it detects in the source configuration. Because Cisco devices apply access-lists to source interfaces, FortiConverter can determine the source interfaces for output policies, but not the destination interfaces. When you specify a route file, FortiConverter uses the information in the file to determine the destination interface.

Target device(Optional)

Target device

Select the model of the target device, or select a device connected to FortiConverter.

Conversion Options
Discard unreferenced firewall objects

Specifies whether addresses, schedules, and services that aren't referenced by a policy are saved and added to the output. This option can be useful if your target device has table size limitations. You can view the unreferenced objects that FortiConverter removed on the Tuning page.

Increase Address and Service Table Sizes for High-End Models You can customize the maximum table sizes that FortiConverter uses when Increase Address and Service Table Sizes for High-End Models is selected. For more information, see Adjusting table sizes
Automatically generate policy interfaces Specifies whether FortiConverter automatically generates policy interfaces.
Route-based IPSec Specifies whether Route-based IPSec is used for this conversion.

Suppress auto grouped items from Cisco ASDM/CSM

When an ACL contains multiple objects in its source address, destination address or service field, Cisco ASDM and CSM may automatically group them in to a group object because Cisco ASA only allows single object in each field. This option expands the grouped objects after conversion.

Combine expanded multi-object policies

When an ACL contains multiple objects in its source address, destination address or service field, Cisco CSM may expand the ACL into equivalent multiple ACLs because Cisco ASA only allows single object in each field. This option combines those ACLs into the original one automatically.

Combine policies generated by NAT merge

FortiConverter may generate multiple NAT policies after merging NAT rules into ACLs. This option combines and simplifies the output policies.

Split Address group From VPN Phase2 selector

If the remote side of VPN is not a FortiGate but a device of other vendor, setting an address group in the VPN phase2 quick selector does not work. When this option is enabled, a VPN phase2 object with an address group in the selector would be split into multiple objects with subnet or a range in selector.

Add default "accept all" rules from high to low security level interfaces

In Cisco firewalls, traffic from high security level interfaces to lower security level interfaces is allowed by default. Enable this option to create rules to allow this kind of traffic when no access list is specified.

Policy index start from 1 instead of 10000

When selected, the serial number of firewall policies will start from 1 instead of 10000.

NGFW policy-based mode

When selected, the conversion will be in NGFW policy-based mode.

"firewall policy" will become "firewall security-policy" instead, and "set application 00000" will be generated in policies, which requires manual processing. There will also be some other minor differences adapted for the NGFW policy-based CLI.

Collect unreferenced access lists

FortiConverter typically converts those Cisco access lists which are referenced by access groups into firewall policies. However, sometimes access lists are configured on the authentication server side and would not have explicit reference in the config file, so they would not be converted. After enabling this option, FortiConverter would collect those access lists which are not reference by any part of the config, and list them in the context selection page. Users can select those access lists and convert them into firewall policies.

Enable send-deny-packet for resetoutside

When this option is enabled and config line "service resetoutside" is present in the config file, the policies with "deny" will have "send-deny-packet" enabled.

Generate SNAT when mapped IP linked to multiple external IPs in VIP rules

When same mapped IP is repeating in multiple VIP rules, but the external IP used in those rules are different. If "set nat-source-vip enable" has been added in those rules. After enabling this option, FortiConverter would create SNAT rules from those VIP rules and remove "set nat-source-vip enable".

Comment Options
Address comment Specifies whether FortiConverter copies the address comment from the source configuration to the converted FortiGate address.
Interface comment Specifies whether FortiConverter copies the interface comment from the source configuration to the converted FortiGate address.
Service comment Specifies whether FortiConverter copies the service comment from the source configuration to the converted FortiGate address.

Policy comment - Add policy package name and rule number

Specifies whether FortiConverter includes the input configuration lines used for each FortiGate policy in the FortiGate configuration as a policy comment.

Policy comment - Preserve the original comment

Include the original comment in source file in the comment of the output policy.

NAT Merge Options
Ignore firewall policies with all or any addresses when processing NAT rules

Specifies whether FortiConverter ignores firewall policies with an "all" or "any" address when it merges a NAT rule and a firewall policy to create a FortiGate NAT policy.

FortiConverter creates new policies in the output configuration based on where NAT rules to firewall policies intersect. Because firewall policies that use "all" or "any" as the address create many intersections, Fortinet recommends that you ignore them.

Enable central NAT merge Specifies whether FortiConverter converts NATs to FortiConverter central NATs instead of policy-based NATs.

Convert Static NATs into VIP/Central NAT pairs

When this option is enabled, a static NAT rule would be converted into a central SNAT rule and an unidirectional VIP object. Otherwise it would be converted into a bidirectional VIP object

NAT Merge Depth
Mode Specify the source version number. This option is available only when Model is ASA.
NAT exemption

Specifies which types of NAT FortiConverter merges with the output firewall policies, or whether FortiConverter performs NAT merge based on object names or values.

  • Object Name MatchFortiConverter performs NAT merge based on matching address names in firewall policies and NAT rules.
  • Object Content OverlapFortiConverter performs NAT merge based on matching address values in firewall policies and NAT rules. It generates the most accurate matching of NAT rules and policies, but in most cases, it also generates more NAT policies.

Because it can take FortiConverter several hours to complete a conversion that include a large number of NAT rules, Fortinet recommends that you turn off or limit NAT merge for your initial conversion. Then, resolve any issues with the conversion before you run it again with NAT merge enabled. For more information, including sample matches, see NAT merge options.

Dynamic NAT
Static NAT
Dynamic ACL NAT
Static ACL NAT

Object Dynamic NAT

Object Static NAT

Twice Dynamic NAT

Twice Static NAT

Static ACL NAT