Cisco Start options

This table lists the start settings.

Profile

Description: Enter a description of the configuration.

Output Options

Output Format: Select the appropriate output format for your FortiGate device.

FOS Version: The configuration syntax is slightly different among FortiOS 6.4, 7.0, 7.2, and 7.4. Select the version that corresponds to the FortiOS version on the target.

Input

Security Context Conversion: Enable this option to convert configurations with multiple security contexts.

Source Configuration: Select the input file or files. This option only appears if Security Context Conversion is disabled.

System Configuration: Select the system configuration file. This file should include the interfaces and the config file name for each security context. This option only appears if Security Context Conversion is enabled.

Bulk Conversion

If many devices of the same model need to be converted and they share the same interface mapping, bulk conversion can convert all of them at once. Collect all the configuration files to be converted, compress them into a ZIP file, and use the ZIP file as the input.

Context Configuration (.zip): Select the .zip file containing all the config files. The file name for each context should match the name given in the system configuration file. This option only appears if Security Context Conversion is enabled. Please see example below in Cisco Start options.

Route File (Optional): Select a route file that FortiConverter uses to determine the interfaces used in output policies, in addition to the routes it detects in the source configuration. Because Cisco devices apply access-lists to source interfaces, FortiConverter can determine the source interfaces for output policies, but not the destination interfaces. When you specify a route file, FortiConverter uses the information in the file to determine the destination interface.
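As an added illustration of how a route file lets the destination interface be filled in (example code written for this page, not FortiConverter's own logic): the script assumes a route file in Cisco ASA `route <interface> <network> <netmask> <gateway> [metric]` syntax plus a few constructed policies whose source interface is already known, and resolves each policy's destination interface by longest-prefix match, falling back to any when no route covers the destination.

```python
import ipaddress

# Constructed route file (hypothetical sample, not a real device's routes). The
# line layout assumed here is Cisco ASA's "route <ifname> <network> <mask> <gateway> [metric]".
ROUTE_FILE = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 10.1.1.254 1
route dmz 192.168.50.0 255.255.255.0 10.2.2.254 1
"""

# Constructed policies as they stand after the ACLs are read: the source interface
# is known from the access-group binding, the destination interface is not yet known.
POLICIES = [
    {"name": "inside_to_web", "srcintf": "inside", "dst": "192.168.50.10"},
    {"name": "inside_to_internet", "srcintf": "inside", "dst": "198.51.100.7"},
    {"name": "dmz_to_core", "srcintf": "dmz", "dst": "10.20.30.40"},
]


def parse_routes(text):
    """Return (network, interface) pairs; lines that are not route statements are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        ifname, network, mask = parts[1], parts[2], parts[3]
        routes.append((ipaddress.ip_network(f"{network}/{mask}", strict=False), ifname))
    return routes


def resolve_dstintf(dst, routes):
    """Longest-prefix match, the same choice the forwarding table makes.

    Returns "any" when no route covers the destination; that permissive fallback is
    the thing to review in the converted policy set.
    """
    best = None
    for network, ifname in routes:
        if ipaddress.ip_address(dst) in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, ifname)
    return best[1] if best else "any"


def fill_dstintf(policies, routes):
    """Attach a dstintf to every policy without modifying the input list."""
    return [dict(p, dstintf=resolve_dstintf(p["dst"], routes)) for p in policies]


if __name__ == "__main__":
    for p in fill_dstintf(POLICIES, parse_routes(ROUTE_FILE)):
        print(f'{p["name"]}: {p["srcintf"]} -> {p["dstintf"]}')
```

The 192.168.50.10 destination matches both the default route and the /24 on dmz; the more specific route wins, as on the device itself.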

Target device (Optional)

Target device: Select the model of the target device, or select a device connected to FortiConverter.

Conversion Options
Discard unreferenced firewall objects

Specifies whether addresses, schedules, and services that aren't referenced by a policy are saved and added to the output. This option can be useful if your target device has table size limitations. You can view the unreferenced objects that FortiConverter removed on the Tuning page.

Increase Address and Service Table Sizes for High-End Models: You can customize the maximum table sizes that FortiConverter uses when this option is selected. For more information, see Adjusting table sizes.

Automatically generate policy interfaces: Specifies whether FortiConverter automatically generates policy interfaces.

Route-based IPSec: Specifies whether Route-based IPSec is used for this conversion.

Suppress auto grouped items from Cisco ASDM/CSM

When an ACL contains multiple objects in its source address, destination address or service field, Cisco ASDM and CSM may automatically group them into a group object, because Cisco ASA only allows a single object in each field. This option expands the grouped objects after conversion.

Combine expanded multi-object policies

When an ACL contains multiple objects in its source address, destination address or service field, Cisco CSM may expand the ACL into multiple equivalent ACLs, because Cisco ASA only allows a single object in each field. This option automatically combines those ACLs back into the original one.

Combine policies generated by NAT merge

FortiConverter may generate multiple NAT policies after merging NAT rules into ACLs. This option combines and simplifies the output policies.

Split Address group From VPN Phase2 selector

If the remote side of the VPN is not a FortiGate but a device from another vendor, setting an address group in the VPN phase 2 quick selector does not work. When this option is enabled, a VPN phase 2 object with an address group in its selector is split into multiple objects, each with a subnet or a range in the selector.

Add default "accept all" rules from high to low security level interfaces

In Cisco firewalls, traffic from high security level interfaces to lower security level interfaces is allowed by default. Enable this option to create rules to allow this kind of traffic when no access list is specified.

Policy index start from 1 instead of 10000

When selected, the serial number of firewall policies will start from 1 instead of 10000.

NGFW policy-based mode

When selected, the conversion will be in NGFW policy-based mode.

"firewall policy" becomes "firewall security-policy" instead, and "set application 00000" is generated in policies, which requires manual processing. There are also some other minor differences adapted to the NGFW policy-based CLI.

Collect unreferenced access lists

FortiConverter typically converts only the Cisco access lists that are referenced by access groups into firewall policies. However, access lists are sometimes configured on the authentication server side and have no explicit reference in the config file, so they would not be converted. When this option is enabled, FortiConverter collects the access lists that are not referenced by any part of the config and lists them on the context selection page. Users can select those access lists and convert them into firewall policies.

Enable send-deny-packet for resetoutside

When this option is enabled and config line "service resetoutside" is present in the config file, the policies with "deny" will have "send-deny-packet" enabled.

Generate SNAT when mapped IP linked to multiple external IPs in VIP rules

When the same mapped IP appears in multiple VIP rules but the external IPs used in those rules differ, "set nat-source-vip enable" is added to those rules. When this option is enabled, FortiConverter instead creates SNAT rules from those VIP rules and removes "set nat-source-vip enable".

Comment Options

Address comment: Specifies whether FortiConverter copies the address comment from the source configuration to the converted FortiGate address.

Interface comment: Specifies whether FortiConverter copies the interface comment from the source configuration to the converted FortiGate address.

Service comment: Specifies whether FortiConverter copies the service comment from the source configuration to the converted FortiGate address.

Policy comment - Add policy package name and rule number

Specifies whether FortiConverter includes the input configuration lines used for each FortiGate policy in the FortiGate configuration as a policy comment.

Policy comment - Preserve the original comment

Include the original comment from the source file in the comment of the output policy.

NAT Merge Options
Ignore firewall policies with all or any addresses when processing NAT rules

Specifies whether FortiConverter ignores firewall policies with an "all" or "any" address when it merges a NAT rule and a firewall policy to create a FortiGate NAT policy.

FortiConverter creates new policies in the output configuration based on where NAT rules and firewall policies intersect. Because firewall policies that use "all" or "any" as the address create many intersections, Fortinet recommends that you ignore them.

Enable central NAT merge: Specifies whether FortiConverter converts NATs to FortiConverter central NATs instead of policy-based NATs.

Convert Static NATs into VIP/Central NAT pairs

When this option is enabled, a static NAT rule is converted into a central SNAT rule and a unidirectional VIP object. Otherwise it is converted into a bidirectional VIP object.

NAT Merge Depth

Mode: Specify the source version number. This option is available only when Model is ASA.
NAT exemption

Specifies which types of NAT FortiConverter merges with the output firewall policies, or whether FortiConverter performs NAT merge based on object names or values.

  • Object Name Match: FortiConverter performs NAT merge based on matching address names in firewall policies and NAT rules.
  • Object Content Overlap: FortiConverter performs NAT merge based on matching address values in firewall policies and NAT rules. It generates the most accurate matching of NAT rules and policies, but in most cases it also generates more NAT policies.

Because it can take FortiConverter several hours to complete a conversion that includes a large number of NAT rules, Fortinet recommends that you turn off or limit NAT merge for your initial conversion. Then, resolve any issues with the conversion before you run it again with NAT merge enabled. For more information, including sample matches, see NAT merge options.

  • Dynamic NAT
  • Static NAT
  • Dynamic ACL NAT
  • Static ACL NAT

  • Object Dynamic NAT
  • Object Static NAT
  • Twice Dynamic NAT
  • Twice Static NAT
  • Static ACL NAT
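As an added illustration of the two NAT merge modes described under NAT Merge Depth (a simplified Python model written for this page, not FortiConverter's own algorithm): on constructed address objects, ACL-derived policies and object-NAT rules, Object Name Match pairs a policy with a NAT rule only when the policy's source object is the rule's real object by name, while Object Content Overlap pairs them whenever the address ranges intersect, so it also catches the same subnet under a second name and every "any" policy, which is why the ignore option exists; the `ignore_any` flag stands in for that option.

```python
import ipaddress

# Constructed address objects, ACL-derived policies and object-NAT rules
# (hypothetical sample data, not taken from any real configuration).
OBJECTS = {
    "NET_LAN": "10.1.0.0/16",
    "NET_LAN_DUP": "10.1.0.0/16",  # the same subnet under a second name
    "SRV_WEB": "10.1.1.10/32",
    "NET_DMZ": "192.168.50.0/24",
    "any": "0.0.0.0/0",
}
POLICIES = [
    {"id": 1, "src": "NET_LAN", "dst": "NET_DMZ"},
    {"id": 2, "src": "NET_LAN_DUP", "dst": "NET_DMZ"},
    {"id": 3, "src": "SRV_WEB", "dst": "NET_DMZ"},
    {"id": 4, "src": "any", "dst": "any"},  # the kind of policy the ignore option drops
]
NAT_RULES = [
    {"id": "nat_lan", "real": "NET_LAN", "mapped": "203.0.113.5"},
    {"id": "nat_web", "real": "SRV_WEB", "mapped": "203.0.113.10"},
]


def net(name):
    return ipaddress.ip_network(OBJECTS[name])


def intersection(a, b):
    """Two CIDR blocks that overlap always nest, so the smaller block is their intersection."""
    return a if a.subnet_of(b) else b


def merge(policies, nat_rules, mode, ignore_any=False):
    """Return (policy id, NAT id, merged source range) triples, one per output NAT policy.

    mode="name":    Object Name Match, the policy source object is the NAT rule's real object.
    mode="content": Object Content Overlap, the address ranges intersect whatever the names.
    """
    merged = []
    for p in policies:
        if ignore_any and "any" in (p["src"], p["dst"]):
            continue  # skip the all/any policies that would intersect with every NAT rule
        for n in nat_rules:
            if mode == "name":
                if p["src"] == n["real"]:
                    merged.append((p["id"], n["id"], str(net(n["real"]))))
            elif mode == "content":
                a, b = net(p["src"]), net(n["real"])
                if a.overlaps(b):
                    merged.append((p["id"], n["id"], str(intersection(a, b))))
            else:
                raise ValueError(f"unknown mode {mode!r}")
    return merged
```

On this data name matching yields 2 output NAT policies and content overlap yields 8, of which the 2 from the all/any policy disappear when `ignore_any` is set.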