Cisco Conversions
Cisco differences
General
- FortiGate's `set allowaccess` interface setting has no equivalent on Cisco firewalls. Because FortiGate requires this setting, FortiConverter enables all administrative access services on every converted interface by default. Review and restrict allowaccess on each interface after conversion, since the default exposes management services on interfaces that did not offer them on the Cisco device.
- The suffix "_conflict" is appended to a service name when a service and a service group would otherwise share the same name. It is recommended that you rename these objects.
- On Cisco IPsec VPNs, Phase 1 (ISAKMP) supports more than two authentication methods. FortiGate supports only two: pre-share and rsa-sig. Therefore, you must assign an authentication method for each VPN connection. The wizard converts Cisco EZVPN configuration to FortiGate VPN policies with the srcintf "<tunnel-interface-name>" (i.e. the phase1-interface object name) and dstintf "any".
- FortiConverter doesn't support the following Cisco configuration elements:
- Wildcard netmasks for access-list and object-group objects
Cisco FTD support
Cisco FTD (Firepower Threat Defense) has two modules and maintains policies on both of them:
- LINA (layer 4 only)
- Snort (layer 7 inspection)
FortiConverter supports only the LINA component of FTD; it does not convert Snort IPS engine rules.
NAT support
Software | Supported NAT types
--- | ---
PIX, FWSM, ASA (8.2 and earlier) | Dynamic NAT (NAT exemption, policy dynamic NAT, regular); Static NAT (Static NAT, Static PAT, Identity Static NAT)
ASA (8.3 and later) | Object NAT (Dynamic, Static); Twice NAT
IOS | Dynamic NAT; Static NAT
FTD (LINA) | Object NAT (Dynamic, Static); Twice NAT
FortiConverter doesn't support the following NAT features:
- Double NAT, Identity NAT, and NAT Exemption
To reduce the number of NAT policies a conversion generates, FortiConverter doesn't convert Static NAT rules in which the real (source) IP and the mapped IP are the same.
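Because identity static NAT rules are silently left out of the conversion, a migration engineer usually wants a list of them before comparing the Cisco and FortiGate rule sets. The following script is an added example, not part of FortiConverter or this documentation: it parses ASA 8.3+ object NAT syntax (`object network`, `host`, `subnet`, and `nat (real,mapped) static|dynamic ...`) from a constructed sample configuration and reports the static rules whose real and mapped addresses match. The sample follows the running-config layout in which the `nat` line appears in a second `object network` block after the object definition; the object names and addresses are invented for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of an ASA 8.3+ running configuration (not from any real device).
# As in "show running-config", the object definitions come first and the object NAT
# lines reappear later in their own "object network" blocks.
SAMPLE_ASA_CONFIG = """\
object network web-srv
 host 10.1.1.10
object network db-srv
 host 10.1.1.20
object network lan-net
 subnet 10.1.0.0 255.255.0.0
object network dmz-net
 subnet 10.2.0.0 255.255.0.0
object network dmz-net-mapped
 subnet 10.2.0.0 255.255.0.0
!
object network web-srv
 nat (inside,outside) static 203.0.113.10
object network db-srv
 nat (inside,outside) static 10.1.1.20
object network lan-net
 nat (inside,outside) dynamic interface
object network dmz-net
 nat (dmz,outside) static dmz-net-mapped
"""

OBJECT_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)$")
NAT_RE = re.compile(r"^\s+nat \((\S+),(\S+)\) (static|dynamic) (\S+)")


@dataclass
class NetworkObject:
    name: str
    real: Optional[str] = None                  # real address: "10.1.1.10" or "10.2.0.0 255.255.0.0"
    nat_type: Optional[str] = None              # "static" or "dynamic", if the object carries a NAT rule
    mapped: Optional[str] = None                # mapped IP/network or the name of another network object
    interfaces: Optional[Tuple[str, str]] = None  # (real_ifc, mapped_ifc)


def parse_objects(config: str) -> Dict[str, NetworkObject]:
    """Collect network objects; a re-opened block (e.g. the later NAT block) updates the same object."""
    objects: Dict[str, NetworkObject] = {}
    current: Optional[NetworkObject] = None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = objects.setdefault(m.group(1), NetworkObject(m.group(1)))
            continue
        if current is None or not line.startswith(" "):
            current = None  # any unindented line ends the block
            continue
        if m := HOST_RE.match(line):
            current.real = m.group(1)
        elif m := SUBNET_RE.match(line):
            current.real = f"{m.group(1)} {m.group(2)}"
        elif m := NAT_RE.match(line):
            current.interfaces = (m.group(1), m.group(2))
            current.nat_type = m.group(3)
            current.mapped = m.group(4)
    return objects


def mapped_address(obj: NetworkObject, objects: Dict[str, NetworkObject]) -> Optional[str]:
    """Return the mapped network address, following a reference to another object if needed."""
    if obj.mapped in objects:
        real = objects[obj.mapped].real
        return real.split()[0] if real else None
    return obj.mapped


def find_identity_static_nat(config: str) -> List[str]:
    """Names of objects whose static NAT maps the real address to itself (skipped by the conversion)."""
    objects = parse_objects(config)
    skipped = []
    for obj in objects.values():
        if obj.nat_type != "static" or obj.real is None:
            continue
        # Compare the network address only; an object NAT static mapping keeps the real mask.
        if mapped_address(obj, objects) == obj.real.split()[0]:
            skipped.append(obj.name)
    return sorted(skipped)


if __name__ == "__main__":
    for name in find_identity_static_nat(SAMPLE_ASA_CONFIG):
        print(f"identity static NAT not converted: object network {name}")
```

Run it against an exported `show running-config` to get the list of objects that need a manual decision (keep as identity NAT on FortiGate, or drop them deliberately); `web-srv` is a real translation and is not reported, while `db-srv` and `dmz-net` map to their own addresses and are.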