Juniper Start options

This table lists the start settings.

Setting Description
Profile
Description Enter a description of the configuration.
Output Options
Output Format Select the appropriate output for your target Fortinet device.
FOS Version The configuration syntax is slightly different among FortiOS 6.4, 7.0, 7.2, and 7.4. Select the version that corresponds to the FortiOS version on the target.
Input
Source Configuration Select the input file or files.

Bulk Conversion

If you need to convert many devices that are all the same model and share the same interface mapping, bulk conversion can convert them all at once. Collect all the configuration files to be converted, compress them into a ZIP file, and use the ZIP file as the input.

Conversion Options
Discard unreferenced firewall objects Specifies whether addresses, schedules, and services that aren't referenced by a policy are saved and added to the output. This option can be useful if your target device has table size limitations. You can view the unreferenced objects that FortiConverter removed on the Tuning page.
Increase Address and Service Table Sizes for High-End Models You can customize the maximum table sizes that FortiConverter uses when Adjust table sizes is selected. For more information, see Adjusting table sizes.
Route-based IPSec Specifies whether Route-based IPSec is used for this conversion.

Convert virtual router into FOS virtual domain

FortiOS doesn't have a feature that corresponds to the virtual router in Juniper SRX, but a virtual router can be converted into an independent VDOM in FortiOS. When this option is enabled, each virtual router is converted into a VDOM.

Enable consolidated policy mode

Enable consolidated mode in FortiOS and convert security rules into consolidated policies which are able to reference both IPv4 and IPv6 addresses in a single policy.

Use Zone name instead of number to distinguish duplicate address names (SRX only)

Juniper SRX may have multiple address objects with the same name but tied to different zones. When this option is enabled, duplicate address names are converted to origname_zonename. When disabled, they are converted to origname_1, origname_2, and so on.

Enable consolidated policy mode

(Only available for FortiOS 6.2 conversions) Enable consolidated mode in FortiOS and convert security rules into consolidated policies which are able to reference both IPv4 and IPv6 addresses in a single policy.

Migrate VIP src-filter into policy src-addr

When this option is enabled, a policy that uses VIPs as destinations uses the source filter of those VIPs as its source addresses.

Set src/dst interfaces to "any" in policies

When this option is enabled, the source and destination interfaces of all policies are set to "any".

Set extintf to "any" under "config firewall vip"

When selected, the extintf value of every VIP is set to "any". Only available when central NAT mode is enabled.
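The two "any" options above widen every converted policy and VIP, so the output is worth reviewing before it is loaded on the target. The following is an added example, not FortiConverter code: it parses a constructed sample in FortiOS CLI syntax and lists the policies and VIPs whose interfaces are "any". The `parse` and `audit` helpers and all object names in the sample are hypothetical.

```python
import shlex

# Constructed sample of converted output (FortiOS CLI syntax, not from a real device).
SAMPLE = """\
config firewall policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "vip-web"
    next
    edit 2
        set srcintf "port2"
        set dstintf "port1"
        set dstaddr "all"
    next
end
config firewall vip
    edit "vip-web"
        set extintf "any"
    next
end
"""

def parse(text):  # flat config/edit/set blocks -> {section: {entry: {key: [values]}}}
    cfg, section, entry = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            section = cfg.setdefault(line[7:], {})
        elif line.startswith("edit ") and section is not None:
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[4:].partition(" ")
            entry[key] = shlex.split(rest)  # handles quoted and bare values
        elif line in ("next", "end"):
            entry = None
    return cfg

def audit(text):
    """List objects widened to "any"; "all" addresses count only on such policies."""
    cfg, findings = parse(text), []
    for pid, p in cfg.get("firewall policy", {}).items():
        wide = [k for k in ("srcintf", "dstintf") if "any" in p.get(k, [])]
        wide += [k for k in ("srcaddr", "dstaddr") if wide and "all" in p.get(k, [])]
        if wide:
            findings.append(("policy", pid, wide))
    for vid, v in cfg.get("firewall vip", {}).items():
        if "any" in v.get("extintf", []):
            findings.append(("vip", vid, ["extintf"]))
    return findings
```

Policy 2 in the sample is not reported: it uses an "all" address but keeps its specific interfaces. The parser handles only flat config/edit/set blocks, not nested `config` sections.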

Target device (Optional)

Target device

Select the model of the target device, or select a device connected to FortiConverter.

Comment Options
Include input configuration lines for each output policy Specifies whether FortiConverter includes the input configuration lines used for each FortiGate policy in the FortiGate configuration as a policy comment.
Interface Comment Specifies whether FortiConverter copies the interface comment from the source configuration to the mapped FortiGate interface.
Address Comment Specifies whether FortiConverter copies the address comment from the source configuration to the converted FortiGate address.
Service Comment Specifies whether FortiConverter copies the service comment from the source configuration to the converted FortiGate service.
Rule comment Specifies whether FortiConverter copies the security rule comment from the source configuration to the converted FortiGate service.

Rule annotated comment (SRX only)

Specifies whether FortiConverter copies the annotated lines in rules from the source configuration to converted FortiGate policies.

NAT Merge Options

Ignore firewall policies with all or any addresses when processing NAT rules

(SRX only)

Specifies whether FortiConverter ignores firewall policies with an "all" or "any" address when it merges a NAT rule and a firewall policy to create a FortiGate NAT policy.

FortiConverter creates new policies in the output configuration based on where NAT rules and firewall policies intersect. Because firewall policies that use "all" or "any" as the address create many intersections, Fortinet recommends that you ignore them.

Enable Central NAT merge Specifies whether FortiConverter converts NATs to FortiGate central NATs instead of policy-based NATs.

Convert Static NATs into VIP/source NAT pair

When this option is enabled (in policy NAT mode only), a static NAT rule is converted into a central SNAT rule and a unidirectional VIP object. Otherwise, it is converted into a bidirectional VIP object.

NAT Merge Depth (SRX only)
Source NAT

Specifies which types of NAT FortiConverter merges with the output firewall policies, or whether FortiConverter performs NAT merge based on object names or values.

  • Off – FortiConverter converts firewall policies only and doesn't perform NAT merge for this type of NAT. This is useful for performing a quick, initial conversion to discover any conversion issues.
  • Object Names – FortiConverter performs NAT merge based on matching address names in firewall policies and NAT rules.
  • Object Values – FortiConverter performs NAT merge based on matching address values in firewall policies and NAT rules. It generates the most accurate matching of NAT rules and policies, but in most cases, it also generates more NAT policies.

Because it can take FortiConverter several hours to complete a conversion that includes a large number of NAT rules, Fortinet recommends that you turn off or limit NAT merge for your initial conversion. Then, resolve any issues with the conversion before you run it again with NAT merge enabled. For more information, including example matches, see NAT merge options.

Static NAT
Destination NAT
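A simplified model of the three NAT merge depth settings described above, as an added example that is not FortiConverter's code or algorithm. It assumes a "value" match means the subnets behind two address objects overlap; the object names, rule ids, and the `merge_pairs` helper are constructed for illustration.

```python
from ipaddress import ip_network

# Constructed address objects: two names for the same subnet, plus a host
# object that sits inside a differently named subnet object.
ADDRESSES = {
    "lan-users": "10.1.0.0/24",
    "nat-src-lan": "10.1.0.0/24",
    "dmz-web": "10.2.0.0/24",
    "dmz-host": "10.2.0.10/32",
}
POLICIES = {"p1": "lan-users", "p2": "dmz-web", "p3": "nat-src-lan"}  # policy -> source address
NAT_RULES = {"n1": "nat-src-lan", "n2": "dmz-host"}  # NAT rule -> source match

def merge_pairs(mode):
    """Return sorted (policy, nat_rule) pairs that this model would merge."""
    if mode == "off":
        return []  # policies are converted alone, no NAT merge
    pairs = []
    for pol, paddr in POLICIES.items():
        for nat, naddr in NAT_RULES.items():
            if mode == "names":
                hit = paddr == naddr  # same object name only
            else:  # "values": compare the subnets behind the names (assumed: overlap)
                hit = ip_network(ADDRESSES[paddr]).overlaps(ip_network(ADDRESSES[naddr]))
            if hit:
                pairs.append((pol, nat))
    return sorted(pairs)
```

Name matching finds one pair here and value matching finds three, which illustrates why Object Values yields more NAT policies to review after conversion.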