Palo Alto Start options

This table lists the start settings.

Setting Description
Profile

Description

Enter a description of the configuration.

Output Options

Output Format

Select the appropriate output for your target Fortinet device.

FOS Version

The configuration syntax is slightly different among FortiOS 6.4, 7.0, 7.2, and 7.4. Select the version that corresponds to the FortiOS version on the target.

Input

Source Configuration

Select the input file.

Bulk Conversion

If many devices of the same model are to be converted and they all share the same interface mapping, bulk conversion can convert all of them at once. Collect all the configuration files to be converted, compress them into a ZIP file, and use the ZIP file as the input.

Panorama Configuration (optional)

Upload the Panorama configuration to be converted together with the device configuration.

Application Default Services Table (CSV format) (optional)

Select the application default services table in CSV format. This file should include the PAN application names and standard ports information. FortiConverter uses the information in the file to convert PAN application names to FortiGate service names.

Target device (Optional)

Target device

Select the model of the target device, or select a device connected to FortiConverter.

Conversion Options

Discard unreferenced firewall objects

Specifies whether addresses and services that aren't referenced by a policy are saved and added to the output. This option can be useful if your target device has table size limitations. You can view the unreferenced objects that FortiConverter removed on the Tuning page.

Increase Address and Service Table Sizes for High-End Models

You can customize the maximum table sizes that FortiConverter uses when Adjust table sizes is selected. For more information, see Adjusting table sizes.

Policy index start from 1 instead of 10000

When selected, the serial number of firewall policies will start from 1 instead of 10000.

Converted source vendor's application ID as-is

When selected, the converter will generate "set application <original app-name as-is>" into firewall policy, if an application is defined for it. The output still requires manual processing.

NGFW policy-based mode

When selected, the conversion will be in NGFW policy-based mode.

"firewall policy" will become "firewall security-policy" instead, and "set application 00000" will be generated in policies, which requires manual processing. There will also be some other minor differences adapted for the NGFW policy-based CLI.
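
A post-conversion check for the two options above whose `set application` lines still require manual processing (the as-is application name and the NGFW `00000` placeholder). This is an added example, not FortiConverter code; the sample configuration, policy names and the numeric application ID are constructed, and treating any non-numeric or all-zero value as unresolved is an assumption.

```python
import shlex

POLICY_TABLES = {"firewall policy", "firewall security-policy"}

# Constructed sample of converted output (names and the numeric ID are made up).
SAMPLE = """\
config firewall security-policy
    edit 10000
        set name "allow-web"
        set application 00000
    next
    edit 10001
        set name "allow-dns"
        set application 12345
    next
end
config firewall policy
    edit 10002
        set name "allow-ssh"
        set application "ssh"
    next
end
"""

def find_unresolved_applications(config_text):
    """Return (table, policy id, offending values) per policy needing manual work."""
    findings, stack, policy_id = [], [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])   # track nesting of config blocks
        elif line == "end" and stack:
            stack.pop()
        elif len(stack) == 1 and stack[0] in POLICY_TABLES:
            if line.startswith("edit "):
                policy_id = line.split(None, 1)[1]
            elif line == "next":
                policy_id = None
            elif policy_id and line.startswith("set application "):
                values = shlex.split(line)[2:]
                # Assumption: a resolved entry is a non-zero numeric ID.
                bad = [v for v in values if not v.isdigit() or int(v) == 0]
                if bad:
                    findings.append((stack[0], policy_id, bad))
    return findings

if __name__ == "__main__":
    for table, pid, bad in find_unresolved_applications(SAMPLE):
        print(f"{table} {pid}: unresolved application {bad}")
```

Running it over the converted output before loading the configuration onto the target gives the list of policies that still need an application assigned by hand.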

Convert "log-start" or "log-end" to "set logtraffic-start enable" in policy

When a policy has "<log-end>" or "<log-start>", it will be converted as "set logtraffic-start enable".

Convert URL filters into FQDNs and external resources

When this option is enabled, the URL filters in the Palo Alto configuration are converted. URL categories that contain only domain names are converted into a group containing FQDN objects. URL categories that contain URLs with a path are converted into external resources; the user needs to set up a server to maintain the URL list externally.

Set extintf to "any" under "config firewall vip"

When selected, the extintf value of every VIP is set to "any". Only available when central NAT mode is enabled.

Convert URL category to webfilter profile

When selected, URL categories are converted to webfilter profiles instead of to address objects/groups.

Convert policy tag to global-label

Palo Alto-exclusive option. Converts a PAN policy's tag into the FGT policy's global-label for grouping policies.

Expand profile group in policies

Replace the profile groups configured in firewall policies with the individual security profiles in the group.

Virtual Router Options

Merge virtual routers into the default VRF

When this option is enabled, all the interfaces and routes assigned to virtual routers are converted with no VRF (Virtual Routing and Forwarding) settings, which means they all belong to the default VRF.

Convert virtual routers into FOS VRFs

When this option is enabled, each virtual router is converted into a VRF in FortiOS.

Comment Options

Include input configuration lines for each output policy

Specifies whether FortiConverter includes the input configuration lines used for each FortiGate policy in the FortiGate configuration as a policy comment.

Interface Comment

Specifies whether FortiConverter copies the interface comment from the source configuration to the mapped FortiGate interface.

Address Comment

Specifies whether FortiConverter copies the address comment from the source configuration to the converted FortiGate address.

Service Comment

Specifies whether FortiConverter copies the service comment from the source configuration to the converted FortiGate service.

Nat Merge Options

Ignore firewall policies with all or any addresses when processing NAT rules

Specifies whether FortiConverter ignores firewall policies with an "all" or "any" address when it merges a NAT rule and a firewall policy to create a FortiGate NAT policy. FortiConverter creates new policies in the output configuration based on where NAT rules and firewall policies intersect. Because firewall policies that use "all" or "any" as the address create many intersections, Fortinet recommends that you ignore them.

Enable central NAT merge

Specifies whether FortiConverter converts NATs to FortiGate central NATs instead of policy-based NATs. It is recommended to enable this option with FOS 6.0.
