Migration

There are two primary reasons to migrate a FortiGate:

  • A FortiGate is being replaced with a different model.

  • A different firewall is being replaced with a FortiGate.

The following steps can be used to help with your migration:

  1. Audit the current configuration:

    • Remove any unused objects or policies.

    • Analyze the existing policies by assessing traffic flow through the FortiGate and defining what the traffic should look like to determine if any of the policies can be combined.

  2. Create diagrams mapping the existing firewall to the new FortiGate.

    For example, port1 on the old firewall could be port2 on the new FortiGate.

  3. Configure the general settings first:

    • Interface settings: IP addresses, alias, management access, VLANs

    • Routing: static and dynamic routes

    • HA, if applicable

    • Administrative settings: user account, remote authentication server integration, SNMP, logging, and others

    • Certificates

  4. Create the used objects on the FortiGate.

  5. Create policies:

    • Separate them into sections applicable to your use case and configure them one at a time, for example: by business group (HR, accounting), or by application or service (email, CRM).

  6. Create an acceptance test plan:

    • This must be executed as part of the cut-over maintenance window.

    • Have an employee from each affected section verify functionality after the cut-over.

    • If applicable, test HA failover.

  7. Verify, as far as possible, that the migration worked as planned. A lab that can simulate your normal traffic makes this much easier.

  8. Install the new FortiGate during the maintenance window.

    • If possible, install the new FortiGate alongside the existing firewall and cut over only a small, select group of users.

    • Have a back-up plan in the event that the cut-over does not go as planned.

  9. Run user acceptance testing:

    • Have all affected parties ensure that their requirements are unaffected by the change.
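
The audit in step 1 and the interface mapping in step 2 can be run against a configuration backup before anything is loaded onto the new unit. The following is an added example, not Fortinet tooling: the sample configuration is constructed, and `PORT_MAP`, `unused_addresses` and `remap_interfaces` are hypothetical names.

```python
import re

# Constructed sample in FortiOS backup syntax; not taken from a real device.
SAMPLE = '''\
config firewall address
    edit "HR-net"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "CRM-srv"
        set subnet 10.2.0.10 255.255.255.255
    next
    edit "old-printer"
        set subnet 10.9.9.9 255.255.255.255
    next
end
config firewall addrgrp
    edit "Apps"
        set member "CRM-srv"
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "HR-net"
        set dstaddr "Apps"
    next
end
'''
# Hypothetical step 2 mapping: old interface name -> name on the new FortiGate.
PORT_MAP = {"port1": "port2", "port2": "port3"}

def unused_addresses(cfg):
    """Addresses defined but never named by a policy or group."""
    block = re.search(r"^config firewall address\n(.*?)^end$", cfg, re.M | re.S)
    defined = re.findall(r'^\s*edit "(.+)"$', block.group(1), re.M) if block else []
    used = set()
    # 'set member' also appears in non-address groups; over-counting "used"
    # only keeps more objects, which is the safe direction for an audit.
    for line in re.findall(r"^\s*set (?:srcaddr|dstaddr|member) (.*)$", cfg, re.M):
        used.update(re.findall(r'"([^"]+)"', line))
    return [a for a in defined if a not in used]

def remap_interfaces(cfg, mapping):
    """Rename in one pass so port1->port2 is not then re-mapped to port3."""
    def swap(m):
        return m.group(1) + re.sub(r'"([^"]+)"',
            lambda n: '"%s"' % mapping.get(n.group(1), n.group(1)), m.group(2))
    return re.sub(r"^(\s*set (?:srcintf|dstintf) )(.*)$", swap, cfg, flags=re.M)
```

Treat the output of `unused_addresses` as candidates to review rather than delete automatically, since this sketch does not look at other features that can reference an address object.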

Fortinet offers FortiConverter as a one-time, paid service that helps migrate configurations to a new FortiGate. It reduces migration complexity and eliminates common migration configuration errors. For details on purchasing the FortiConverter service, contact your Fortinet sales partner or reseller. After the configuration generated by FortiConverter has been loaded onto the target device, Fortinet technical support or Technical Assistance Center (TAC) can assist with any issues.
