Centrocito
New Member
November 4, 2014
Question

From CISCO to FORTIGATE

  • November 4, 2014
  • 8 replies
  • 34573 views

Hello to the FORTIGATE community

As the title says, I am in the middle of a project that consists of moving from CISCO to FORTIGATE. I am new to the routing world and I have been learning lots of new things... Can someone help me do this? I am willing to provide any information needed, like all the configuration that my CISCO has right now. If someone knows about the two systems and is willing to help, please PM me. Thanks.

    8 replies

    Courtney_Schwartz
    Staff
    November 4, 2014

    FortiConverter can do this for you.

    http://www.fortinet.com/p...ticonverter/index.html


    emnoc
    New Member
    November 5, 2014

    Yeah forticonverter sounds good but what are you migrating from and to?

    pix

    asa

    security-router

    to a cluster fortigate?

    NOTE: If you don't have experience you should contract with a Fortinet partner or consultant. Professional services could be offered to easily lift and move from vendor XYZ to Fortinet.

    Centrocito
    New Member
    November 5, 2014

    emnoc wrote:

    Yeah forticonverter sounds good but what are you migrating from and to?

    pix

    asa

    security-router

    to a cluster fortigate?

    NOTE: If you don't have experience you should contract with a Fortinet partner or consultant. Professional services could be offered to easily lift and move from vendor XYZ to Fortinet.

    I checked the forticonverter but it will convert all the old configurations that I don't really need.

    I am moving from a Cisco 2801 to a 100D.

    And yeah it seems I am going to need to pay anyway.

    Courtney_Schwartz
    Staff
    November 5, 2014

    Centrocito wrote:

    I checked the forticonverter but it will convert all the old configurations that I don't really need.

    You can tell FortiConverter to remove unused objects. That's one of the reasons it gives cleaner results than migrating manually.

    FortiConverter was designed, among other things, to accelerate professional services.

    emnoc
    New Member
    November 5, 2014

    Then take out the cfg that's not relevant or that you don't need. What I would do if you're moving from, let's say, a PIX or ASA: define your L3 interfaces, or if in transparent mode, define your 2 in/out interfaces 1st.

    Then do all firewall addresses (objects in Cisco lingo) and then do any firewall policies.

    Lastly, the VPN and other misc.

    Dump all of the policies and do an audit b4 and after, and you might find you have to clean up a few items. A <50 line PIX or ASA is nothing. A 51-1000 line fwpolicy PIX/ASA might be more challenging but still is not too hard. When you get into >1001, then that could become stressful.

    bartman10
    New Member
    November 17, 2014

    It's not hard.. I'm converting from ASA5510's and 5505's to FG.. The best advice I can give you is that a FortiGate calls a NAT a VIP, Virtual IP. Why, I have no idea..

    Also, in the cookbook I read when deploying it for the first time, the example they give you for doing a VIP (NAT) combines the VIP and PAT into the same statement! If you follow this you'll need a VIP statement for every freeken port on a server. This would be fine if the server only has 1 port.. but my god WHY!..

    Just leave the port part empty and control it like normal in the firewall rule.

    Best part of a FG is the "show" and "get" command when you are in a subsection of the CLI.. I've always wanted to know why Cisco can't do something like this!
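As an added example (not from any poster in this thread and not Fortinet's own documentation), here is emnoc's order (address objects, then the VIP, then the policy) carried through for bartman10's point about leaving the VIP's port empty and restricting ports in the firewall rule. The server, the partner subnet and the interface names are assumptions.

```fortios
# Constructed example: a hypothetical web server 10.0.0.10 published on
# 203.0.113.10 via wan1. All names, addresses and interfaces are assumptions.
# 1. Address objects first (Cisco "object network" equivalents). This one
#    limits which external sources may reach the server at all.
config firewall address
    edit "net-partner"
        set subnet 198.51.100.0 255.255.255.0
    next
end

# 2. The VIP (what FortiGate calls a static NAT). Port forwarding is left
#    off, as bartman10 suggests, so one VIP covers every port of the host.
config firewall vip
    edit "vip-web"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
    next
end

# For comparison, the per-port form from the cookbook needs one entry per
# service (extport/mappedport), i.e. a second VIP for port 80, and so on:
# config firewall vip
#     edit "vip-web-443"
#         set extintf "wan1"
#         set extip 203.0.113.10
#         set mappedip "10.0.0.10"
#         set portforward enable
#         set extport 443
#         set mappedport 443
#     next
# end

# 3. The policy is where exposure is actually restricted: because the VIP
#    maps all ports, "set service" must be explicit. Using "ALL" here would
#    expose every listening port on 10.0.0.10 to the partner network.
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "net-partner"
        set dstaddr "vip-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Because the policy references the VIP object as its destination, adding another allowed service later is an edit to `set service` on this one policy rather than a new VIP per port.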

    Courtney_Schwartz
    Staff
    November 17, 2014

    bartman10, on Cisco, are you aware of "do show running-config" etc. when within the "en / conf t" scope? Basically use your typical command, but insert "do" in front of it to be able to execute the command while in a configure shell.

    IMO, it's not as nice as Fortinet's "show" and "get" ... But may help you if you have a mixed environment.

    emnoc
    New Member
    November 18, 2014

    Best part of a FG is the "show" and "get" command when you are in a subsection of the CLI.. I've always wanted to know why Cisco can't do something like this!

    And the Cisco ASA and PIX have both had show commands for sections within the enable or config mode.

    E.g.

    show run access-list (will display ACLs, i.e. could be your firewall policies)

    show run crypto (show VPN details)

    show run tunnel-group (VPN peers)

    show run dhcpd (DHCP servers)

    IOS-XR would be the most similar with show within the configuration mode and sections. So yes, the Cisco ASA OS isn't "FortiOS", but it's Cisco and it's good & simple for those who have experience with it. Show commands in Cisco ASA are built very similarly to a FortiGate show/get, and in some places and areas it's better.

    E.g.

    IOS show redirection and matches vs. the Fortinet limited "grep"

    btw; JunOS is also similar to FortiOS with show commands, with the additions of display set and match options. As a matter of fact it's better than Cisco and even Fortinet imho and experience.

    bartman10
    New Member
    November 18, 2014

    yes.. I know those commands.. but it's still not as slick as just "show,get" in the sub-menu I'm currently in.. 

    Courtney_Schwartz
    Staff
    November 18, 2014

    Yeah, I agree personally... It's one of the things about our CLI that I prefer.

    Armando_Gomez_Barrio
    New Member
    November 14, 2017

    Hi, I have the same problem.

    I only have the script of the Cisco device. Can somebody help me?

    Best regards.