Fortinet Forum
Arnold77
New Contributor

migration from Checkpoint 3000 to Forti100E

Hello everybody,

In my environment I have two Checkpoint 3000 appliances in a cluster and a Management server as a VM, version R80.10. I want to get rid of the Checkpoint firewalls and replace them with a Forti100E. Is it possible to migrate completely from Checkpoint to Forti100E with FortiConverter without issues?

What is the best way to make this migration successful? Has anyone done this migration process? Best Regards.

Heaven_Knows
New Contributor III


Dear brother

I think that there is no way to get help here for such a very specific case.

This is just converting network settings from one device to another with different types of hardware.

You can compare the configuration structure of both config files and find a way to convert the old settings to the new ones; this can help you save time.

emnoc
Esteemed Contributor III

Yes, FConverter would help. You still need to review the policy and especially the areas that cover NAT and logging.

So yes, if you do not want to do it manually, use the migration tool and review the number of elements (groups, hosts|network, policy, etc.) and make adjustments as required.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  
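Added example, not part of any post in this thread and not Fortinet or FortiConverter code: one way to script the review emnoc describes, comparing object counts against the source and listing policies whose NAT and logging settings need a second look. It assumes the converted output is plain FortiOS CLI text without a VDOM wrapper, that `expected_counts` is filled in by hand from the Check Point side, and the function names are hypothetical.

```python
SAMPLE = '''config firewall address
    edit "srv-web"
        set subnet 10.0.1.10 255.255.255.255
    next
end
config firewall policy
    edit 1
        set logtraffic all
        set nat enable
    next
    edit 2
        set logtraffic disable
    next
end
'''  # constructed FortiOS-style sample, not from the thread

def parse_sections(text):
    """Map each top-level 'config X' block to {entry: {key: value}} (no VDOM wrapper assumed)."""
    sections, section, entry, depth = {}, None, None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                section = sections.setdefault(line[7:], {})
        elif line == "end":
            depth -= 1
        elif depth != 1:
            continue  # skip nested sub-tables inside an entry
        elif line.startswith("edit "):
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
        elif line == "next":
            entry = None
    return sections

def review(text, expected_counts):
    """Return findings: object-count mismatches plus policies to re-check for NAT and logging."""
    sections = parse_sections(text)
    findings = [f"{name}: source had {want}, converted {len(sections.get(name, {}))}"
                for name, want in expected_counts.items()
                if len(sections.get(name, {})) != want]
    for pid, pol in sections.get("firewall policy", {}).items():
        if pol.get("logtraffic") == "disable":
            findings.append(f"policy {pid}: logging disabled")
        if pol.get("nat") == "enable":
            findings.append(f"policy {pid}: NAT enabled, compare with source NAT rule")
    return findings
```

A policy with no `set logtraffic` line is left unflagged here because the CLI omits settings that are at their default value.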

aluby7
New Contributor

I'm about to do something similar. If you have completed this already I'd love any information you have about pitfalls or learned lessons you have.

 

My main thoughts currently are:

  • Convincing the CheckPoint Management Server to start managing remote CheckPoints through a Fortinet Gateway instead of a CheckPoint
  • Making new VPN Communities in the CheckPoint Management server that say to start using the Fortinet as the central gateway in a new PSK based VPN
  • Having both the current CheckPoints and the new Fortinets partially online at the same time so the CheckPoint management server can send requests through the CheckPoint gateway to remote gateways to change their configuration and point them to the Fortinet instead

emnoc
Esteemed Contributor III

That's all good and dandy. You do know this thread is lightyears old.

So are you mainly concerned with CPSG gateways at the remote and VPNs? If the end-devices are CPSG and you want to migrate off the central HQ 3000 to, let's say, a FGTXXXXX, you could build a new vpn-community, apply the gateway address of the FGT and then install that policy to redirect that "spoke" to the new HUB.

And then disable the old policy at the CHKP 3000 and adjust for any routing thru the new fortigate. I worked a project that was just like the above with walking over vpn-spokes one at a time and it was doable. Afterward we monitor the rule and encryption/decryption details in the eventlogs to ensure that new tunnel was up or use vpn tunnelutility. After you figure out the plan and steps, you could easily migrate a few per night or during a maintenance window.

Just my 2cts, and god I hate CHKP

Ken Felix

PCNSE

NSE

StrongSwan