Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Migrate Checkpoint firewall to new Fortinet fi...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Migrate Checkpoint firewall to new Fortinet firewall
Hi guys, i need some advice, we are planning to migrate from our old checkpoint firewall to new firewall Fortinet but i have no clue what is the easiest path to do it. In our environment every network device, server is using IP of the Checkpoint as gateway. (10.88.88.5)
Can i migrate server by server to the new firewall or do i need migrate whole vlans ? and what i need to do?
Should i give the new firewall IP 10.88.88.6 and change the gateway on the migrated servers to that IP?
But in this situation if for example i migrate SQL server IP: 10.88.88.100, but all the webservers will keep using old firewall as gateway, how they will communicate with the sql server?
Do i need create some rule?
Thanks and please advice?
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So you want to stand up 2x side-by-side firewalls?
That can be done and with intra-vlan traffic it should work. But you might have to add intra-links to route from lans on fgt to chkp if required. 1st item; Do you have a new set up public-address on the wan side for the FGT
What I would also do is audit the global-nat table and objects since these can be tricky when you have side-by-side firewalls and especially when you have numerous DNAT rules and no additional public-subnets. So have you audited all objects in the CHKP including any vpncommnunities ?
Q1: Why can't you use the FortiGate converter and convert the chkp stuff to ftnt? IMHO if you have less than 200 rule I would not even buy the converter but just audit the CHKP stuff and recreate new host/network objects , VPN,nat rules, and at the same time this is a good time to monitor policy-count on each policy that you are migrating. The last time we migrated a chkp to FortiGate I removed over 100 unused or duplicate rules/objects. The converter does a pretty good job but you will have some items that will need fixing and object-nat are the biggest items to pay attention with. Once you have a successful convert see Q2 below
Q2: Can you take a 2-4 hour maintenance-window and just do a hot cut? If you successfully audit the objects in CHKP and recreate them into FortiOS, you only might need to pull a few cables and flip a few switchports. The beauty here , you do the cutover and be done, or if something does not work, you rollback. Running side-by-side firewall can be problematic if your network is complex. It works great when you have internal layer3 routing for local LANs but if you have gateways on the security-devices issues such as routing, etc......can become problematic at the end of the day
Q3: Are your CPSG doing any IDS or policy?
Q4: If you go with side-by-side ( FGT + CHKP ) you can maybe start with generic internal traffic to the internet and add or peel off web/sql or other applications network if your networks separated. Is that something your planning on doing?
just my few thoughts on the matter
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ken
Thank you for your input.
To answer your questions , I need to find safest way to do it. Yes I can have maintenance window for few hours.
I never knew about the converter, how much it costs and yes I have public addresses on FGT, actually some new servers are already using the new firewall
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiConverter is pretty slick, but buying a full license for one-time transition is not justifiable - even high level contractor per hour work will cost less. Ask your Fortinet account manager for details, I recall vaguely that full license for a year costs some 5-7K USD. If you have Enterprise 360 subscription though, you may initiate a one-time configuration conversion for one-time fee which is substantially less expensive, again inquire your Fortinet account manager for details.
I agree with what Ken wrote - running 2 firewalls in the same network at the same time is a recipe for a head ache if not disaster. You configure Fortigate from scratch, schedule downtime, move the cables from CP to FGT, verify most essential pre-agreed services, if they dont work - switch cables back, check FGT logs for these services what went wrong.
One word of caution - look in Checkpoint beyond obvious places like Rulebase in SmartDashboard - check SSL Exceptions, Policy Based Routing in Gaia portal, Route based VPN/VTI #vpn tu , routing table, and any place for customization to prevent surprises "Don't know how, but it worked in Checkpoint.."
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I agreed on the latter statement made above..
The surprises always get you in the end. If you have a complex CHKP environment;; spend time looking deep and audit long to find anything you have and how to build it around the FGT.
As far side by side, it might be beneficial to look at new address schemas if you already at limits.
e.g
back in 2010 we had web and app server networks built around /24 subnets space and we were almost at 85-88% full, so when we migrated we built new /23 ( which is best practice for rfc1918 usage ) and we killed 2 bird-with-1-stone with migrating from a vendor to Fortigate and at the same time doubling our private lan sizing.
LAN-WEB01 existing 10.192.0.0/24 new 10.193.0.0/23 ( we went that route in order to change the 2nd octet and netmask size so server 10.192.0.10/24 on the old CHKP became 10.193.0.10/23 in the fortigate. And we cut over 4 web+app lans from the chkp to FGT over a course of 3-4 weeks using that approach. The vpns were left on CHKP and were cutover one-by-one but we also built a /31 FGT-2-CHKP wan-inter-link to give access to the VPN subnets.
YMMV, but spend some time auditing your existing inf and future needs. As far as FC pricing it has dropped by a lot. I think you can get it for 3-4K or even less. But again if you have 200 or fewer policies in the rulebase, I would NOT waste my money on FC but that imho and experience & it's not worth it. But if you had 1000+ policies it might be beneficial.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortiweb 7.6.0 WAF | Update should... 46 Views
- Wildcard for web filter 117 Views
- Fortigate DeepInspection - quic not working 230 Views
- Output traffic with default route BGP 549 Views
- Seeking Guidance on Configuring DHCP Relay... 259 Views
Labels
-
FortiGate
8,475 -
FortiClient
1,718 -
5.2
801 -
FortiManager
713 -
5.4
639 -
FortiAnalyzer
548 -
FortiAP
458 -
FortiSwitch
457 -
6.0
416 -
FortiClient EMS
408 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
222 -
FortiWeb
200 -
5.0
196 -
IPsec
186 -
FortiNAC
178 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1661 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.