bardeg
New Contributor

Migrate Checkpoint firewall to new Fortinet firewall

Hi guys, I need some advice. We are planning to migrate from our old Checkpoint firewall to a new Fortinet firewall, but I have no clue what the easiest path is to do it. In our environment every network device and server is using the IP of the Checkpoint as gateway (10.88.88.5). Can I migrate server by server to the new firewall, or do I need to migrate whole VLANs? And what do I need to do? Should I give the new firewall IP 10.88.88.6 and change the gateway on the migrated servers to that IP? But in this situation, if for example I migrate the SQL server (IP: 10.88.88.100) but all the web servers keep using the old firewall as gateway, how will they communicate with the SQL server? Do I need to create some rule? Thanks, and please advise.
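The question above (same-VLAN hosts pointing at different gateways) comes down to which firewall, if any, sits in the forward and return path of each session. The following is an added example, not code from the thread or from Fortinet: a small model that uses the thread's two gateway addresses (10.88.88.5 for the Check Point, 10.88.88.6 for the FortiGate) plus constructed hosts and an assumed second VLAN gateway (10.88.89.5), and reports which host pairs would be delivered at layer 2 without any gateway and which would be split across two stateful firewalls (request through one, reply through the other) and therefore dropped without an inter-link route.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed mapping from gateway address to the firewall that owns it.
# 10.88.88.5 (Check Point) and 10.88.88.6 (FortiGate) are from the thread;
# 10.88.89.5 is an assumed Check Point interface in a second VLAN.
FIREWALL_OF: Dict[str, str] = {
    "10.88.88.5": "checkpoint",
    "10.88.88.6": "fortigate",
    "10.88.89.5": "checkpoint",
}


@dataclass(frozen=True)
class Host:
    name: str
    address: str  # host address with prefix length, e.g. "10.88.88.100/24"
    gateway: str  # default gateway configured on the host

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.address).network


def forwarding_path(src: Host, dst: Host) -> Dict[str, object]:
    """Describe how src -> dst traffic and its reply are forwarded.

    Same subnet: the hosts resolve each other with ARP and talk at layer 2,
    so neither default gateway is in the path (the web -> SQL case from the
    question). Different subnets: the request leaves through src's gateway
    and the reply through dst's gateway; when those belong to different
    firewalls, each stateful firewall sees only one direction of the session
    and drops it unless an inter-link route carries the return traffic.
    """
    if src.network == dst.network:
        return {"via": None, "return_via": None, "asymmetric": False}
    fwd = FIREWALL_OF.get(src.gateway, "unknown")
    ret = FIREWALL_OF.get(dst.gateway, "unknown")
    return {"via": fwd, "return_via": ret, "asymmetric": fwd != ret}


def audit(hosts: List[Host]) -> List[Tuple[str, str]]:
    """Ordered (src, dst) pairs whose sessions would be split across firewalls."""
    return [
        (a.name, b.name)
        for a in hosts
        for b in hosts
        if a is not b and forwarding_path(a, b)["asymmetric"]
    ]


# Constructed hosts. sql01's address is from the thread; the others are assumed.
SQL01 = Host("sql01", "10.88.88.100/24", "10.88.88.6")     # already moved to the FortiGate
WEB01 = Host("web01", "10.88.88.20/24", "10.88.88.5")      # still pointing at the Check Point
DMZ01 = Host("dmz-proxy", "10.88.89.50/24", "10.88.89.5")  # other VLAN, gateway on Check Point

if __name__ == "__main__":
    print(forwarding_path(WEB01, SQL01))  # same VLAN: gateway not involved
    print(forwarding_path(DMZ01, SQL01))  # crosses firewalls: asymmetric
    for pair in audit([SQL01, WEB01, DMZ01]):
        print("asymmetric:", pair)
```

The model only knows default gateways; if a host has static routes or the firewalls share an inter-link that carries the return path, extend FIREWALL_OF or forwarding_path accordingly before trusting the audit output.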
emnoc
Esteemed Contributor III

So you want to stand up 2x side-by-side firewalls?

 

That can be done, and with intra-VLAN traffic it should work. But you might have to add intra-links to route from LANs on the FGT to the CHKP if required. 1st item: do you have a new set of public addresses set up on the WAN side for the FGT?

 

What I would also do is audit the global NAT table and objects, since these can be tricky when you have side-by-side firewalls, especially when you have numerous DNAT rules and no additional public subnets. So have you audited all objects in the CHKP, including any VPN communities?

 

Q1: Why can't you use the FortiGate converter and convert the chkp stuff to ftnt? IMHO if you have fewer than 200 rules I would not even buy the converter, but just audit the CHKP stuff and recreate new host/network objects, VPN, NAT rules, and at the same time this is a good time to monitor the policy count on each policy that you are migrating. The last time we migrated a chkp to FortiGate I removed over 100 unused or duplicate rules/objects. The converter does a pretty good job, but you will have some items that will need fixing, and object NAT is the biggest item to pay attention to. Once you have a successful convert, see Q2 below.

 

Q2: Can you take a 2-4 hour maintenance window and just do a hot cut? If you successfully audit the objects in CHKP and recreate them in FortiOS, you might only need to pull a few cables and flip a few switchports. The beauty here: you do the cutover and are done, or if something does not work, you roll back. Running side-by-side firewalls can be problematic if your network is complex. It works great when you have internal layer 3 routing for local LANs, but if you have gateways on the security devices, issues such as routing, etc. can become problematic at the end of the day.

 

Q3: Are your CPSG doing any IDS or policy?

 

Q4: If you go with side-by-side (FGT + CHKP) you can maybe start with generic internal traffic to the internet and add or peel off web/SQL or other application networks if your networks are separated. Is that something you're planning on doing?

 

 

Just my few thoughts on the matter.

 

Ken Felix

PCNSE NSE StrongSwan
bardeg
New Contributor

Hi Ken, thank you for your input. To answer your questions: I need to find the safest way to do it. Yes, I can have a maintenance window for a few hours. I never knew about the converter; how much does it cost? And yes, I have public addresses on the FGT; actually some new servers are already using the new firewall.
Yurisk
Valued Contributor

FortiConverter is pretty slick, but buying a full license for a one-time transition is not justifiable - even high-level contractor per-hour work will cost less. Ask your Fortinet account manager for details; I recall vaguely that a full license for a year costs some 5-7K USD. If you have an Enterprise 360 subscription though, you may initiate a one-time configuration conversion for a one-time fee which is substantially less expensive; again, inquire with your Fortinet account manager for details.

 

I agree with what Ken wrote - running 2 firewalls in the same network at the same time is a recipe for a headache if not disaster. You configure the Fortigate from scratch, schedule downtime, move the cables from CP to FGT, verify the most essential pre-agreed services; if they don't work, switch the cables back and check the FGT logs for these services to see what went wrong.

 

One word of caution - look in Checkpoint beyond obvious places like the Rulebase in SmartDashboard - check SSL Exceptions, Policy Based Routing in the Gaia portal, route-based VPN/VTI (#vpn tu), the routing table, and any place for customization, to prevent surprises like "Don't know how, but it worked in Checkpoint..."

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
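Both Ken's Q2 (hot cut in a maintenance window, roll back if something breaks) and the procedure above (move cables, verify pre-agreed services, switch back if they fail) hinge on having the verification list and the rollback criterion written down before the window starts. The following is an added example, not from the thread or from either vendor: a checklist runner that probes each pre-agreed service over TCP through the new firewall, separates critical failures (rollback) from non-critical ones (fix after the window), and returns the decision. The SQL address 10.88.88.100 is from the thread; the other addresses, ports and the "demo" outcome are constructed assumptions.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ServiceCheck:
    name: str
    host: str
    port: int
    critical: bool = True  # a failed critical check is a rollback trigger


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Live probe: a plain TCP connect, run from a client whose path crosses the new firewall."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_cutover(checks: Iterable[ServiceCheck],
                   probe: Callable[[str, int], bool] = tcp_probe) -> Dict[str, object]:
    """Run every check once and decide whether the agreed rollback condition is met."""
    checks = list(checks)
    results = {c.name: probe(c.host, c.port) for c in checks}
    failed_critical = [c.name for c in checks if c.critical and not results[c.name]]
    failed_optional = [c.name for c in checks if not c.critical and not results[c.name]]
    return {
        "results": results,
        "failed_critical": failed_critical,
        "failed_optional": failed_optional,
        "rollback": bool(failed_critical),  # pre-agreed rule: any critical failure -> cables go back
    }


# Constructed pre-agreed checklist. Only 10.88.88.100 (SQL) comes from the thread.
CHECKLIST: List[ServiceCheck] = [
    ServiceCheck("sql", "10.88.88.100", 1433),
    ServiceCheck("web-https", "10.88.88.20", 443),
    ServiceCheck("dns-tcp", "10.88.88.53", 53),
    ServiceCheck("monitoring", "10.88.88.200", 9100, critical=False),
]


def simulated_probe(reachable: Set[Tuple[str, int]]) -> Callable[[str, int], bool]:
    """Offline stand-in for tcp_probe: a service answers iff it is in the constructed set."""
    def probe(host: str, port: int) -> bool:
        return (host, port) in reachable
    return probe


def demo() -> Dict[str, object]:
    # Constructed scenario: after moving the cables, SQL and monitoring do not answer.
    reachable = {("10.88.88.20", 443), ("10.88.88.53", 53)}
    return verify_cutover(CHECKLIST, probe=simulated_probe(reachable))


if __name__ == "__main__":
    report = demo()
    for name, ok in report["results"].items():
        print(f"{name:12s} {'OK' if ok else 'FAIL'}")
    print("ROLLBACK" if report["rollback"] else "KEEP", report["failed_critical"], report["failed_optional"])
```

For the live run, call verify_cutover(CHECKLIST) with the default tcp_probe from a host on the inside. A TCP connect only proves the firewall policy and routing let the SYN and SYN-ACK through; services that need more (DNS answers, TLS handshakes, a SQL login) deserve their own probe function passed in the same way.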
emnoc
Esteemed Contributor III

I agree with the latter statement made above.

 

The surprises always get you in the end. If you have a complex CHKP environment, spend time looking deep and audit long to find anything you have and how to build it around the FGT.

 

As far as side by side, it might be beneficial to look at new address schemas if you're already at limits.

 

e.g. back in 2010 we had web and app server networks built around /24 subnet space and we were almost at 85-88% full, so when we migrated we built new /23s (which is best practice for RFC 1918 usage) and we killed two birds with one stone, migrating from a vendor to Fortigate and at the same time doubling our private LAN sizing.

 

LAN-WEB01: existing 10.192.0.0/24, new 10.193.0.0/23 (we went that route in order to change the 2nd octet and netmask size, so server 10.192.0.10/24 on the old CHKP became 10.193.0.10/23 on the Fortigate). And we cut over 4 web+app LANs from the chkp to FGT over the course of 3-4 weeks using that approach. The VPNs were left on the CHKP and were cut over one by one, but we also built a /31 FGT-2-CHKP WAN inter-link to give access to the VPN subnets.

 

YMMV, but spend some time auditing your existing infrastructure and future needs. As far as FC pricing, it has dropped by a lot. I think you can get it for 3-4K or even less. But again, if you have 200 or fewer policies in the rulebase, I would NOT waste my money on FC, but that's IMHO and experience; it's not worth it. But if you had 1000+ policies it might be beneficial.

 

Ken Felix

PCNSE NSE StrongSwan
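The readdressing scheme in the LAN-WEB01 example (10.192.0.0/24 to 10.193.0.0/23, with 10.192.0.10 becoming 10.193.0.10) keeps each host's offset inside the block and picks a new range that does not overlap the old one, which is what lets the old and new LANs coexist during a multi-week cutover. The following is an added example, not from the thread: it generalises that mapping to any old/new prefix pair, refuses offsets that would not fit or would land on the new broadcast address, and reports utilisation before and after so the "85-88% full" check is reproducible. The inventory below is constructed; only 10.192.0.10/24 and the two prefixes come from the post.

```python
import ipaddress
from typing import Dict


def translate_address(old: str, old_net: str, new_net: str) -> str:
    """Map a host from old_net to new_net, keeping its host offset inside the block."""
    old_iface = ipaddress.ip_interface(old)
    old_network = ipaddress.ip_network(old_net)
    new_network = ipaddress.ip_network(new_net)
    if old_iface.ip not in old_network:
        raise ValueError(f"{old} is not inside {old_net}")
    offset = int(old_iface.ip) - int(old_network.network_address)
    new_ip = new_network.network_address + offset
    # Growing the prefix (/24 -> /23) always fits; shrinking it may not, and the
    # last address of the new block is its broadcast, which no host may take.
    if new_ip not in new_network or new_ip == new_network.broadcast_address:
        raise ValueError(f"offset {offset} from {old} does not fit in {new_net}")
    return f"{new_ip}/{new_network.prefixlen}"


def utilization(net: str, host_count: int) -> float:
    """Fraction of usable host addresses in use (network and broadcast excluded below /31)."""
    network = ipaddress.ip_network(net)
    usable = network.num_addresses if network.prefixlen >= 31 else network.num_addresses - 2
    return host_count / usable


def plan(hosts: Dict[str, str], old_net: str, new_net: str) -> Dict[str, object]:
    """Build the per-host renumbering table plus the checks worth reviewing before the window."""
    old_network = ipaddress.ip_network(old_net)
    new_network = ipaddress.ip_network(new_net)
    return {
        # Non-overlapping ranges let old and new LANs run side by side during the cutover.
        "overlaps": old_network.overlaps(new_network),
        "utilization_before": round(utilization(old_net, len(hosts)), 3),
        "utilization_after": round(utilization(new_net, len(hosts)), 3),
        "hosts": {name: translate_address(addr, old_net, new_net) for name, addr in hosts.items()},
    }


# Constructed inventory: 10.192.0.10/24 is the post's example; the rest are assumed.
LAN_WEB01: Dict[str, str] = {
    "web01": "10.192.0.10/24",
    "web02": "10.192.0.11/24",
    "app01": "10.192.0.50/24",
}

if __name__ == "__main__":
    result = plan(LAN_WEB01, "10.192.0.0/24", "10.193.0.0/23")
    print("overlaps:", result["overlaps"])
    print("utilization before/after (218 hosts):",
          round(utilization("10.192.0.0/24", 218), 3), round(utilization("10.193.0.0/23", 218), 3))
    for name, new_addr in result["hosts"].items():
        print(f"{name}: {LAN_WEB01[name]} -> {new_addr}")
```

Feed it the real host export from the old firewall's object database and the "hosts" table becomes the change list for DNS, DHCP reservations and firewall objects; the "overlaps" flag being False is the property that made the gradual, LAN-by-LAN cutover in the post possible.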