So you want to stand up 2x side-by-side firewalls?
That can be done and with intra-vlan traffic it should work. But you might have to add intra-links to route from lans on fgt to chkp if required. 1st item; Do you have a new set up public-address on the wan side for the FGT
What I would also do is audit the global-nat table and objects since these can be tricky when you have side-by-side firewalls and especially when you have numerous DNAT rules and no additional public-subnets. So have you audited all objects in the CHKP including any vpncommnunities ?
Q1: Why can't you use the FortiGate converter and convert the chkp stuff to ftnt? IMHO if you have less than 200 rule I would not even buy the converter but just audit the CHKP stuff and recreate new host/network objects , VPN,nat rules, and at the same time this is a good time to monitor policy-count on each policy that you are migrating. The last time we migrated a chkp to FortiGate I removed over 100 unused or duplicate rules/objects. The converter does a pretty good job but you will have some items that will need fixing and object-nat are the biggest items to pay attention with. Once you have a successful convert see Q2 below
Q2: Can you take a 2-4 hour maintenance-window and just do a hot cut? If you successfully audit the objects in CHKP and recreate them into FortiOS, you only might need to pull a few cables and flip a few switchports. The beauty here , you do the cutover and be done, or if something does not work, you rollback. Running side-by-side firewall can be problematic if your network is complex. It works great when you have internal layer3 routing for local LANs but if you have gateways on the security-devices issues such as routing, etc......can become problematic at the end of the day
Q3: Are your CPSG doing any IDS or policy?
Q4: If you go with side-by-side ( FGT + CHKP ) you can maybe start with generic internal traffic to the internet and add or peel off web/sql or other applications network if your networks separated. Is that something your planning on doing?
just my few thoughts on the matter
Ken Felix
PCNSE
NSE
StrongSwan
FortiConverter is pretty slick, but buying a full license for one-time transition is not justifiable - even high level contractor per hour work will cost less. Ask your Fortinet account manager for details, I recall vaguely that full license for a year costs some 5-7K USD. If you have Enterprise 360 subscription though, you may initiate a one-time configuration conversion for one-time fee which is substantially less expensive, again inquire your Fortinet account manager for details.
I agree with what Ken wrote - running 2 firewalls in the same network at the same time is a recipe for a head ache if not disaster. You configure Fortigate from scratch, schedule downtime, move the cables from CP to FGT, verify most essential pre-agreed services, if they dont work - switch cables back, check FGT logs for these services what went wrong.
One word of caution - look in Checkpoint beyond obvious places like Rulebase in SmartDashboard - check SSL Exceptions, Policy Based Routing in Gaia portal, Route based VPN/VTI #vpn tu , routing table, and any place for customization to prevent surprises "Don't know how, but it worked in Checkpoint.."
I agreed on the latter statement made above..
The surprises always get you in the end. If you have a complex CHKP environment;; spend time looking deep and audit long to find anything you have and how to build it around the FGT.
As far side by side, it might be beneficial to look at new address schemas if you already at limits.
e.g
back in 2010 we had web and app server networks built around /24 subnets space and we were almost at 85-88% full, so when we migrated we built new /23 ( which is best practice for rfc1918 usage ) and we killed 2 bird-with-1-stone with migrating from a vendor to Fortigate and at the same time doubling our private lan sizing.
LAN-WEB01 existing 10.192.0.0/24 new 10.193.0.0/23 ( we went that route in order to change the 2nd octet and netmask size so server 10.192.0.10/24 on the old CHKP became 10.193.0.10/23 in the fortigate. And we cut over 4 web+app lans from the chkp to FGT over a course of 3-4 weeks using that approach. The vpns were left on CHKP and were cutover one-by-one but we also built a /31 FGT-2-CHKP wan-inter-link to give access to the VPN subnets.
YMMV, but spend some time auditing your existing inf and future needs. As far as FC pricing it has dropped by a lot. I think you can get it for 3-4K or even less. But again if you have 200 or fewer policies in the rulebase, I would NOT waste my money on FC but that imho and experience & it's not worth it. But if you had 1000+ policies it might be beneficial.
Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.