johnlloyd_13
Contributor II

Migrate Cisco ASA to Fortigate

Hi,

I'll be refreshing HW and will migrate our Cisco ASA to FGT.

My questions are:

 

1. Our ASA environment is a context-based/multi-tenant FW, so when I create a new VDOM, do I always choose "central NAT", since it's closer to how ASA is implemented?

 

2. We have an ASA context used solely for IPsec VPN. Do I also choose "central NAT" in this scenario?

 

3. Can I create a new VDOM directly on the FGT device, or is it best practice to do it via FMG?

 

4. I'll be ordering a FortiConverter license to help with my ASA migration. Is the result/conversion 100% accurate, or do I still need to manually inspect the output/config?

 

5. After I convert the ASA context/config in FortiConverter, how do I apply the config on a FGT? Do I apply the config directly on the FGT device, or via FMG?

 

Apologies for all these questions, since it will be my first time converting ASA to FGT.

Looking forward to your reply. Thanks in advance!

 

4 REPLIES
Anthony_E
Community Manager

Hello John,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
AEK
SuperUser

Hi John

 

If ASA uses central SNAT then it is easier to migrate the NAT policy when you set your FGT to central SNAT as well. But you can still use central NAT or in-policy NAT, following your preference. Same for the IPsec-related question (Q2).

 

For VDOM creation, if your FGT is unmanaged then you create it directly on the FGT (you don't have a choice here), but in case it is managed by FMG then the more correct way is to create it from FMG.

 

As per my experience, FortiConverter usually doesn't convert the config 100%, so you usually need to do some manual work to complete the conversion. But it seems the FortiConverter cloud service converts much better than the tool, since there are Fortinet engineers that help you convert your config.

https://docs.fortinet.com/document/forticonverter/7.2.0/online-help/220359/supported-versions-and-co...

https://docs.fortinet.com/document/forticonverter-service/23.1.0/online-help/765339/3rd-party-securi...

So as a general rule, if you have a single conversion and you don't have an enterprise subscription, then it is better to order the FConv cloud service (better and more complete conversion, but I can't confirm if it is 100%); otherwise, in case you have multiple conversions to perform during this year, then it is probably more interesting (in terms of price) to order the FConv tool subscription.

 

As it is a fresh conversion, I'd apply the config directly to the FGT (before connecting it to FMG), then I'd integrate the FGT with the FMG.

AEK
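As an added illustration of the choice discussed above (this is not from AEK's reply or from Fortinet documentation), here is what the same outbound SNAT rule for one tenant VDOM looks like in FortiOS CLI under each model. The VDOM name `tenant-a`, interfaces `port1`/`port2`, the address object `LAN_NET` and the IP pool `SNAT_POOL` are assumed placeholders. Everything after the VDOM creation is entered inside that VDOM (`config vdom` / `edit tenant-a`), because the central NAT setting is per VDOM, so each tenant can follow whichever model its ASA context maps to best.

```text
# Create the tenant VDOM (global context). Placeholder name.
config vdom
    edit "tenant-a"
    next
end

# --- Inside the VDOM: objects shared by both variants ---
config firewall address
    edit "LAN_NET"
        set subnet 10.10.0.0 255.255.255.0   # assumed tenant LAN
    next
end
config firewall ippool
    edit "SNAT_POOL"
        set type overload
        set startip 203.0.113.10             # assumed public NAT address
        set endip 203.0.113.10
    next
end

# --- Variant A: central NAT (NAT decided in a separate table, ASA-like) ---
config system settings
    set central-nat enable
end
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "LAN_NET"
        set dst-addr "all"
        set nat enable
        set nat-ippool "SNAT_POOL"
    next
end
# The firewall policy only allows the traffic; it carries no NAT settings.
config firewall policy
    edit 1
        set name "tenant-a-out"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# --- Variant B: in-policy NAT (NAT is a property of the allow rule) ---
config system settings
    set central-nat disable
end
config firewall policy
    edit 1
        set name "tenant-a-out"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SNAT_POOL"
    next
end

# Check which model a VDOM is in before importing converted policies:
#   show system settings | grep central-nat
```

Pick the model per VDOM before loading any converted policies: FortiOS rejects enabling central NAT in a VDOM that still has policies with `set nat enable`, so a late switch means re-editing every NAT rule. In central NAT mode the policy and the SNAT map are matched independently, so a policy change does not silently alter NAT behaviour, which is the ASA-like property behind the "closer to ASA" remark; in policy NAT mode the allow rule and its translation are reviewed together, which is the simpler mental model if the team wants to drop the ASA way of thinking.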
johnlloyd_13

Hi,

Thanks for these insights! Unfortunately, our team has decided to go with policy-based FW rules/NAT (not central NAT).

By going this path, we can familiarize ourselves with FGT config/setup and move away from the ASA mindset/tech.

I agree to do a hybrid job, i.e. use FortiConverter and audit/configure manually by hand, since the output is not always perfect.

Since the FGT is already added to FMG, I plan to apply the converted config separately: the interfaces and routes will be applied directly to the FGT, then it will auto-update to FMG. The other part, the address objects and FW rules, will be applied to FMG. Will this plan work, and is it a good idea?

 

AEK

Yes you can do that as well.

AEK