Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Migration for cisco ASA to Fortinet 1000D:

Dear friends,

Actually we are planning to migrate from cisco ASA firewall to Fortinet. so i am using foticonverter for converting those Rules,NAT, VPN and all policies on cisco firewall.


Migration for cisco ASA to Fortinet 1000D:


Will forticonverter will help to migrate all those stuffs to fortigate. Which converter is the best for migration? Do i need to purchase any license for migration? What are all the stuffs will be migrating from Cisco ASA to Fortigate? What stuffs will not be migrating through converter? What the things need to be configured manually? What is the best practices for doing all those things?


Awaiting for your reply.



Best regards,


New Contributor

These are great questions Karthik. I find myself in the same situation. Too bad the forums are so quiet.


I made the mistake of thinking that since the FortiConverter helps customers migrate to Fortinet that they'd want to provide it free-of-charge.

Esteemed Contributor III




  • yes it's not free
  • yes it does a good job , but some item will STILL  need to be reviewed after conversion
  • it's not 100% fool-proof
  • your sales team can give you a demo ( free )
  • read the release notes on what's is or not supported and based on cisco ASA or PIX or whatever
  • review all ipsec and webvpn stuff and convert these by had or manually imho
  • after all of the above, than give it a spin  if you think it will help[/ul]


    FWIW if you have one cisco ASA and let's say under 100 fwpolicy and under 100 address objects, you are not doing anything crazy with multi-context o qos, I would not waste buying a FortiConvertor.


    It's a tool but it's not 100% fool-proof or  even required for 7 out of 10 orgs that I've see purchase it. I also would not  migrating anything without conducting a 1st fw-security audit and review what you have NOW. It makes no sense to migrate junk  or bad practices  or implementation from one cisco ASA to a fortigate imho ;)






  • PCNSE 



    PCNSE NSE StrongSwan
    Valued Contributor

    It is a wonderful tool that you will want to allow to do it's thing. Then from there, look at it's output and manually input it into your device to ensure all is good.


    I'm paranoid on anything automated so I "do it twice" like this by letting it do the bulk and then checking it while I implement it.


    Helps remove possible weird shenanigans the converter does

    Mike Pruett Fortinet GURU | Fortinet Training Videos
    Top Kudoed Authors