MED-90
New Contributor

migrate from Palo Alto firewall to Fortigate

Hello. I have a project to migrate from Palo Alto firewall to Fortigate. Unfortunately, we don’t have the FortiConverter tool, so I proceeded to migrate the configuration manually. I have a problem with some NAT rules and need your help.

[Attached images: X.jpg, Y.jpg, Z.jpg]

5 REPLIES
MED-90
New Contributor

Your help please, is it a source NAT or a destination NAT?

AlexC-FTNT
Staff

No idea how to convert this, but there are a couple of keywords that I guess hint at the direction:

<destination> DSI_F5 <service> HTTPS >> so this is pushed to an F5 load balancer IP (=looks like DNAT to me)

<to> INTERNET // <source> local IP >> this is the reverse direction (=SNAT). The SNAT is done automatically in FortiGate for the VIP addresses.

<bidirectional> --> yes (confirmation of the above)

The log image part (right side) looks clearer. It gives the destination address (on PA) and the NAT IP of the server (DNAT).


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
MED-90

So the configuration on Fortigate should be like this, is that correct?

[Attached image: forti-nat.jpg]

AlexC-FTNT

Looks right, Mede (not sure about the services), with one mention: proxy mode. And then you probably need another/reverse policy for the outgoing access (if these server/s need internet access - only NAT enabled).


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
MED-90
New Contributor

Thank you for your help :)
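
For anyone doing the same manual migration, here is an added example (not from the thread or from Fortinet) that classifies a PAN-OS NAT rule as source, destination or bidirectional static NAT from its XML, and renders the FortiGate VIP and inbound policy for the bidirectional case discussed above. The sample rule, its PAN-OS element layout (`source-translation` / `bi-directional`), the interface names and the IPs are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed PAN-OS NAT rule: names, zones and documentation-range IPs are
# placeholders, not values from the thread's screenshots.
SAMPLE_RULE = """<entry name="NAT_DSI_F5">
  <from><member>DMZ</member></from>
  <to><member>INTERNET</member></to>
  <source><member>10.10.10.5</member></source>
  <destination><member>any</member></destination>
  <service>any</service>
  <source-translation><static-ip>
    <translated-address>203.0.113.5</translated-address>
    <bi-directional>yes</bi-directional>
  </static-ip></source-translation>
</entry>"""

def classify(rule):
    """Return 'static-bidir', 'dnat', 'snat' or 'none' for one NAT <entry>."""
    static = rule.find("source-translation/static-ip")
    if static is not None and static.findtext("bi-directional") == "yes":
        return "static-bidir"  # 1:1 NAT; PAN-OS adds the reverse DNAT itself
    if rule.find("destination-translation") is not None:
        return "dnat"
    if rule.find("source-translation") is not None:
        return "snat"
    return "none"

def to_fortigate(rule, wan="wan1", lan="dmz", service="HTTPS"):
    """Render the VIP and inbound policy for a bidirectional static NAT rule.
    wan/lan are assumed FortiGate interface names for the PAN-OS zones."""
    if classify(rule) != "static-bidir":
        raise ValueError("not a bidirectional static NAT rule")
    vip = "VIP_" + rule.get("name")
    ext = rule.findtext("source-translation/static-ip/translated-address")
    real = rule.findtext("source/member")
    return "\n".join([
        "config firewall vip", f'    edit "{vip}"',
        f'        set extintf "{wan}"', f"        set extip {ext}",
        f'        set mappedip "{real}"', "    next", "end",
        "config firewall policy", "    edit 0",
        f'        set srcintf "{wan}"', f'        set dstintf "{lan}"',
        '        set srcaddr "all"', f'        set dstaddr "{vip}"',
        "        set action accept", '        set schedule "always"',
        f'        set service "{service}"', "    next", "end",
    ])

if __name__ == "__main__":
    print(to_fortigate(ET.fromstring(SAMPLE_RULE)))
```

The reverse policy for outgoing access with NAT enabled, mentioned in the reply above, is not generated here and still has to be added if the servers need internet access.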
