In my environment I have two Checkpoint 3000 appliances in a cluster and a Management server as a VM, version R80.10. I want to get rid of the Checkpoint firewalls and replace them with forti100E. Is it possible to migrate completely from Checkpoint to Forti100E with FortiConverter without issues?
What is the best way to make this migration successful? Has anyone done this migration process? Best Regards.
Arnold77 wrote:
Dear brother
Hello everybody,
In my environment I have two Checkpoint 3000 appliances in a cluster and a Management server as a VM, version R80.10. I want to get rid of the Checkpoint firewalls and replace them with forti100E. Is it possible to migrate completely from Checkpoint to Forti100E with FortiConverter without issues?
What is the best way to make this migration successful? Has anyone done this migration process? Best Regards.
I think that there is no way to get help here for a very specific case.
This is just converting network settings from one device to another with different types of hardware.
You can compare the configuration structure of both config files and find a way to convert the old settings to the new ones; this can help you save time.
Yes, FConverter would help. You still need to review the policy, and especially the areas that cover NAT and logging.
So yes, if you do not want to do it manually, use the migration tool, review the number of elements (groups, hosts|network, policy, etc.) and make adjustments as required.
Ken Felix
PCNSE
NSE
StrongSwan
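One way to do the post-conversion review described in the reply above, as an added example that is not part of the original thread or of any Fortinet tool: it counts objects per section in FortiOS-style CLI config text and flags policies whose NAT or logging settings need a manual check. The sample config is constructed, and the `expected` inventory is assumed to be counted by hand on the Check Point side.

```python
from collections import Counter
# Constructed sample of converted FortiOS-style output (not from the thread).
SAMPLE = """\
config firewall address
    edit "hq lan"
        set subnet 10.0.0.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set nat enable
        set logtraffic all
    next
    edit 2
        set logtraffic disable
    next
    edit 3
    next
end
"""

def review(config_text, expected):
    """Count top-level objects per section and flag policies to re-check."""
    counts, findings = Counter(), []
    depth, section, entry, settings = 0, None, None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        word = line.split(None, 1)[0] if line else ""
        if word == "config":
            depth += 1
            if depth == 1:
                section = line[len("config "):]
        elif word == "end":
            depth -= 1
        elif depth != 1:
            continue  # ignore nested sub-tables inside an entry
        elif word == "edit":
            entry, settings = line[5:].strip('"'), {}
            counts[section] += 1
        elif word == "set":
            key, _, value = line[4:].partition(" ")
            settings[key] = value
        elif word == "next" and section == "firewall policy":
            if settings.get("nat") == "enable":
                findings.append((entry, "NAT enabled"))
            log = settings.get("logtraffic")
            if log in (None, "disable"):
                findings.append((entry, f"logtraffic {log or 'not set'}"))
    mismatches = {s: (n, counts[s]) for s, n in expected.items() if counts[s] != n}
    return counts, findings, mismatches
```

Each entry in `mismatches` maps a section to (expected, found), which points at objects the conversion dropped or merged; each finding names a policy ID to compare against the source rule base.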
I'm about to do something similar. If you have completed this already, I'd love any information you have about pitfalls or lessons learned.
My main thoughts currently are:
That's all good and dandy. You do know this thread is light-years old.
So are you mainly concerned with CPSG gateways at the remote sites and VPNs? If the end-devices are CPSG and you want to migrate off the central HQ 3000 to, let's say, a FGTXXXXX, you could build a new vpn-community, apply the gateway address of the FGT and then install that policy to redirect that "spoke" to the new HUB.
And then disable the old policy at the CHKP 3000 and adjust for any routing through the new FortiGate. I worked a project that was just like the above, walking over vpn-spokes one at a time, and it was doable. Afterward we monitored the rule and encryption/decryption details in the eventlogs to ensure that the new tunnel was up, or used vpn tunnelutility. After you figure out the plan and steps, you could easily migrate a few per night or during a maintenance window.
Just my 2cts, and god I hate CHKP
Ken Felix
PCNSE
NSE
StrongSwan