Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
eustas1
New Contributor

Migrate to new firewall - best practices?

Hi all, fairly new solo it guy at my company trying to glean wisdom from the hivemind.

We are moving from our current 100D (6.2.12) to a 100F (will be 7.2.3). I am using the FortiConverter service to make a new configuration for it, so hopefully most of my worries there are taken care of, but of course I'll be checking things myself. My question lies in what is probably super basic, but how can I set up the 100F to be in place with it's new configuration while keeping the 100D in place as the actual firewall until I'm ready to switch? We have one WAN connection and I don't feel comfortable touching any of that demarc equipment.

In order to register the 100F I plugged it in, but it was downstream of the 100D so it was given a dhcp address instead of the default address for configuration. I was able to register it but can't access the web interface even when I'm on the same subnet or plugged into the management port.

My initial idea was to take a little unmanaged switch, plug the WAN cord into it, then plug each firewall into that as well so the WAN is going to both firewalls, but that seems much too simple.

Any ideas, implementations or resources you can point me towards would be extremely helpful. I'm trying to digest as much material as possible, but I've got little experience with networks so far (going for my Network+ sometime soon).

https://19216811.cam/ https://1921681001.id/
1 REPLY 1
gfleming
Staff
Staff

You can definitely stand up the 100F downstream from the 100D. Just create a new dedicated L3 port on the 100D for this purpose and connect the 100F's actual WAN link to it (the same port as the 100D uses today for WAN). To mimic a WAN connection from an ISP. Give it a FW policy on the 100D allowing all traffic out the actual WAN link.

 

Now you should have a parallel environment on the 100F. So be careful not to plug any production stuff into it. But using some lab gear or test devices you can connect to various interfaces and test connectivity out the "WAN". Of course I'm suggesting you do all of this after the converted config is loaded on.

Cheers,
Graham
Labels
Top Kudoed Authors