FortiConverter - Admin Guide

Version 5.6.1
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET COOKBOOK
https://cookbook.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://fortiguard.com/

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

May 3, 2019
FortiConverter 5.6.1 Admin Guide
00-400-000000-20181031
TABLE OF CONTENTS

About FortiConverter 8
Supported versions and conversions 8
General limitations 11
Licensing 12
What's new 14
Installation 15
System requirements 18
Activating the license 19
Enabling remote connections—new application 21
Alcatel-Lucent conversion 22
Alcatel-Lucent differences 22
Conversion support 22
Address and address group configuration 22
Interface configuration 22
Service and Service Group configuration 22
Policy configuration 23
VDOM configuration 24
Example conversion 24
Saving the Alcatel-Lucent source configuration file 25
Alcatel-Lucent conversion wizard 26
Alcatel Start options 26
Alcatel-Lucent Source configuration 28
Device selection 28
Partition & Zone rule selection 28
Alcatel Interface mapping 28
VLAN and Loopback 29
Alcatel Route Information 29
Alcatel-Lucent Conversion result 30
Check Point conversions - new application 31
Check Point differences 31
General 31
Schedule configuration 31
NAT and policy configuration 31
VPN configuration 32
Service objects 32
Saving the Check Point source configuration file 32
Check Point conversion wizard 33
Check Point Start options 34
MDS selection (Provider-1 only) 37
Global policy collection (Provider-1) 37
Check Point Source Configuration (Provider-1) 37
Firewall selection (SmartCenter only) 38
Policy collection 38
Check Point Interface mapping - SmartCenter only 38

FortiConverter Admin Guide Fortinet Technologies Inc.
Check Point Route information - SmartCenter only 39


Check Point Conversion result 39
Check Point NAT merge examples 40
Check Point NAT merge examples with central NAT 45
Cisco conversions—legacy application 47
Cisco differences - legacy application 47
General 47
NAT support 47
Downloading the source configuration files 48
Saving the Cisco source configuration file 48
Cisco conversion wizard 48
Cisco Start options 48
Cisco Start options - More 49
Cisco Source configuration 50
Context selection 50
Cisco Interface mapping 51
VLAN and Loopback 51
Cisco legacy Route information 52
VPN Phase2 52
Cisco Conversion result 52
Cisco conversions—new application 54
Cisco differences - new application 54
General 54
NAT support 54
Saving the Cisco ASA source configuration file 55
Cisco conversion wizard 55
Cisco ASA Start options 55
Context selection 57
Cisco ASA Interface mapping 58
Cisco Routing Information 59
Cisco Conversion result 59
Cisco PIX and ASA NAT merge examples 59
Juniper conversions - new application 72
Juniper ScreenOS or Junos OS differences 72
VLAN logical interfaces 72
Service objects 72
NAT support 73
Saving the Juniper source configuration file 73
Juniper conversion wizard 74
Juniper Start options 74
LSYS (Junos OS) or VSYS (ScreenOS) selection 76
Juniper Interface mapping 76
Juniper Route Information 77
Juniper Conversion result 77
McAfee conversion 79
StoneSoft differences 79
VPNs 79


Firewall clusters 79
Saving the McAfee source configuration file 79
McAfee conversion wizard 80
McAfee Start options 80
McAfee Source Configuration 80
VSYS selection 81
McAfee Interface mapping 81
McAfee Route Information 82
McAfee Conversion result 82
Palo Alto Networks conversion - new application 84
Conversion support 84
Saving the PAN source configuration files 84
Palo Alto conversion wizard 87
Palo Alto Start options 88
PAN Source Configuration 89
Palo Alto Interface mapping 89
Palo Alto Route Information 90
Palo Alto Conversion result 90
Snort conversion - new application 91
Snort conversion wizard 91
Basic outline of a snort rule 91
Snort Start options 95
Source Preview 95
Snort Conversion result 96
SonicWall conversion - new application 97
SonicWall differences 97
Special characters 97
Address book configuration 97
Service book configuration 98
Schedule configuration 98
Local User and User Group 98
Route configuration 98
Saving the SonicWall source configuration file 98
SonicWall conversion wizard 99
SonicWall Start options 99
SonicWall Source Configuration 100
SonicWall Interface mapping 101
SonicWall Route Information 101
SonicWall Conversion result 102
Sophos conversion - new application 103
Sophos Networks differences 103
Conversion support 103
Saving the Sophos source configuration files 103
Sophos conversion wizard 103


Sophos Start options 104


Source preview 104
Sophos Interface mapping 105
Sophos Route Information 105
Sophos conversion result 106
Tipping Point conversion 107
Tipping Point differences 107
Interface and schedule conversion 107
Action Set 107
Ignored fields 107
Saving the Tipping Point source configuration file 107
Tipping Point conversion wizard 108
Tipping Point Start options 108
Tipping Point Source Configuration 109
VSYS selection 109
Tipping Point Interface mapping 110
Tipping Point Route Information 110
Tipping Point Conversion result 111
Vyatta Networks conversion - new application 112
Vyatta Networks (VyOS) differences 112
Conversion support 112
Configuration notes 112
Saving the Vyatta source configuration files 112
Vyatta conversion wizard 113
Vyatta Start options 113
Source preview 114
Vyatta interface mapping 114
Vyatta route information 115
Vyatta conversion result 115
FortiGate configuration migration - new application 116
Configuration notes 116
Fortinet conversion wizard 116
Fortinet Start options 116
Config information 117
Fortinet interface mapping 117
Fortinet conversion result 118
Tuning the output 119
Legacy application tuning 119
Toolbar options 119
Policy Tuning tab 120
Conversion log tab 123
New application tuning 124
Manage your objects 124
Copy an object to another VDOM 126
Copy an object's CLI configuration 127
Output an unreferenced object 127


Rename an object 128


REST API Import 130
Add device information 130
Start Installation 131
View Import Result 132
Import Individual objects 133
Viewing the results of your automatic conversion 134
Legacy application 134
New application 135
Error messages 136
Undefined objects 136
Interface 136
Zone 136
Service 136
Service group 137
User 137
VIP 137
VPN phase1 137
VPN phase2 138
Policy 138
Snmp sysinfo 138
Other warnings 138
Importing your new configuration into FortiGate 140
Importing your new configuration into FortiManager 143
Working with object output in indexed files 149
Troubleshooting 151
Licensing Issues 151
Accessing conversion logs 151
Log location 151
Example logs 152
Troubleshooting application crashes 153
Reviewing errors in a restorable FortiGate configuration 154
Appendix 155
Adjusting table sizes 155
Table size settings file 156
Viewing maximum table sizes for your target device 156
NAT merge options 156
New application features 157

About FortiConverter

This content explains how to install and use FortiConverter.


FortiConverter helps you migrate your network to Fortinet network security solutions, significantly reducing
workload and minimizing errors. FortiConverter translates configuration files from other vendors’ firewall
products into a valid FortiGate or FortiManager configuration file. Because the output uses command line
syntax, it can either be uploaded as a configuration file or piped to the CLI.
For additional assistance, contact [email protected].

Supported versions and conversions

FortiConverter can translate configurations from the following vendors and models.
• In some cases, FortiConverter can't translate some parts of the configuration because of dependencies or unsupported syntax, and you must convert them manually.
• If the number of objects exceeds the maximum valid length for FortiGate or FortiManager, FortiConverter trims them.
• FortiConverter comes with two different applications, each capable of a different set of conversions. The Converter Application column shows which FortiConverter application to use for each conversion.
Unless noted as an exception below, conversions only support IPv4 unicast policy.

Vendor and model | Converter Application | Versions
    Convertible objects

Alcatel-Lucent Brick | Legacy Application | ALSMS v9.x
    Addresses & Address Books; Interfaces (physical, logical, loopback, PPPoE); Partitions; Services & Service Books; Static routes; Zone rule set

Check Point SmartCenter | New Application | NG FP1 (4.0) to NGX R80
Check Point Provider-1 | New Application | NGX R65 to R80
    Addresses & Address Groups; Interfaces; Local Users & Groups; NAT; Negate Cell; Policies (rulebases.fws); RADIUS, TACACS+ & LDAP; Rules; Schedules; Services & Service Groups; Static routes; VPN (IPSec)

Cisco PIX | New Application | 5.x/6.x/7.x/8.x
Cisco ASA | New Application | 7.x/8.x/9.x
Cisco FWSM | New Application | 3.x/4.x
    ACLs; Addresses & Address Groups; DHCP Servers; DNS Servers; Interfaces; IP Pools; Local Users & Groups; NAT; RADIUS, TACACS+ & LDAP; Services & Service Groups; Static Routes; Time

Cisco IOS | Legacy Application | 10.x to 12.x, 15.x
Cisco IOS XR | Legacy Application | 4.x, 5.x, 6.x
Cisco Nexus | Legacy Application | 5.2, 6.x, 7.x
    Addresses & Address Groups; FQDNs; Interfaces; IP Ranges; Pools; Policies; Services & Service Groups; Static Routes

FortiGate FortiOS | New Application | FOS v5.2 and above
    FortiOS CLI. FortiGate configurations can be converted to the newer required FOS version; note that older features might be deprecated and not fully converted, and that after loading the converted configuration, any CLI commands that were not successfully restored can be reviewed with the command "diag debug config-error-log read".

Juniper SSG/ISG | New Application | ScreenOS 4.x, 5.x, 6.x
    Addresses & Address Groups & FQDNs; DHCP Servers & Clients & Relays; Interfaces; Static Routes; Services & Service Groups; Policies; VIPs/MIPs; NAT; IP Pools; VPN; Local Users & Groups; RADIUS & LDAP; Zones

Juniper SRX | New Application | Junos OS 10.x to 18.x
    Addresses & Address Groups & FQDNs; DHCP Servers & Client & Relay; Interfaces; IP Pools; Local Users & Groups; NAT; Policies; RADIUS & LDAP; Services & Service Groups; Static Routes; VIPs/MIPs; VPN; Zones

Juniper MX | New Application | Junos OS 10.x to 12.x
    Addresses & Address Groups & FQDNs; Interfaces; IP Pools; Policies; Services & Service Groups; Static Routes

McAfee Sidewinder | Legacy Application | 7.x, 8.x
    Addresses & Address Groups & FQDNs; Interfaces; IP Pools; Policies; Services & Service Groups; Static Routes

McAfee Stonesoft | Legacy Application | 5.7
    Addresses & Address Groups; Interfaces; Policies; Services & Service Groups; Static Routes

Palo Alto Networks PA | New Application | PAN-OS 1.x to 8.x
    Addresses & Address Groups & FQDNs; Interfaces; Local Users & Groups; NAT; Policies; Schedules; Static Routes; Services & Service Groups; Zones

SonicWall TZ Series, NSA Series | New Application | SonicOS 4.x, 5.x, 6.x
    Addresses & Address Groups & (Wildcard) FQDNs; DHCP Servers & Clients & Relays; Interfaces; Local Users & Groups; NAT; Policies; Schedules; Services & Service Groups; Static Routes; Zones; VPN (IPSec site to site)

Sophos XG Series | New Application | SFOS 17.0
Sophos Cyberoam | New Application | Cyberoam OS 10.6
    Interface; Zone; Address; Address group; Service; Service group; User; User group; Policy

Tipping Point IPS | Legacy Application | 4.5
    Addresses & Address Groups; Policies; Services & Service Groups

Vyatta VyOS | New Application | 5.2 to 6.7
    Interface; Zone; Address group; Service group; Policy; Route

Exceptions

• Check Point to FGT conversion can support IPv4 multicast policy.
• Check Point, Cisco, and Juniper (Junos only) to FGT conversion can support IPv6 unicast policy.

General limitations

FortiConverter is a migration tool, not a migration service. It’s designed to be used as part of a properly planned
migration process.

Supported FortiOS conversions

FortiConverter supports conversions from other vendors to FortiOS 5.6 and 6.0 only.

Creating final configurations

While FortiConverter significantly shortens the conversion process, a final, useable configuration requires you
to review and audit the FortiConverter output conversion. The FortiConverter tuning capability can help with the
review and audit process.
While you can use the FortiConverter tuning capability to review and fix errors in the conversion, it isn't
designed to perform significant reconfiguration.

Incomplete routing information

In some cases, not all routing information that FortiConverter requires to make a decision about a policy
interface is available. In these cases, it uses the any interface.

Double NAT

For Check Point conversions, the FortiConverter conversion engine uses a manual rule to convert
configurations that apply source NAT and destination NAT to the same policy (called double NAT).
For all other conversions, FortiConverter NAT merge doesn't support double NAT. Instead, FortiConverter
applies source NAT in the conversion and you complete the configuration by using the tuning page to manually
apply destination NAT.

IPsec support

FortiConverter converts IPsec configurations to route-based or policy-based IPsec, whichever the source configuration is closest to. You can enable route-based IPsec for Cisco ASA, PIX, FWSM, Juniper, and Check Point conversions.

Licensing

The trial version of FortiConverter allows you to complete a conversion and view the results in the Tuning page. CLI output is disabled in the trial version and is only available in the fully licensed version.

When you purchase a license, FortiConverter is unlocked and full functionality is enabled for all supported
vendors. Your paid license entitles you to any new versions of FortiConverter that Fortinet releases until the
license expires, as well as direct engineering support.

FortiConverter 5.6.1 features a new browser/server based application in addition to the legacy application. Both
the new application and legacy application use the same license key and should be installed on the same host.

FortiConverter requires an Internet connection to verify its license. You can use the software for up to 30 days
without validating the license online, and you can configure FortiConverter to contact the licensing server via a
web proxy.

For more information, see Activating the license on page 19.

What's new

The following list contains new features and enhancements in FortiConverter 5.6.1.

FortiConverter 5.6.1

• Migrated SonicWall and Palo Alto conversions to the new application.
• Added support for pushing converted configurations directly to a FortiGate through its REST API (available only for third-party vendor conversions).

Installation

Download the FortiConverter installer from the Fortinet Technical Support website:
https://support.fortinet.com

To install the legacy FortiConverter application

1. Double-click the FortiConverter installer (.exe).
   If Microsoft .NET Framework 4.0 or above isn't installed, you are prompted to install it.
   • To proceed with the installation, click Yes and then download the software framework from Microsoft's web site.
2. To continue the installation, read the license agreement, select I accept the terms of the License Agreement, and then click Next.
   • To install the program in a location other than the default, click Browse and navigate to the directory you want.
3. Click Next.
4. Click Install.
5. Click Finish to complete and exit the FortiConverter installer.

To install the new FortiConverter application

1. Double-click the FortiConverter installer (.py.exe).
2. Click Next.
3. Read the license agreement, select I accept the terms of the License Agreement, then click Next. To install the program in a location other than the default, click Browse and navigate to the directory you want.
4. Click Install.
5. Click Finish to complete and exit the FortiConverter installer.

To completely remove the new FortiConverter application and data

Uninstalling the new FortiConverter application from Windows only removes the application itself, it does not
remove the conversion data or database. If you re-install the application later, the data can still be accessed.

To remove all conversion data

1. Stop the FortiConverter application.


2. Restart your local PostgreSQL database service.
a. Open your Services desktop application.
b. Right-click the service name postgres-django, and select Restart.

3. Install the latest version of pgAdmin 4, which can be downloaded at https://www.pgadmin.org/.
4. Using pgAdmin 4, create a server record.
   • Go to Object > Create > Server.
5. Set both the username and password to "postgres".
   Because the bundled database accepts these default credentials, make sure its listening port is reachable only from the FortiConverter host itself and not from other machines on the network.

6. Open the newly created server record, right-click the database "djangodb", and select Delete/Drop.
7. Click OK.
8. If you receive the error message "there is 1 other session xxx", terminate all other existing external connections, except for the connection from pgAdmin 4.
   a. Make sure FortiConverter has been stopped.
   b. Click the "djangodb" database.
   c. Go to Tools > Query Tool, then enter the following SQL script.
      SELECT pg_terminate_backend(pid)
      FROM pg_stat_activity
      WHERE pid <> pg_backend_pid()   -- don't kill my own connection!
        AND datname = 'djangodb';     -- don't kill the connections to other databases
   d. Click Execute.

9. Restart the pgAdmin 4 tool, and drop "djangodb" again, if available.


10. Re-create a database with the name "djangodb" by going to Object > Create > Database .
11. Click Save.

12. Delete all existing conversion folders to avoid a name conflict. Conversions are, by default, stored at C:\Users\<UserName>\AppData\Roaming\Fortinet\FortiConverter\conversions.
13. Uninstall the program.
14. Delete all remaining files and folders in the FortiConverter folder, located at C:\Program Files\Fortinet\FortiConverter.

System requirements

FortiConverter requires one of the following operating systems:

• Microsoft Windows 10 (64-bit)
• Microsoft Windows 8 (64-bit)
• Microsoft Windows 7 (64-bit)
• Microsoft Windows Server 2016 (64-bit)
• Microsoft Windows Server 2012 (64-bit)

Also, FortiConverter requires .NET Framework 4.0 or above. If it isn't already installed on your computer, the FortiConverter installer prompts you to download and install it.
A web browser is required.
An Internet connection is required to periodically verify the software license.
For any questions not covered in this content, contact FortiConverter customer support at fconvert_[email protected].

Activating the license

By default, FortiConverter is installed with a limited trial license. If you have purchased a full license, download
it to unlock the complete feature set.
To purchase a license, use your usual Fortinet sales channel. For other licensing issues, see Licensing for more
information.

If you have already activated a license for the legacy FortiConverter application on
your device, the new application automatically uses that license when it’s installed.

To activate the license

Legacy application

1. Double-click the FortiConverter shortcut.


2. Click About FortiConverter.
3. On the License tab, copy the Hardware ID value to the clipboard.
4. Ensure you have purchased a license, then sign in to the Fortinet Technical Support web site:
https://support.fortinet.com/
Registration uses a simple, four-step wizard that is commonly used for many Fortinet products.
5. On the first page of the wizard, enter the registration code you received when you purchased your
FortiConverter product.

6. Enter the Hardware ID you copied earlier, an optional description, and choose your Fortinet partner from
the list.

7. After you agree to the license terms, the final page of the wizard allows you to download the license file
(.lic file).

8. In FortiConverter, from the License tab, click Select, then navigate to and select the .lic file.
9. Click Activate.
FortiConverter validates the license file and changes your Activation Status from Trial to Activate. Your license is valid for all FortiConverter software updates released until the date specified by License Expiry Date. After the license is activated, the expiry information is shown under the License tab.

New application

1. Double-click the FortiConverter shortcut.


2. Click License.
3. Click the icon next to License File.
4. Select the license file, then click Open.

License validation via web proxy (legacy application only)

You can configure FortiConverter to use an explicit (non-transparent) web proxy server to connect to Fortinet
online licensing servers.
FortiConverter connects to the proxy using the HTTP CONNECT method, as described in RFC 2616.
1. Click About FortiConverter.
2. On the Proxy tab, select Enable Proxy and then specify the IP address and the port of the web proxy to
use.
3. Click Apply.

Enabling remote connections—new application

The new FortiConverter is designed as a web application. The application (FortiConverter.py) should be run with Administrator privileges because it reads and writes data in high-privilege directories. For that reason, the default configuration only accepts connections from users on the localhost.

To enable remote access to the web application

1. Run notepad as an administrator and open the start.bat file located in the directory C:\Program Files\Fortinet\FortiConverter\.
2. Append the string 0.0.0.0:<port_num> after the keyword runserver. The port number used by default is 8000.
   For example:
   call "%install_dir%\Python36\python.exe" manage.py runserver 0.0.0.0:8000 --insecure
3. Run notepad.exe as an administrator and open C:\Program Files\Fortinet\FortiConverter\converter\backend\mysite\mysite\settings.py
4. Add the wildcard '*' (match ANY) to ALLOWED_HOSTS.
   For example:
   ALLOWED_HOSTS = [
       'localhost','127.0.0.1','*',
   ]

Opening the application this way exposes a process that runs as Administrator and holds your firewall configurations to every host that can reach the port. Where possible, bind runserver to the address of the management interface instead of 0.0.0.0, restrict the port with the host firewall to the administrator workstations that need it, and list the hostnames those workstations actually use in ALLOWED_HOSTS rather than '*', which disables Django's Host header validation. The --insecure option only makes Django's development server serve static files; it adds no authentication.
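A check for the two settings the procedure above changes, written as an added example for this guide (it is not FortiConverter's or Django's own code). It parses the runserver line from start.bat and the ALLOWED_HOSTS list from settings.py and reports a listen-on-all-interfaces bind, the --insecure flag, and wildcard host entries. The file contents, the address 10.0.0.5 and the hostname fconv.corp.example are constructed for the example.

```python
import ast
import re

# Constructed samples that mirror the guide's instructions; they are not
# copied from a real FortiConverter installation.
WEAK_START_BAT = (
    'call "%install_dir%\\Python36\\python.exe" manage.py runserver 0.0.0.0:8000 --insecure\n'
)
WEAK_SETTINGS_PY = "DEBUG = False\nALLOWED_HOSTS = [\n    'localhost','127.0.0.1','*',\n]\n"

# Hardened variants (hypothetical address and hostname).
HARDENED_START_BAT = (
    'call "%install_dir%\\Python36\\python.exe" manage.py runserver 10.0.0.5:8000\n'
)
HARDENED_SETTINGS_PY = (
    "DEBUG = False\nALLOWED_HOSTS = ['localhost', '127.0.0.1', 'fconv.corp.example']\n"
)

# Bind addresses that make the server reachable on every interface.
WILDCARD_BINDS = {"0.0.0.0", "::", "[::]"}


def audit_runserver(start_bat):
    """Flag a bind address that listens on every interface and the --insecure flag."""
    findings = []
    m = re.search(r"runserver\s+(?:(\S+):)?(\d+)([^\r\n]*)", start_bat)
    if not m:
        return ["no runserver line found in start.bat"]
    host, port, options = m.group(1), m.group(2), m.group(3)
    if host in WILDCARD_BINDS:
        findings.append(
            f"runserver binds {host}:{port}: reachable from every network the host is on"
        )
    if "--insecure" in options.split():
        findings.append(
            "runserver --insecure serves static files from the development server; "
            "it adds no authentication"
        )
    return findings


def audit_allowed_hosts(settings_py):
    """Flag '*' and leading-dot wildcards in ALLOWED_HOSTS (Django's matching rules)."""
    m = re.search(r"ALLOWED_HOSTS\s*=\s*(\[.*?\])", settings_py, re.S)
    if not m:
        return ["ALLOWED_HOSTS not found in settings.py"]
    hosts = ast.literal_eval(m.group(1))  # safe: only literals are evaluated
    findings = []
    for h in hosts:
        if h == "*":
            findings.append("ALLOWED_HOSTS contains '*': Host header validation is disabled")
        elif h.startswith("."):
            findings.append(f"ALLOWED_HOSTS entry {h!r} matches every subdomain")
    return findings


def audit(start_bat, settings_py):
    """Combined findings for one installation's start.bat and settings.py contents."""
    return audit_runserver(start_bat) + audit_allowed_hosts(settings_py)


if __name__ == "__main__":
    for line in audit(WEAK_START_BAT, WEAK_SETTINGS_PY):
        print("FINDING:", line)
    print("hardened config findings:", audit(HARDENED_START_BAT, HARDENED_SETTINGS_PY))
```

Run it against the real files by reading them into the two arguments of audit(); an empty list means the bind address, the runserver options and the host list all pass the three checks.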

Alcatel-Lucent conversion

Alcatel-Lucent differences

Conversion support

FortiConverter supports the conversion of the following Alcatel-Lucent Brick features:
• Interfaces
• Host Groups
• Service Groups
• Zone Brick Rulesets
Fortinet plans to support the following Lucent features in a future FortiConverter release:
• NAT
• Schedule
• VPN
• Hosts Behind Zone

Address and address group configuration

• Lucent host addresses are mapped to FortiGate addresses.
• Lucent host groups are mapped to FortiGate address groups.
• Virtual Brick Addresses (VBA) aren't supported.

Interface configuration

• FortiConverter assigns default VLAN configuration directly to physical interfaces.
• FortiConverter considers all VLANs named "*" or "Port Default" to be the default VLAN configuration.
• Domain Addresses aren't supported.

Service and Service Group configuration

• Lucent Service Groups are mapped to FortiGate Service Groups.
• Lucent service "*" maps to FortiGate service "any".

Policy configuration

Lucent Brick Zone Rulesets operate at the zone level, which has no direct equivalent in FortiGate. Zone
rulesets need to be translated into equivalent FortiGate policies.

FortiConverter translates Lucent Brick rules by separating traffic into two categories: inter-partition and intra-partition.
• Inter-partition traffic behaves like inter-VDOM traffic, and is simple to convert to FortiGate policies.
• Intra-partition traffic is more complicated to convert because multiple zone rules can be applied.
FortiConverter handles the inter-partition traffic by creating a general policy for each rule.
FortiConverter handles the intra-partition traffic by looking for all matches between two zone rulesets. FortiConverter looks at 3 fields: source, destination, and service. All 3 fields must overlap for the rules to match. FortiConverter creates a policy for each match using the intersection of each field.

The action of the rules determines the action of the converted policy, as shown in the following table:

Rule 1   Rule 2   Policy
Pass     Pass     Accept
Pass     Drop     Deny
Drop     Pass     Deny
Drop     Drop     Deny

Inter-partition Deny policies have higher priority than intra-partition policies, while inter-partition Accept policies
have lower priority than intra-partition policies.
Lucent default ruleset “firewall” is currently unsupported.

VDOM configuration

• Lucent partitions map to FortiGate VDOMs.
• VDOM names are limited to 11 characters. FortiConverter truncates longer names to 11 characters.
• Lucent partition "*Default" maps to the FortiGate root VDOM.

Example conversion

The following tables (the original also includes a block diagram) illustrate a Lucent configuration with 2 partitions and 3 zones.

Zone eth0 Ruleset

Rule Num   Direction   Source           Destination                  Service   Action
1000       Out         192.168.1.15     172.30.10.1/24               *         Drop
1001       Both        192.168.1.0/24   172.30.10.1/24               *         Pass

Zone eth1 Ruleset

Rule Num   Direction   Source           Destination                  Service   Action
1000       In          *                172.30.10.5 - 172.30.10.20   TCP       Pass
1001       Both        192.168.1.132    172.30.10.9                  *         Pass

Zone eth2 Ruleset

Rule Num   Direction   Source   Destination     Service   Action
1000       Both        *        10.10.15.0/24   HTTP      Pass

This Lucent configuration creates the following FortiGate configuration. The original document shows the inter-partition rules in bold; they are the policies with any as the source or destination interface, while the eth0/eth1 policies are the intra-partition merges.

VDOM lab-hosts Policies

Policy Num   Src Interface   Dst Interface   Source           Destination                  Service   Action
10000        eth0            any             192.168.1.15     172.30.10.1/24               *         Deny
10001        eth0            eth1            192.168.1.0/24   172.30.10.5 - 172.30.10.20   TCP       Accept
10002        eth0            eth1            192.168.1.132    172.30.10.9                  *         Accept
10003        eth0            any             192.168.1.0/24   172.30.10.1/24               *         Accept
10004        any             eth0            192.168.1.0/24   172.30.10.1/24               *         Accept
10005        eth1            eth0            192.168.1.132    172.30.10.9                  *         Accept
10006        eth1            any             192.168.1.132    172.30.10.9                  *         Accept
10007        any             eth1            192.168.1.132    172.30.10.9                  *         Accept

VDOM office-hosts Policies

Policy Num   Src Interface   Dst Interface   Source          Destination     Service   Action
10000        any             eth2            any             10.10.15.0/24   HTTP      Accept
10001        eth2            any             10.10.15.0/24   any             TCP       Accept
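The intra-partition matching step described in Policy configuration, implemented as an added example for this guide (it is not FortiConverter's code). It takes the eth0 and eth1 rulesets from the tables above, intersects source, destination and service for every pair of rules, and applies the Pass/Drop action table. The service book (TCP, HTTP, DNS as protocol/port ranges) is constructed for the example, rule direction and the inter-versus-intra priority ordering are not modelled, and address ranges are handled with the standard ipaddress module.

```python
import ipaddress
from itertools import product

ANY = "*"  # the Lucent wildcard for an address or service

# Constructed service book for the example; FortiConverter reads the real
# one from the Lucent source configuration.
SERVICE_BOOK = {
    "TCP": ("tcp", 1, 65535),
    "HTTP": ("tcp", 80, 80),
    "DNS": ("udp", 53, 53),
}


def parse_address(text):
    """'*' -> ANY; 'a - b' -> inclusive integer range; host or CIDR -> range."""
    text = text.strip()
    if text == ANY:
        return ANY
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return (int(lo), int(hi))
    net = ipaddress.ip_network(text, strict=False)  # 172.30.10.1/24 -> 172.30.10.0/24
    return (int(net.network_address), int(net.broadcast_address))


def parse_service(name):
    return ANY if name == ANY else SERVICE_BOOK[name]


def intersect_addresses(a, b):
    """Overlap of two address ranges; None means the rules can never both match."""
    if a == ANY:
        return b
    if b == ANY:
        return a
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def intersect_services(a, b):
    """Overlap of two (protocol, low port, high port) services, or None."""
    if a == ANY:
        return b
    if b == ANY:
        return a
    if a[0] != b[0]:
        return None
    lo, hi = max(a[1], b[1]), min(a[2], b[2])
    return (a[0], lo, hi) if lo <= hi else None


def fmt_address(rng):
    """Render a range as a host, a CIDR when it is one, or 'lo - hi'."""
    if rng == ANY:
        return "any"
    lo, hi = (ipaddress.ip_address(x) for x in rng)
    nets = list(ipaddress.summarize_address_range(lo, hi))
    if len(nets) == 1:
        return str(nets[0].network_address) if nets[0].prefixlen == 32 else str(nets[0])
    return f"{lo} - {hi}"


def fmt_service(svc):
    return "any" if svc == ANY else f"{svc[0]}/{svc[1]}-{svc[2]}"


def merge_zone_rulesets(zone_a, rules_a, zone_b, rules_b):
    """One policy per pair of rules whose source, destination and service all
    overlap; the action is Accept only when both rules are Pass."""
    policies = []
    for ra, rb in product(rules_a, rules_b):
        src = intersect_addresses(parse_address(ra["src"]), parse_address(rb["src"]))
        dst = intersect_addresses(parse_address(ra["dst"]), parse_address(rb["dst"]))
        svc = intersect_services(parse_service(ra["svc"]), parse_service(rb["svc"]))
        if src is None or dst is None or svc is None:
            continue  # at least one field does not overlap: no match
        both_pass = ra["action"] == "Pass" and rb["action"] == "Pass"
        policies.append({
            "srcintf": zone_a, "dstintf": zone_b,
            "src": fmt_address(src), "dst": fmt_address(dst),
            "service": fmt_service(svc),
            "action": "Accept" if both_pass else "Deny",
            "comment": f"{zone_a} rule {ra['num']} x {zone_b} rule {rb['num']}",
        })
    return policies


# The eth0 and eth1 zone rulesets from the guide's example conversion.
ETH0_RULES = [
    {"num": 1000, "src": "192.168.1.15", "dst": "172.30.10.1/24", "svc": "*", "action": "Drop"},
    {"num": 1001, "src": "192.168.1.0/24", "dst": "172.30.10.1/24", "svc": "*", "action": "Pass"},
]
ETH1_RULES = [
    {"num": 1000, "src": "*", "dst": "172.30.10.5 - 172.30.10.20", "svc": "TCP", "action": "Pass"},
    {"num": 1001, "src": "192.168.1.132", "dst": "172.30.10.9", "svc": "*", "action": "Pass"},
]

if __name__ == "__main__":
    for policy in merge_zone_rulesets("eth0", ETH0_RULES, "eth1", ETH1_RULES):
        print(policy)
```

The two Accept policies it produces for eth0 rule 1001 against eth1 rules 1000 and 1001 are the intra-partition policies 10001 and 10002 in the lab-hosts table; it also emits a Deny for eth0 rule 1000 against eth1 rule 1000, which the guide's output covers instead with the higher-priority inter-partition Deny policy 10000.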

Saving the Alcatel-Lucent source configuration file

Before starting the conversion wizard, save a copy of your Alcatel-Lucent configuration file to the computer
where FortiConverter is installed.
FortiConverter provides a Perl script for downloading Alcatel-Lucent Brick configurations.

To access the Alcatel-Lucent configuration download script

1. On the FortiConverter home page, click the Alcatel-Lucent button.
2. On the Start options page, click Next.
   If you are using the wizard to retrieve the download script only, use the default settings for this page. You can restart the wizard later after you have the file and are ready to perform the conversion with the appropriate settings.
3. On the Source Configuration Selection page, click How to get configuration.

The Windows folder that contains the Perl script and the documentation for using it are displayed. Follow the
instructions to run the Perl script and output the source configuration as a set of directories.

Alcatel-Lucent conversion wizard

The administrator password is not set on the new configuration. Set one before the converted configuration is loaded on a device that is reachable from the network.

For third-party conversions, the trusted host settings are converted. Check the trusted host settings to ensure they allow management access from the relevant network interfaces.

Alcatel Start options

This table lists the start settings.

FortiConverter Admin Guide Fortinet Technologies Inc.


Alcatel-Lucent conversion 27

Setting Description

Model LucentBrick is the only supported model.

Output Format FortiGate is the only supported output format.

Output OS Version FortiOS 5.6 and 6.0 have different configuration


syntaxes. Select the version that corresponds to
the FortiOS version on the target.

Discard unreferenced firewall objects Specifies whether addresses, schedules, and


services that aren't referenced by a policy are
saved and added to the output.
This option can be useful if your target device has
table size limitations.
You can view the unreferenced objects that
FortiConverter removed on the Conversion Result
page.

Enable host behind zone attribute Specifies whether FortiConverter restricts the
destination or source IP addresses in the firewall
policy it generates to ones specified by the "host
behind zone" settings in the source configuration.
When this option is disabled, FortiConverter
ignores the "host behind zone" settings and it uses
the destination or source IP address specified by
the source rule in the output policy.

Convert Administrative Zone zone ruleset Specifies whether FortiConverter includes the
default “administrativezone” ruleset in the output
configuration.
Because the “administrativezone” ruleset is
designed for device management, in most cases, it
isn't required in the output configuration.

Include input configuration lines for each output Specifies whether FortiConverter includes the input
policy configuration lines used for each FortiGate policyin
the FortiGate configuration as a policy comment.

Enable intra-partition zone rule set merge Specifies whether FortiConverter creates FortiGate
policies for traffic within a partition that the source
configuration applies multiple zone rulesets to.
For more information on how FortiConverter
converts intra-partition zone rulesets to a FortiGate
policy, see Alcatel-Lucent conversion on page 22.

Adjust table sizes    You can customize the maximum table sizes that FortiConverter uses when Adjust table sizes is selected. For more information, see Adjusting table sizes on page 155.

Output Directory    Select the folder where the output configuration is saved.


Alcatel-Lucent Source configuration

Ensure the configuration is in a text format. FortiConverter can't use binary files. See Saving the Alcatel-Lucent
source configuration file on page 25.

Setting Description

Source Configuration Folder Select the input folder.

Device selection

Setting Description

(firewall name) Select the firewalls to convert.

Partition & Zone rule selection

Setting Description
Select all partitions    Select to include all partitions in the conversion; clear to de-select all partitions.

Partition selection Use the check box to select a partition to include in the conversion.
Click the pair of arrows on the right to open or close the detailed
partition view, which shows the individual zone rules within a
partition.

Zone rule selection Use the check box to select a zone rule to include in the conversion.

Alcatel Interface mapping

You can manually map the interface.


To select the appropriate FortiGate interface, click the value in the FortiGate Interface column, and then select
a value or enter a custom interface name.
To edit other values in the Interface Mapping dialog box, including changing the interface from physical to
aggregate or unspecified, double-click a column other than FortiGate Interface.
The Interface Mapping dialog box allows you to select the following interface types:
- aggregate – Select up to four aggregate interface members. If you need to add additional members, edit the set members interface setting in the output configuration or use the FortiOS web UI to add interfaces after you import the configuration.
- unspecified – FortiConverter uses the interface name in the conversion, but ignores the type and other attributes, which provides a name-to-name mapping without interface configuration. For example, you can create resources such as VLANs, LAGs, and inter-VDOM links on the target FortiGate device before you import the conversion, and then reference those interfaces in the physical interface mapping.
You can also use the Tuning page to create mappings, such as physical to VLAN, after the conversion is
complete.
To delete an interface, select the entry and click Delete. This is useful if your target FortiGate has fewer
interfaces than the source configuration.

Setting Description

FortiGate Interface    Click to assign a FortiGate port for each interface.

(table column)    Enter a port name or custom text.

Import from file Click to load a set of interface mappings from a text file.

Export current mappings Saves the current set of interface mappings to a text file.

Add Click to add a mapping item.

Edit Click to edit additional properties for the selected mapping item.

Delete Click to delete the selected mapping item.

VLAN and Loopback

This page displays the logical interfaces that FortiConverter detects in the source configuration and the
changes it makes to the associated physical interface and its naming.
You can't use this page to modify the logical interface settings.
If required, you can use the Tuning page to modify logical interfaces and zones. See Tuning the output on page 119.

Alcatel Route Information

FortiConverter creates static routes in the output using the static routes it detects in the source configuration
and any routing information you provide.
Double-click an item to edit it.

Setting Description

Add Click to add a route.

Edit Click to edit the selected route.

Delete Click to delete the selected route.


Alcatel-Lucent Conversion result

Tab Description

Conversion Summary Provides statistics about the conversion.

Policies Detected & Policies Created Allows you to view and compare the number of objects
that FortiConverter detected in the source configuration
and the ones it created for the output configuration.

Messages & Warnings Allows you to review any objects that FortiConverter did
not include in the conversion.
If you enabled Discard unreferenced firewall
objects on the Start Page, this tab displays the objects
that FortiConverter removed.

Some columns can be selected, sorted, and filtered.

Setting Description
Export Generates an HTML page of the conversion result.

Go to Output    Opens the output folder.

Go to Tuning Opens the tuning page. See Tuning the output on page 119.

Go to Report    Opens a detailed conversion report that includes a list of converted objects and policies and displays lines from the source configuration that FortiConverter did not convert.

For more information, see Viewing the results of your automatic conversion on page 134.

FortiConverter includes error and warning messages in the conversion output when an error occurs.
Review the config-all.txt file after each conversion for errors. If they are not corrected, these errors and warning messages might cause the import process to fail. See for more details.


Check Point conversions - new application

The conversions in this section use the new FortiConverter application.


For more information on new features available with the new application, see New application features on page 157.

Check Point differences

General

- The FortiGate set allowaccess command for interfaces doesn't exist on Check Point. Because FortiGate requires this setting, FortiConverter enables all services for interfaces by default.
- The interface Lead to Internet is a default static route on FortiGate.
- FortiConverter supports Traditional Mode and Simplified Mode IPSec.

Schedule configuration

FortiConverter converts "Day in month" time schedules to FortiGate one-time schedules. It converts "Day in
week" and "None" schedules to recurring schedules.
You assign a year range for the "Day in month" schedule. If the specified day doesn't exist for a certain month,
FortiConverter doesn't generate the one-time schedule for that month.

NAT and policy configuration

FortiConverter supports the conversion of the following NAT types:
- Hide NAT
- Static NAT
- Manual NAT
FortiConverter doesn't convert NAT global properties.


VPN configuration

Check Point doesn't configure VPN within a firewall rule. When FortiConverter converts the configuration to
FortiGate, it generates several VPN policies from non-"Lead to Internet" interfaces to the "Lead to Internet"
(default route) interface.

After FortiConverter converts the VPN configuration, the VPN policy destination interface refers to the "Lead to Internet" interface. If you changed the default route egress interface, you may need to update the VPN/Policy configuration manually.

FortiConverter can support VPN IPSec policies configured in both Traditional Mode and Simplified Mode.
However, FortiConverter can only convert one mode at a time. If encrypted rules are detected, FortiConverter
defaults to Traditional Mode conversion.

To convert Traditional Mode policies to Simplified Mode policies, use the Check Point Security Policy Converter
Wizard. This can be found by clicking Policy > Convert to > Simplified VPN from the Check Point
SmartDashboard.

FortiConverter can detect and convert meshed and star VPN topologies in Simplified form.

Service objects

Unlike FortiGate service objects, Check Point service objects have a protocol type attribute. FortiGate uses a
session helper object to provide the same functionality as the service objects with a protocol type attribute.

Saving the Check Point source configuration file

Before starting the conversion wizard, save a copy of your Check Point configuration file to the computer where
FortiConverter is installed.

To acquire the configuration, download the following files. In most cases, you download the object and policy
definitions from the management system:
- Object definitions—'objects_5_0.C' (Check Point NG/NGX) or 'objects.C' (Check Point 4.x) contains the firewall's object definitions. To convert from Provider-1, 'mcss.C' contains the MDS hierarchy files.
- Policy and rule definitions—'*.W' or 'rulebases_5_0.fws'. The file name is <rule>.W (default Standard.W) or rulebases_5_0.fws. They are located in the directory "[SmartCenter] : $FWDIR/conf".
- Route information (optional)—Helps FortiConverter to correctly interpret the network topology being converted. To get this data, enter the route print command on the firewall node, and then copy and paste the output into a plain text file. Codes in the output indicate if the route is a directly connected interface, a host route, a network route, and so on. The output varies by platform.
- User and user groups file (optional)—fwauth.NDBx
Ensure the configuration is in a text format (for example, in plain text or XML). FortiConverter can't use binary files.

File                         File name                            Path
Object definitions           objects_5_0.C (Check Point NG/NGX)   $FWDIR/conf
                             objects.C (Check Point 4.x)
                             mcss.C (Provider-1)                  $MDSDIR/conf/mdsdb
Policy and rule definitions  rulebases_5_0.fws                    $FWDIR/conf
                             [package name].W
Route information            NA                                   Save the output of the route print command from the firewall
User and user group file     fwauth.NDBx                          $FWDIR/conf/ or $FWDIR/database/

Check Point conversion wizard

The pages that the Check Point conversion wizard shows depend on whether your source configuration is
SmartCenter or Provider-1.

Because Provider-1 uses global and device-level virtual domains that are similar to FortiManager ADOMs, you
convert Provider-1 configurations to policy packages and objects for your source firewalls in the FortiManager
Policy & Objects database. You can only select FortiManager as the output format on the Start options page.

The administrator password is not set on the new configuration.


For third-party conversions, the trusted host settings are converted. Check the trusted
host settings to ensure they allow management access from the relevant network
interfaces.

To start a new conversion

1. Start FortiConverter.
2. When start-up is complete, a browser window automatically opens to http://127.0.0.1:8000.
3. Click New Conversion, located at the top right corner.
4. Enter a name for the conversion configuration.
5. For Vendor, choose Check Point from the drop-down list.
6. Choose a Model, if applicable.
7. Click OK.
The configuration page opens to the Start page, and you can input your settings.

Check Point Start options

This table lists the start settings.

Setting Description

Profile

Description Enter a description of the configuration.

Output Options

Output Format    Select the appropriate output for your target Fortinet device.

FOS Version    FortiOS 5.6 and 6.0 have different configuration syntaxes. Select the version that corresponds to the FortiOS version on the target.

SmartCenter Input

Object Definition File (objects_5_0.C)    Select the object definition file. This file should include the definition of firewalls, interfaces and firewall objects.

Policy Information File (Standard.W or rulebases_5_0.fws)    Select the policy information file. This file should include the information of policies and manual NAT rules in each policy package.

[Optional] User & User Group File (fwauth.NDB)    Select the user and user group file.

Provider-1 Input

MDS Definition File (mdss.c) Select the MDS definition file. This file should
include the MDS hierarchy.

MDS Object File (objects_5_0.c) Select the MDS object definition file.

Global Policy Object File (objects_5_0.c) Select the global object definition file. This file
should include the definition of global objects.

Global Policy Rulebase File (rulebases_5_0.fws) Select the global policy information file. This
file should include the information of policies
and manual NAT rules in each global policy
package.

Global Policy Assignment (customer.C)    Select the global policy assignment file.

Conversion Options


Discard unreferenced firewall objects This option can be useful if your target device
has table size limitations.
You can view the unreferenced objects that
FortiConverter removed on the Conversion
Result page.

Automatically generate policy interfaces    Specifies whether FortiConverter generates policy interfaces using a Check Point route file (for example, a file you obtained using the netstat -nr command). You select the route file on the Policy package page. Check Point policies define rules for network-to-network communication. When you migrate a Check Point configuration to FortiGate, which uses policies that define rules for interface-to-interface communication, you can use the Check Point route information to determine which interface a policy uses. If you disable this option, or route information isn't available, FortiConverter uses the "any" interface. This option is disabled in Provider-1 conversion, because interfaces and routes aren't converted in Provider-1 conversion.

Adjust Service Table Capacity Size You can customize the maximum table sizes
that FortiConverter uses when Adjust table
sizes is selected. For more information, see
Adjusting table sizes on page 155.

Route-based IPSec    Specifies whether Route-based IPSec is used for this conversion.

Number of year-long schedules from day in month schedules    Specifies how many years of one-time schedules to generate. The wizard converts Check Point "day in month" schedules into equivalent one-time FortiGate schedules.

Comment Options

Interface Comment    Specifies whether FortiConverter copies the interface comment from the source configuration to the mapped FortiGate interface.

Address Comment    Specifies whether FortiConverter copies the address comment from the source configuration to the converted FortiGate address.

Service Comment    Specifies whether FortiConverter copies the service comment from the source configuration to the converted FortiGate service.


Policy comment - Add policy package name and rule number    Include the policy package name, policy number, and NAT rule number in the comment of the output policy.

Policy comment - Preserve the original comment    Include the original comment from the source file in the comment of the output policy.

NAT Merge Options

Ignore firewall policies with all or any addresses when processing NAT rules    Specifies whether FortiConverter ignores firewall policies with an "all" or "any" address when it merges a NAT rule and a firewall policy to create a FortiGate NAT policy. FortiConverter creates new policies in the output configuration based on where NAT rules and firewall policies intersect. Because firewall policies that use "all" or "any" as the address create many intersections, Fortinet recommends that you ignore them.

Enable Central NAT merge    Specifies whether FortiConverter converts NATs to FortiGate central NATs instead of policy-based NATs.

Enable identity match of NAT policy    Specifies whether FortiConverter converts or ignores any identity NAT rules in the source configuration. The "range" and "network" address objects in a Check Point configuration can include hide NAT and static NAT. Check Point performs NAT only when a host in the IP range of the address object communicates with a host outside that range. To disable NAT for traffic with both source and destination inside the address range, Check Point generates an automatic rule called an "identity NAT rule". By default, FortiConverter excludes this type of rule from the conversion because it performs no NAT after it is converted and generates redundant policies. You can enable this option to generate policies based on the identity NAT rules.

NAT Merge Depth

Hide NAT, Static NAT, Rule NAT    Specifies which types of NAT FortiConverter merges with the output firewall policies, or whether FortiConverter performs NAT merge based on object names or values.
- Off – FortiConverter converts firewall policies only and doesn't perform NAT merge for this type of NAT. This is useful for performing a quick, initial conversion to discover any conversion issues.
- Object Names – FortiConverter performs NAT merge based on matching address names in firewall policies and NAT rules.
- Object Values – FortiConverter performs NAT merge based on matching address values in firewall policies and NAT rules. It generates the most accurate matching of NAT rules and policies, but in most cases, it also generates more NAT policies.
Because it can take FortiConverter several hours to complete a conversion that includes a large number of NAT rules, Fortinet recommends that you turn off or limit NAT merge for your initial conversion. Then, resolve any issues with the conversion before you run it again with NAT merge enabled. For more information, including example matches, see NAT merge options on page 156.

MDS selection (Provider-1 only)

Setting Description

Select the MDS to convert Choose the domain to convert.

Global policy collection (Provider-1)

Setting Description

Standard_Global_Policy    Specifies whether FortiConverter converts the Standard Global Policy. You can select both Standard Global Policy and Simple Global Policy.

Simple_Global_Policy    Specifies whether FortiConverter converts the Simple Global Policy.

Check Point Source Configuration (Provider-1)

A Provider-1 configuration contains multiple domains. Input the object definition, policy package information,
and user file in this page.
Ensure the configuration is in a text format. FortiConverter can't use binary files.
See Saving the Check Point source configuration file on page 32.


Setting Description

Browse Click to navigate to the domain source configuration file. See Saving the
Check Point source configuration file on page 32.

Firewall selection (SmartCenter only)

Setting Description

(firewall item) Select one or more firewalls to convert from the domain
source configuration.

Information of Configurations    Source configuration file names are shown in the table. Click a file name to view its content. Files that are too large can't be displayed.

Source Configuration Preview    The number of firewall objects of each kind is shown in the upper table. Click an object count to list the details of each object in the lower table.

Policy collection

Setting Description

(policy collection item) Select the policy collections to convert.

(Route file name field) If you selected Auto generate policy interfaces on the Start
options page, enter the path and file name of a file that
contains route information, or click Browse to select it. For
example, the file can contain routing tables you obtained using
the netstat -nr command.

Policy packages viewer    Select a policy package name to list the details of each policy in that package in the table.

Check Point Interface mapping - SmartCenter only

You can manually map the interface.

- To select the appropriate FortiGate interface, click the value in the FortiGate Interface column, and then select a value or enter a custom interface name.
- To edit other values, double-click the proper column. Use the toolbar icon on the right to show and hide columns. You can also use the Tuning page to create mappings after the conversion is complete.
- To import a set of interface mappings from a file, click Import.
- To download the current set of interface mappings, click Export.
- To delete an interface, select the entry and click Delete Selected. This is useful if your target FortiGate has fewer interfaces than the source configuration.

Setting Description

VDOM Shows the virtual domains used in the conversion.

Source Interface Shows each interface on the Cisco firewall.

FortiGate Interface    Shows the corresponding FortiGate interface. Click to assign a FortiGate port for each interface.

Members Shows any members, if they are set.

IP-Netmask Shows the IP address and netmask of the connection.

Type Shows the type of interface.

Access    Shows which protocols have permission to access each interface.

Import Click to load a set of interface mappings from a text file.

Export Saves the current set of interface mappings to a text file.

Delete Selected Click to delete the selected mapping item.

Check Point Route information - SmartCenter only

FortiConverter creates static routes in the output using the static routes it detects in the source configuration
and any routing information you provide.
Double-click an item to edit it.

Setting Description

New Route Click to add a route.

Delete Selected Click to delete the selected route.

Check Point Conversion result

Tab Description

Conversion Summary    Provides information about the conversion.

VDOM Mapping Shows how VDOMs were mapped from the source device to the new device.

Interface Mapping Shows how interfaces were mapped for each VDOM from the source device.

Device Summary Provides statistics about the objects detected.

For more information, see Viewing the results of your automatic conversion on page 134.


FortiConverter includes error and warning messages in the conversion output when an error occurs.
Review the config-all.txt file after each conversion for errors. If they are not corrected, these errors and warning messages might cause the import process to fail. See for more details.

Check Point NAT merge examples

For more information on how FortiConverter handles NAT merges, see NAT merge options on page 156.

Host address hides behind gateway


The source configuration hides the host address object Host_172.21.84.202_Hide_Gateway behind the
gateway.

It also has a firewall rule that matches the object to source addresses.

FortiConverter generates the following policy, for which NAT is enabled (set nat enable). However,
because it doesn't specify an IP pool, the source address uses the interface IP address to perform NAT:

edit 10002
set srcintf "port2"
set dstintf "port1"
set srcaddr "Host_172.21.84.202_Hide_Gateway"
set dstaddr "Host_Destination"
set service "http" "https"
set schedule "always"
set logtraffic all
set status enable
set action accept
set comments "Example of address hides behind gateway."
set global-label "FW1"
set nat enable
next

When a policy has NAT enabled, it attempts to match a source address to a VIP object. If it finds a match, it
performs static NAT using the VIP object. If it doesn't find a match, it uses the interface IP address. (See the
next section for an example with a VIP object.)

Address with static NAT matches policy source address


The source configuration static NAT settings translate the IP address of the host address object Host_
172.21.84.203_Static to 210.61.82.160.

It also has a firewall rule that matches the object to source addresses.


FortiConverter generates the following VIP object and policy:


edit "vip-Host_172.21.84.203_Static"
set extip 210.61.82.160
set mappedip 172.21.84.203
set extintf port1
set nat-source-vip enable
next

edit 10003
set srcintf "port2"
set dstintf "port1"
set srcaddr "Host_172.21.84.203_Static"
set dstaddr "Host_Destination"
set service "http" "https"
set schedule "always"
set logtraffic all
set status enable
set action accept
set comments "Example of address with static NAT in source address."
set global-label "FW1"
set nat enable
next

When a policy has NAT enabled, it attempts to match a source address to a VIP object. If it finds a match, it
performs static NAT using the VIP object. If it doesn't find a match, it uses the interface IP address. (See Host
address hides behind gateway for an example without a VIP object.)

Address with static NAT matches policy destination address


Like the example where static NAT matches the policy source address, the source configuration static NAT settings translate the IP address of the host address object Host_172.21.84.203_Static to 210.61.82.160.

It also has a firewall rule that matches the object to destinations.

FortiConverter generates the following VIP object and policy. The policy replaces the destination address with
the VIP object:

edit "vip-Host_172.21.84.203_Static"
set extip 210.61.82.160
set mappedip 172.21.84.203
set extintf port1
set nat-source-vip enable
next

edit 10004
set srcintf "port1"
set dstintf "port2"
set srcaddr "Host_Source"
set dstaddr "vip-Host_172.21.84.203_Static"
set service "http" "https"
set schedule "always"
set logtraffic all
set status enable
set action accept
set comments "Example of address with static NAT in destination address."
set global-label "FW1"
next

In this case, the destination address is used directly.

Manual NAT rule matches policy source address with one-to-one mapping
A source configuration has a manual NAT rule that translates a source address:

It also has the following firewall rule:

This configuration is a one-to-one mapping because both the original address and translated address are host
addresses.
FortiConverter generates the following IP address pool and policy. NAT is enabled for the policy and it uses the
pool to perform NAT:
edit "ippool-210.61.82.160"
set endip 210.61.82.160
set startip 210.61.82.160
set type overload
next

edit 10005
set srcintf "port2"
set dstintf "port1"
set srcaddr "Host_172.21.84.204"
set dstaddr "Host_Destination"
set service "http" "https"
set schedule "always"
set logtraffic all
set status enable
set action accept
set comments "Example of one to one source NAT rule ."
set global-label "FW1"
set nat enable
set poolname "ippool-210.61.82.160"
next

Manual NAT rule matches policy destination address
A source configuration has a manual NAT rule that translates a destination address:

It also has the following firewall rule:

FortiConverter generates the following VIP object and policy:


edit "vip-Host_210.61.82.160"
set extip 210.61.82.160
set mappedip 172.21.84.204
set extintf any
set nat-source-vip enable
next

edit 10007
set srcintf "port1"
set dstintf "port2"
set srcaddr "Host_Source"
set dstaddr "Host_172.21.84.204"
set service "http" "https"
set schedule "always"
set logtraffic all
set status enable
set action accept
set comments "Example of one to one destination NAT rule ."
set global-label "FW1"
next

The translated address is used as the destination address because it is in the internal network.

NAT rule and policy addresses don't match: Destination address of the policy contains the NAT object

A source configuration has a host address object Host_172.21.84.203_Static that Static NAT translates to 210.61.82.160.

It also has the following firewall rule:

AddressGroup_Destination is a group that contains the members Host_172.21.84.203_Static, Host_Member3, and Host_Member4.
FortiConverter generates the following VIP object and NAT policy:
edit "vip-Host_172.21.84.203_Static"
set extip 210.61.82.160
set mappedip 172.21.84.203
set extintf port1
set nat-source-vip enable
next

edit 110009
set srcintf "port1"
set dstintf "port2"
set srcaddr "Host_Source"
set dstaddr "vip-Host_172.21.84.203_Static"
set service "http" "https"
set schedule "always"
set logtraffic all
set status enable
set action accept
set global-label "FW1"
next

edit 10009
set srcintf "port1"
set dstintf "port2"
set srcaddr "Host_Source"
set dstaddr "AddressGroup_Destination"
set service "http" "https"
set schedule "always"
set logtraffic all
set status enable
set action accept
set comments "Example of name overlap in destination address."
set global-label "FW1"
next

FortiConverter converts policy 10009 directly from the original firewall rule. Policy 11009 is a copy of policy
10009 with the destination address field changed to vip-Host_172.21.84.203_Static to reflect the
static NAT object conversion.

Unused VIP objects generate policy


In some cases, the final policy in an output configuration is one that FortiConverter generates from VIP objects
that aren't used as a destination address in at least one policy. For example:
edit 001
set srcintf "port1"
set dstintf "any"
set srcaddr "all"
set dstaddr "vip-Host_172.21.84.24" "vip-Host_172.21.84.25" "vip-Host_172.21.84.26"
set service "ALL"
set schedule "always"
set logtraffic all
set status enable
set action deny
set comments "This policy is auto-generated by FortiConverter to activate static-NAT VIPs that aren't referenced in other policies."
next

This type of policy enables the source static NAT mapping by capturing all the VIP objects that other policies
don't reference.
In some conversions, FortiConverter generates more than one of this kind of policy – one for each external
interface that is referenced by an unreferenced VIP object.
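The two behaviours this section describes, the VIP-or-interface-IP fallback for NAT-enabled policies and the catch-all policy for VIPs that nothing references, can be checked mechanically on the output configuration. The Python below is an added example, not FortiConverter's code: it parses FortiOS config/edit/set blocks and reports VIPs no policy references, NAT-enabled policies without an IP pool, and pool references that no ippool entry defines (including the central NAT entries shown in the next section). SAMPLE_CONFIG is constructed from the snippets in this guide, and the section name firewall central-snat-map is an assumption about where FortiOS 6.0 stores central NAT entries.

```python
"""Post-conversion checks on the FortiGate NAT objects a Check Point NAT merge
produces (added example, not FortiConverter code). SAMPLE_CONFIG is constructed
from this guide's snippets; 'firewall central-snat-map' is assumed to be the
FortiOS 6.0 section holding the central NAT entries the guide shows."""
import shlex

SAMPLE_CONFIG = """\
config firewall vip
    edit "vip-Host_172.21.84.203_Static"
        set extip 210.61.82.160
        set mappedip 172.21.84.203
    next
    edit "vip-Host_172.21.84.24"
        set extip 210.61.82.24
        set mappedip 172.21.84.24
    next
end
config firewall ippool
    edit "ippool-210.61.82.160"
        set startip 210.61.82.160
        set endip 210.61.82.160
    next
end
config firewall central-snat-map
    edit 3
        set orig-addr "Host_172.21.84.201_Hide_IP"
        set nat-ippool "ippool-210.61.82.139"
    next
end
config firewall policy
    edit 10002
        set srcaddr "Host_172.21.84.202_Hide_Gateway"
        set dstaddr "Host_Destination"
        set nat enable
    next
    edit 10004
        set srcaddr "Host_Source"
        set dstaddr "vip-Host_172.21.84.203_Static"
    next
    edit 10005
        set srcaddr "Host_172.21.84.204"
        set dstaddr "Host_Destination"
        set nat enable
        set poolname "ippool-210.61.82.160"
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: [values]}}}.
    Nested config blocks get a 'parent/child' section path."""
    cfg, path, entries = {}, [], [None]
    for raw in text.splitlines():
        toks = shlex.split(raw)
        if not toks:
            continue
        cmd, args = toks[0], toks[1:]
        if cmd == "config":
            path.append(" ".join(args))
            cfg.setdefault("/".join(path), {})
            entries.append(None)
        elif cmd == "edit":
            entries[-1] = cfg["/".join(path)].setdefault(args[0], {})
        elif cmd == "set" and entries[-1] is not None:
            entries[-1][args[0]] = args[1:]  # keep every value, e.g. several dstaddr
        elif cmd == "next":
            entries[-1] = None
        elif cmd == "end":
            path.pop()
            entries.pop()
    return cfg


def unreferenced_vips(cfg):
    """VIPs that no policy names as a destination. FortiConverter appends a
    catch-all deny policy for these so that their static NAT still takes effect."""
    used = set()
    for pol in cfg.get("firewall policy", {}).values():
        used.update(pol.get("dstaddr", []))
    return sorted(v for v in cfg.get("firewall vip", {}) if v not in used)


def snat_without_pool(cfg):
    """Policies with 'set nat enable' but no poolname: these source-NAT to the
    egress interface IP unless a VIP matches, so compare them with the source hide NAT."""
    pols = cfg.get("firewall policy", {})
    return sorted(p for p, v in pols.items()
                  if v.get("nat") == ["enable"] and "poolname" not in v)


def dangling_pool_refs(cfg):
    """(section, entry, pool) for pool references with no matching ippool entry;
    the FortiGate rejects such a reference when the configuration is imported."""
    pools = set(cfg.get("firewall ippool", {}))
    refs = [("firewall policy", "poolname"), ("firewall central-snat-map", "nat-ippool")]
    return [(sec, eid, pool) for sec, key in refs
            for eid, ent in cfg.get(sec, {}).items()
            for pool in ent.get(key, []) if pool not in pools]
```

On a complete FortiConverter output the unreferenced-VIP list should be empty once the auto-generated catch-all policy is present; a non-empty list means that policy is missing or was edited away.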

Check Point NAT merge examples with central NAT

Starting with the FortiOS 6.0.0 release, the central NAT feature was enhanced: you no longer need to add a "set nat enable" clause to each firewall policy, because central NAT runs as a separate functional module.

Host address hides behind IP


The source configuration hides the host address object Host_172.21.84.201_Hide_IP behind the IP
address 210.61.82.139.

It also has a firewall rule that matches the object to source addresses.

FortiConverter captures the hide NAT IP address 210.61.82.139 in an IP pool:


edit "ippool-210.61.82.139"
set endip 210.61.82.139
set startip 210.61.82.139
set type overload
next

FortiConverter also creates a central NAT object that uses the IP pool:
edit 3
set srcintf "port2" (generated from route information)
set dstintf "port1" (generated from route information)
set orig-addr "Host_172.21.84.201_Hide_IP"
set dst-addr "all"
set nat-ippool "ippool-210.61.82.139"
next

FortiConverter converts the Check Point firewall rule into the following policy:
edit 10001
set srcintf "port2" (generated from route information)
set dstintf "port1" (generated from route information)
set srcaddr "Host_172.21.84.201_Hide_IP"
set dstaddr "Host_Destination"
set service "http" "https"
set schedule "always"
set logtraffic all
set status enable
set action accept
set comments "Example of address hides behind IP."
set global-label "FW1"
next

Manual NAT rule matches policy source address with many-to-one mapping

A source configuration has a manual NAT rule that translates a source address:

Net_172.21.84.0 is a network object with the IP address 172.21.84.0/24.

The configuration also has the following firewall rule, which matches the object to source addresses:

FortiConverter converts many-to-one rules to an IP pool.

For this configuration, FortiConverter generates the following IP pool, central NAT object, and policy:
edit "ippool-210.61.82.130"
set endip 210.61.82.130
set startip 210.61.82.130
set type overload
next

edit 2
set srcintf "port2"
set dstintf "port1"
set orig-addr "Net_172.21.84.0"
set dst-addr "Host_Destination"
set nat-ippool "ippool-210.61.82.130"
next

edit 10006
set srcintf "port2"
set dstintf "port1"
set srcaddr "Net_172.21.84.0"
set dstaddr "Host_Destination"
set service "http" "https"
set schedule "always"
set logtraffic all
set status enable
set action accept
set comments "Example of one to many source NAT."
set global-label "FW1"
next

Cisco conversions—legacy application

This section covers conversion from the Cisco IOS, IOS XR, and Nexus models. For conversion of the Cisco
PIX, ASA, and FWSM models, see Cisco conversions—new application on page 54.
The conversions in this section use the FortiConverter legacy application.

Cisco differences - legacy application

General

• The FortiGate set allowaccess command for interfaces doesn't exist on Cisco firewalls. Because FortiGate requires this setting, FortiConverter enables all services for interfaces by default.
• The postfix "_conflict" used for services prevents a service and a service group from having the same name. It is recommended that you rename these objects.
• On Cisco IPSec VPNs, Phase 1 (ISAKMP) supports more than two types of authentication methods. FortiGate supports only two types: pre-share and rsa-sig. Therefore, you must assign methods for each VPN connection. The wizard converts Cisco EZVPN configuration to FortiGate VPN policies with the srcintf "<tunnel-interface-name>" (i.e. the phase1-interface object name) and dstintf "any".
• FortiConverter doesn't support the following Cisco configuration elements:
  • Wildcard netmasks for access-list and object-group objects

NAT support

Software – Supported NAT types
IOS – Dynamic NAT and Static NAT
PIX, FWSM, ASA (8.2 and earlier) – Dynamic NAT (NAT exemption, policy dynamic NAT, regular); Static NAT (Static NAT, Static PAT, Identity Static NAT)
ASA (8.3 and later) – Object NAT (Dynamic, Static); Twice NAT

FortiConverter doesn't support the following NAT features:
• Double NAT, Identity NAT, and NAT Exemption
To reduce the number of NAT policies a conversion generates, FortiConverter doesn't convert Static NAT rules in which the source and mapped IPs are the same.

Downloading the source configuration files

Before running the conversion wizard, download your existing configuration to the computer where
FortiConverter is installed. To acquire the configuration, enter the show running-config command, then
paste the output into a plain text file.

Saving the Cisco source configuration file

Before starting the conversion wizard, save a copy of your Cisco configuration file to the computer where
FortiConverter is installed.

Cisco conversion wizard

The administrator password is not set on the new configuration.


For third-party conversions, the trusted host settings are converted. Check the trusted
host settings to ensure they allow management access from the relevant network
interfaces.

Cisco Start options

Setting – Description
Model – Select the model of the source configuration.
Output Format – Select the appropriate output format for your FortiGate device.
Output OS Version – FortiOS 5.6 and 6.0 have different configuration syntaxes. Select the version that corresponds to the FortiOS version on the target.
Discard unreferenced firewall objects – Specifies whether addresses, schedules, and services that aren't referenced by a policy are saved and added to the output. This option is useful if your target device has table size limitations. View the unreferenced objects that FortiConverter removed on the Conversion Result page.
Adjust table sizes – You can customize the maximum table sizes that FortiConverter uses when Adjust table sizes is selected. For more information, see Adjusting table sizes on page 155.
Include input configuration lines for each output policy – Specifies whether FortiConverter includes the input configuration lines used for each FortiGate policy in the FortiGate configuration as a policy comment.
Ignore firewall policies with all or any addresses when processing NAT rules – Specifies whether FortiConverter ignores firewall policies with an "all" or "any" address when it merges a NAT rule and a firewall policy to create a FortiGate NAT policy. FortiConverter creates new policies in the output configuration based on where NAT rules and firewall policies intersect. Because firewall policies that use "all" or "any" as the address create many intersections, Fortinet recommends that you ignore them.
More – Displays additional start options. See Cisco Start options - More on page 49. Available only when Model is IOS.
Output Directory – Select the folder where the output configuration is saved.

Cisco Start options - More

Setting – Description
Enable Route-based IPSec – Specifies whether Route-based IPSec is used for this conversion.

NAT Merge
Dynamic NAT merge depth / Static NAT merge depth – Specifies which types of NAT FortiConverter merges with the output firewall policies, or whether FortiConverter performs NAT merge based on object names or values.
• Off – FortiConverter converts firewall policies only and doesn't perform NAT merge for this type of NAT. This is useful for performing a quick, initial conversion to discover any conversion issues.
• Object Names – FortiConverter performs NAT merge based on matching address names in firewall policies and NAT rules.
• Object Values – FortiConverter performs NAT merge based on matching address values in firewall policies and NAT rules. It generates the most accurate matching of NAT rules and policies, but in most cases, it also generates more NAT policies.
Because it can take FortiConverter several hours to complete a conversion that includes a large number of NAT rules, Fortinet recommends that you turn off or limit NAT merge for your initial conversion. Then, resolve any issues with the conversion before you run it again with NAT merge enabled. For more information, including sample matches, see NAT merge options on page 156.

Cisco Source configuration

Ensure the configuration is in a text format. FortiConverter can't use binary files.
See Saving the Cisco source configuration file on page 48.

Setting – Description
Source Configuration File – Select the input file.
Cisco Route File (Optional) – Select a route file that FortiConverter uses to determine the interfaces used in output policies, in addition to routes it detects in the source configuration. Because Cisco devices apply access-lists to source interfaces, FortiConverter can determine the source interfaces for output policies, but not the destination interfaces. When you specify a route file, FortiConverter uses the information in the file to determine the destination interface. Otherwise, it uses the "any" interface.

Context selection

By default, all virtual contexts are mapped to VDOMs with the same name. You can modify this default mapping as required by renaming VDOMs and removing virtual contexts from the conversion.

Map the virtual systems in the source configuration to VDOMs in the output configuration.
You can select multiple items from the list:
• To select multiple items, use Ctrl + click.
• To select contiguous items, use Shift + click.

Setting – Description
Enable VDOM – Select to enable VDOMs (adds config global and config vdom syntax to the output config).
Add – Click to add a mapping item after you have deleted one.
Delete – Click to delete a mapping item.

Cisco Interface mapping

To select the appropriate FortiGate interface, click the value in the FortiGate Interface column, and then select a value or enter a custom interface name.
To edit other values in the Interface Mapping dialog box, including changing the interface from physical to aggregate or unspecified, double-click a column other than FortiGate Interface.
The Interface Mapping dialog box allows you to select the following interface types:
• aggregate – Select up to four aggregate interface members. If you need to add additional members, edit the set members interface setting in the output configuration or use the FortiOS web UI to add interfaces after you import the configuration.
• unspecified – FortiConverter uses the interface name in the conversion, but ignores the type and other attributes, which provides a name-to-name mapping without interface configuration.
  • For example, you can create resources such as VLANs, LAGs, and inter-VDOM links on the target FortiGate device before you import the conversion, and then reference those interfaces in the physical interface mapping.
You can also use the Tuning page to create mappings, such as physical to VLAN, after the conversion is complete.
To delete an interface, select the entry and click Delete. This is useful if your target FortiGate has fewer interfaces than the source configuration.

Setting – Description
FortiGate Interface (table column) – Click to assign a FortiGate port for each interface. Enter a port name or custom text.
Import from file – Click to load a set of interface mappings from a text file.
Export current mappings – Saves the current set of interface mappings to a text file.
Add – Click to add a mapping item.
Edit – Click to edit additional properties for the selected mapping item.
Delete – Click to delete the selected mapping item.

VLAN and Loopback

This page displays the logical interfaces that FortiConverter detects in the source configuration and the changes it makes to the associated physical interface and its naming.
You can't use this page to modify the logical interface settings.
If required, you can use the Tuning page to modify logical interfaces and zones. See Tuning the output on page 119.

Cisco legacy Route information

FortiConverter creates static routes in the output using the static routes it detects in the source configuration and any routing information you provide.
Double-click an item to edit it.

Setting – Description
Add – Click to add a route.
Edit – Click to edit the selected route.
Delete – Click to delete the selected route.

VPN Phase2

Setting – Description
IKE Phase1 (table column) – Select an IKE Phase1 authentication method: pre-share (preshared keys) or rsa-sig (RSA signatures).

Cisco Conversion result

Tab – Description
Conversion Summary – Provides statistics about the conversion.
Policies Detected & Policies Created – Allows you to view and compare the number of objects that FortiConverter detected in the source configuration and the ones it created for the output configuration.
Messages & Warnings – Allows you to review any objects that FortiConverter did not include in the conversion. If you enabled Discard unreferenced firewall objects on the Start Page, this tab displays the objects that FortiConverter removed.

Setting – Description
View in HTML – Generates an HTML page of the conversion result.
Go to Output – Opens the output folder.
Go to Tuning – Opens the tuning page. See Tuning the output on page 119.
Go to Report – Opens a detailed conversion report that includes a list of converted objects and policies and displays lines from the source configuration that FortiConverter did not convert.

For more information, see Viewing the results of your automatic conversion on page 134.

FortiConverter includes error and warning messages in the conversion output when an error occurs.
Review the config-all.txt file after each conversion for errors. If not corrected, these errors and warnings might cause the import process to fail. See for more details.

Cisco conversions—new application

This section covers conversion from the Cisco ASA, PIX, and FWSM models. For conversion of the Cisco IOS, IOS XR, and Nexus models, see Cisco conversions—legacy application on page 47.
The conversions in this section use the new FortiConverter application.
For more information on new features available with the new application, see New application features on page 157.

Cisco differences - new application

General

• FortiGate's set allowaccess command for interfaces doesn't exist on Cisco firewalls. Because FortiGate requires this setting, FortiConverter enables all services for interfaces by default.
• The postfix "_conflict" used for services prevents a service and a service group from having the same name. It is recommended that you rename these objects.
• On Cisco IPSec VPNs, Phase 1 (ISAKMP) supports more than two types of authentication methods. FortiGate supports only two types: pre-share and rsa-sig. Therefore, you must assign methods for each VPN connection. The wizard converts Cisco EZVPN configuration to FortiGate VPN policies with the srcintf "<tunnel-interface-name>" (i.e. the phase1-interface object name) and dstintf "any".
• FortiConverter doesn't support the following Cisco configuration elements:
  • Wildcard netmasks for access-list and object-group objects

NAT support

Software – Supported NAT types
PIX, FWSM, ASA (8.2 and earlier) – Dynamic NAT (NAT exemption, policy dynamic NAT, regular); Static NAT (Static NAT, Static PAT, Identity Static NAT)
ASA (8.3 and later) – Object NAT (Dynamic, Static); Twice NAT

FortiConverter doesn't support the following NAT features:
• Double NAT, Identity NAT, and NAT Exemption
To reduce the number of NAT policies a conversion generates, FortiConverter doesn't convert Static NAT rules in which the source and mapped IPs are the same.

Saving the Cisco ASA source configuration file

Before starting the Cisco ASA conversion wizard, save a copy of your configuration file to the computer where FortiConverter is installed.

Cisco conversion wizard

The administrator password is not set on the new configuration.


For third-party conversions, the trusted host settings are converted. Check the trusted
host settings to ensure they allow management access from the relevant network
interfaces.

To start a new conversion

1. Start FortiConverter.
2. When start-up is complete, a browser window automatically opens to http://127.0.0.1:8000.
3. Click New Conversion, located at the top right corner.
4. Enter a name for the conversion configuration.
5. For Vendor, choose Cisco from the drop-down list.
6. Choose a Model, if applicable.
7. Click OK.
The configuration page opens to the Start page, and you can input your settings.

Cisco ASA Start options

This table lists the start settings.

Setting – Description

Profile
Description – Enter a description of the configuration.

Output Options
Output Format – Select the appropriate output format for your FortiGate device.
FOS Version – FortiOS 5.6 and 6.0 have different configuration syntaxes. Select the version that corresponds to the FortiOS version on the target.

Input
Security Context Conversion – Enable this option to convert configurations with multiple security contexts.
Source Configuration – Select the input file or files. This option only appears if Security Context Conversion is disabled.
System Configuration – Select the system configuration file. This file should include interfaces and config file names for each security context. This option only appears if Security Context Conversion is enabled.
Context Configuration (.zip) – Select the .zip file containing all the config files. The file name for each context should match the name given in the system configuration file. This option only appears if Security Context Conversion is enabled.
Route File (Optional) – Select a route file that FortiConverter uses to determine the interfaces used in output policies, in addition to routes it detects in the source configuration. Because Cisco devices apply access-lists to source interfaces, FortiConverter can determine the source interfaces for output policies, but not the destination interfaces. When you specify a route file, FortiConverter uses the information in the file to determine the destination interface.

Conversion Options
Discard unreferenced firewall objects – Specifies whether addresses, schedules, and services that aren't referenced by a policy are saved and added to the output. This option can be useful if your target device has table size limitations.
Adjust Service Table Capacity Size – You can customize the maximum table sizes that FortiConverter uses when Adjust Service Table Capacity Size is selected. For more information, see Adjusting table sizes on page 155.
Automatically generate policy interfaces – Specifies whether FortiConverter automatically generates policy interfaces.
Route-based IPSec – Specifies whether Route-based IPSec is used for this conversion.

Comment Options
Include input configuration lines for each output policy – Specifies whether FortiConverter includes the input configuration lines used for each FortiGate policy in the FortiGate configuration as a policy comment.
Address comment – Specifies whether FortiConverter copies the address comment from the source configuration to the converted FortiGate address.
Interface comment – Specifies whether FortiConverter copies the interface comment from the source configuration to the converted FortiGate address.
Service comment – Specifies whether FortiConverter copies the service comment from the source configuration to the converted FortiGate address.

NAT Merge Options
Ignore firewall policies with all or any addresses when processing NAT rules – Specifies whether FortiConverter ignores firewall policies with an "all" or "any" address when it merges a NAT rule and a firewall policy to create a FortiGate NAT policy. FortiConverter creates new policies in the output configuration based on where NAT rules and firewall policies intersect. Because firewall policies that use "all" or "any" as the address create many intersections, Fortinet recommends that you ignore them.
Enable central NAT merge – Specifies whether FortiConverter converts NATs to FortiConverter central NATs instead of policy-based NATs.

NAT Merge Depth
Mode – Specify the source version number. This option is available only when Model is ASA.
NAT exemption, Dynamic NAT, Static NAT, Dynamic ACL NAT, Static ACL NAT – Specifies which types of NAT FortiConverter merges with the output firewall policies, or whether FortiConverter performs NAT merge based on object names or values.
• Object Name Match – FortiConverter performs NAT merge based on matching address names in firewall policies and NAT rules.
• Object Content Overlap – FortiConverter performs NAT merge based on matching address values in firewall policies and NAT rules. It generates the most accurate matching of NAT rules and policies, but in most cases, it also generates more NAT policies.
Because it can take FortiConverter several hours to complete a conversion that includes a large number of NAT rules, Fortinet recommends that you turn off or limit NAT merge for your initial conversion. Then, resolve any issues with the conversion before you run it again with NAT merge enabled. For more information, including sample matches, see NAT merge options on page 156.

Context selection

This page shows the source configuration before conversion.
By default, all virtual contexts are mapped to VDOMs with the same name.

Click an option under Source Configuration Preview to view it. Use the search bars to filter the search.

Setting – Description
Enable VDOM – Select to enable VDOMs (adds config global and config vdom syntax to the output config).
[trash] – Click to delete the selected mapping item.
Removed vdom – Select a removed VDOM and click Add to add it back into the VDOM list.
Information of Configurations – Source configuration file names are shown in the table as a link. Click the link to see the content. The file won't show if it's too large.
Source Configuration Preview – The numbers of each type of firewall object are shown in the previous table. Click the object number to see detailed information on each object.

Cisco ASA Interface mapping

You can manually map the interface.

• To select the appropriate FortiGate interface, click the value in the FortiGate Interface column, and then select a value or enter a custom interface name.
• To edit other values, double-click the proper column. Use the toolbar icon on the right to show and hide columns. You can also use the Tuning page to create mappings after the conversion is complete.
• To import a set of interface mappings from a file, click Import.
• To download the current set of interface mappings, click Export.
• To delete an interface, select the entry and click Delete Selected. This is useful if your target FortiGate has fewer interfaces than the source configuration.

Setting – Description
VDOM – Shows the virtual domains used in the conversion.
Source Interface – Shows each interface on the Cisco firewall.
FortiGate Interface – Shows the corresponding FortiGate interface. Click to assign a FortiGate port for each interface.
Members – Shows any members, if they are set.
IP-Netmask – Shows the IP address and netmask of the connection.
Type – Shows the type of interface.
Access – Shows which protocols have permission to access each interface.
Import – Click to load a set of interface mappings from a text file.
Export – Saves the current set of interface mappings to a text file.
Delete Selected – Click to delete the selected mapping item.

Cisco Routing Information

FortiConverter creates static routes in the output using the static routes it detects in the source configuration and any routing information you provide.
Double-click an item to edit it.

Setting – Description
New Route – Click to add a route.
Delete Selected – Click to delete the selected route.

Cisco Conversion result

Some columns can be selected, sorted, and filtered.

Tab – Description
Conversion Summary – Shows information about the conversion.
VDOM Mapping – Shows how VDOMs were mapped from the source device to the new device.
Interface Mapping – Shows how interfaces were mapped for each VDOM from the source device.
Device Summary – Shows statistics about the objects detected.

For more details on how to fine-tune your conversion, see New application tuning on page 124.
To download your finished conversion, click Download Configurations, located in the top-right corner. Your downloaded conversion is a .zip file.

FortiConverter includes error and warning messages in the conversion output when an error occurs.
Review the config-all.txt file after each conversion for errors. If not corrected, these errors and warnings might cause the import process to fail. See for more details.

Cisco PIX and ASA NAT merge examples

For more information about how FortiConverter handles NAT merges, see NAT merge options on page 156.

For ASA, these examples are valid only for source configurations created using software versions 8.2.x and earlier.

Identity NAT

Dynamic NAT with ID 0 is the identity NAT and specifies that the address doesn't need to be translated. For example:
nat (inside) 0 172.17.3.68 255.255.255.255
Currently, because FortiConverter doesn't merge this kind of NAT, it ignores the settings when it converts the configuration.

Static identity NAT

In the following two static NAT settings, the real address and the mapped address are the same.
static (inside,outside) 200.251.129.33 200.251.129.33 netmask 255.255.255.255
static (inside,outside) 172.17.3.69 access-list inside_nat0_static
access-list inside_nat0_static extended permit ip host 172.17.3.69 object-group Group0

FortiConverter doesn't support this kind of static NAT and it ignores the settings when it converts the configuration.

Dynamic NAT with NAT IP

A source configuration has the following dynamic NAT settings:
global (outside) 1 172.31.242.69 netmask 255.255.255.255
nat (inside) 1 172.17.3.120 255.255.255.255

It also has the following firewall rule:
access-list acl_inside extended permit tcp host 172.17.3.120 object-group Group_Destination eq http
access-group acl_inside in interface inside

FortiConverter generates the following IP pool and NAT policy from the source configuration:
edit "ippool-172.31.242.69"
set endip 172.31.242.69
set startip 172.31.242.69
set type one-to-one
next

edit 10001
set srcintf "port1" (corresponds to the interface "inside")
set dstintf "port2" (corresponds to the interface "outside")
set srcaddr "h_172.17.3.120"
set dstaddr "Group_Destination"
set service "HTTP"
set schedule "always"
set logtraffic disable
set status enable
set action accept
set nat enable
set ippool enable
set poolname "ippool-172.31.242.69"
next

The interface and address of the dynamic NAT match the firewall rule, so FortiConverter inserts the IP pool into policy 10001.

Dynamic NAT with mapped IP is "interface"

A source configuration has the following dynamic NAT settings:
global (outside) 2 interface
nat (inside) 2 172.17.40.73 255.255.255.255

It also has the following firewall rule:
access-list acl_inside extended permit tcp host 172.17.40.73 object-group Group_Destination eq http
access-group acl_inside in interface inside

FortiConverter generates the following NAT policy from the source configuration:
edit 10002
set srcintf "port1"
set dstintf "port2"
set srcaddr "h-172.17.40.73"
set dstaddr "Group_Destination"
set service "HTTP"
set schedule "always"
set logtraffic disable
set status enable
set action accept
set nat enable
next

The interface and address of the dynamic NAT match the firewall rule. NAT is enabled for policy 10002, but because no IP pool is specified, the source address is translated to the interface IP address.

Dynamic policy NAT

A source configuration has the following dynamic NAT settings, which define NAT using an access list:
nat (inside) 1 access-list inside_nat_outbound
access-list inside_nat_outbound extended permit tcp host 172.17.40.70 host 200.185.36.43 eq http
global (outside) 1 172.31.242.69 netmask 255.255.255.255

It also has the following firewall rule, which matches the NAT settings:
access-list acl_inside extended permit tcp host 172.17.40.70 host 200.185.36.43 eq http
access-group acl_inside in interface inside

FortiConverter generates the following IP pool and NAT policy from the source configuration:
edit "ippool-172.31.242.69"
set endip 172.31.242.69
set startip 172.31.242.69
set type one-to-one
next

edit 10003
set srcintf "port1"
set dstintf "port2"
set srcaddr "h-172.17.40.70"
set dstaddr "h-200.185.36.43"
set service "HTTP"
set schedule "always"
set logtraffic disable
set status enable
set action accept
set nat enable
set ippool enable
set poolname "ippool-172.31.242.69"
next

The converted configuration is similar to the case where the source configuration specifies dynamic NAT with a NAT IP address.
FortiConverter converts the IP pool based on the dynamic NAT.

Static NAT matches policy source address

A source configuration has the following static NAT settings:
static (inside,outside) 200.251.129.95 172.17.60.85 netmask 255.255.255.255
It also has the following firewall rule:
access-list acl_inside extended permit ip host 172.17.60.85 object-group Group_Destination
access-group acl_inside in interface inside

FortiConverter converts the static NAT rule to a VIP object and generates a NAT policy:
edit "vip-200.251.129.95"
set extip 200.251.129.95
set mappedip 172.17.60.85
set extintf port2
set nat-source-vip enable
next

edit 10004
set srcintf "port1"
set dstintf "port2"
set srcaddr "h-172.17.60.85"
set dstaddr "Group_Destination"
set service "ALL"
set schedule "always"
set logtraffic disable
set status enable
set action accept
set nat enable
next

The NAT-enabled policy tries to match the source address to a VIP object. If it finds a match, it performs static
NAT as the VIP object specifies. Otherwise, it uses the interface IP for NAT.

Static NAT matches policy destination address

A source configuration has the following static NAT settings (which are the same as the example that matches by source address):
static (inside,outside) 200.251.129.95 172.17.60.85 netmask 255.255.255.255
It also has the following firewall rule:
access-list acl_outside extended permit ip any host 200.251.129.95
access-group acl_outside in interface outside

FortiConverter creates the same VIP object it does for the source address example, and the following NAT
policy, which uses the VIP object as a destination address:
edit "vip-200.251.129.95"
set extip 200.251.129.95
set mappedip 172.17.60.85
set extintf port2
set nat-source-vip enable
next

edit 10005
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "vip-200.251.129.95"
set service "ALL"
set schedule "always"
set logtraffic disable
set status enable
set action accept
next

Static NAT that uses access list matches policy source address

A source configuration has the following settings, which define static NAT using an access list:
static (inside,outside) 172.31.242.69 access-list inside_nat_static
access-list inside_nat_static extended permit ip host 10.100.128.97 object-group Group_Destination

It also has the following firewall rule:
access-list acl_inside extended permit ip host 10.100.128.97 object-group Group_Destination
access-group acl_inside in interface inside
FortiConverter converts the static NAT settings to the following VIP object and policies:
edit "vip-172.31.242.69_ip"
set extip 172.31.242.69
set mappedip 10.100.128.97
set extintf port2
set nat-source-vip enable
next

edit 10006
set srcintf "port1"
set dstintf "port2"
set srcaddr "h-10.100.128.97"
set dstaddr "Group_Destination"
set service "ALL"
set schedule "always"
set logtraffic disable
set status enable
set action accept
set nat enable
next

The NAT-enabled policy tries to match the source address to a VIP object. If it finds a match, it performs static
NAT as the VIP object specifies. Otherwise, it uses the interface IP for NAT.

Static NAT specified by access list matches policy destination address

The following source configuration settings define static NAT using an access list (they are the same as the
example where static NAT that uses an access list matches the policy source address):
static (inside,outside) 172.31.242.69 access-list inside_nat_static
access-list inside_nat_static extended permit ip host 10.100.128.97 object-group Group_Destination

It also has the following firewall rule on the outside interface, whose destination is the static NAT global
(mapped) address:
access-list acl_outside extended permit ip object-group Group_Destination host 172.31.242.69
access-group acl_outside in interface outside
FortiConverter creates the same VIP object it does for the source address example, and the following NAT
policy, which uses the VIP object as a destination address:
edit "vip-172.31.242.69_ip"
set extip 172.31.242.69
set mappedip 10.100.128.97
set extintf port2
set nat-source-vip enable
next

edit 110007
set srcintf "port2"
set dstintf "port1"
set srcaddr "Group_Destination"
set dstaddr "vip-172.31.242.69_ip"
set service "ALL"
set schedule "always"
set logtraffic disable
set status enable
set action accept
next

edit 10007
set srcintf "port2"
set dstintf "any"
set srcaddr "Group_Destination"
set dstaddr "h-172.31.242.69"
set service "ALL"
set schedule "always"
set logtraffic disable
set status enable
set action accept
next

NAT rule and policy addresses don't match exactly

When a NAT rule address doesn't match a policy address exactly, FortiConverter calculates where the
addresses intersect (overlap) and uses the result as the address for the NAT policy it generates.

NAT rule address contains policy address


For example, a source configuration includes the following dynamic NAT configuration:
global (outside) 1 193.205.32.10 netmask 255.255.255.255
nat (inside) 1 10.1.2.0 255.255.255.0
It also contains the following firewall rule:
access-list acl_inside extended permit tcp host 10.1.2.1 host 193.205.23.66 eq smtp
access-group acl_inside in interface inside
The NAT rule address 10.1.2.0 255.255.255.0 contains the firewall rule source address 10.1.2.1.
FortiConverter converts the source NAT and firewall rules to the following IP pool and policies:
edit "ippool-193.205.32.10"
set endip 193.205.32.10
set startip 193.205.32.10
set type one-to-one
next

edit 10001
set srcintf "port1"
set dstintf "port2"
set srcaddr "h-10.1.2.1"
set dstaddr "h-193.205.23.66"
set service "SMTP"
set schedule "always"
set logtraffic disable
set status enable
set action accept
set nat enable
set ippool enable
set poolname "ippool-193.205.32.10"
next

The source address of policy 10001 is the intersection of the NAT rule address and the firewall rule source
address, which is "h-10.1.2.1".

Policy address contains the NAT rule address


A source configuration includes the following NAT settings (which are the same as the example where the NAT
rule address contains the policy address):
global (outside) 1 193.205.32.10 netmask 255.255.255.255
nat (inside) 1 10.1.2.0 255.255.255.0

It also contains the following firewall rule:

access-list acl_inside extended permit tcp 10.1.0.0 255.255.0.0 host 193.205.23.66 eq smtp
access-group acl_inside in interface inside

The firewall rule source address 10.1.0.0 255.255.0.0 contains the NAT rule address 10.1.2.0
255.255.255.0.
FortiConverter converts the source NAT and firewall rules to the following IP pool and policies:
edit "ippool-193.205.32.10"
set endip 193.205.32.10
set startip 193.205.32.10
set type one-to-one
next

edit 110002
set srcintf "port1"
set dstintf "port2"
set srcaddr "n-10.1.2.0_24"
set dstaddr "h-193.205.23.66"
set service "SMTP"
set schedule "always"
set logtraffic disable
set status enable
set action accept
set nat enable
set ippool enable
set poolname "ippool-193.205.32.10"
next

edit 10002
set srcintf "port1"
set dstintf "any"
set srcaddr "n-10.1.0.0_16"
set dstaddr "h-193.205.23.66"
set service "SMTP"
set schedule "always"
set logtraffic disable
set status enable
set action accept
next

The policy 110002 source address "n-10.1.2.0_24" is the intersection of the NAT rule address and the source
address of firewall rule 10002. Policy 10002 keeps the original, wider source address and no NAT.

NAT rule matches address "all" in policy


A source configuration includes the following NAT settings (which are the same as the example where the NAT
rule address contains the policy address):
global (outside) 1 193.205.32.10 netmask 255.255.255.255
nat (inside) 1 10.1.2.0 255.255.255.0
It also contains the following firewall rule:
access-list acl_inside extended permit tcp any host 193.205.23.66 eq smtp
access-group acl_inside in interface inside


The source address field is "any", which contains the NAT rule.
FortiConverter converts the source NAT and firewall rules to the following IP pool and policies:
edit 110003
set srcintf "port1"
set dstintf "port2"
set srcaddr "n-10.1.2.0_24"
set dstaddr "h-193.205.23.66"
set service "SMTP"
set schedule "always"
set logtraffic disable
set status enable
set action accept
set nat enable
set ippool enable
set poolname "ippool-193.205.32.10"
next

edit 10003
set srcintf "port1"
set dstintf "any"
set srcaddr "all"
set dstaddr "h-193.205.23.66"
set service "SMTP"
set schedule "always"
set logtraffic disable
set status enable
set action accept
next

The policy 110003 source address "n-10.1.2.0_24" is the intersection of NAT and firewall rules.
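
The address-intersection rule that the three examples above illustrate, as an added example that is not
FortiConverter's code: the function below intersects an ASA nat/global pair with an ACL entry's source address
and emits the policies the guide shows (a NAT policy on the intersection, with a 1 prefixed to the ID, followed
by the original rule without NAT when the ACL source is wider). The h-/n-/ippool- object names and the
100000 + ID scheme are taken from the examples above; the data classes, function names and the ignore_any
switch (modelled on the "Ignore firewall policies with all or any addresses when processing NAT rules" start
option described later in this guide) are assumptions of mine.

```python
# Added example, not FortiConverter code: merge an ASA/PIX dynamic NAT rule with an
# ACL entry by address intersection. Object naming (h-, n-, ippool-) and the 1xxxxx
# policy ID for derived NAT policies follow the guide; everything else is assumed.
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class NatRule:
    """nat (inside) <id> <net> <mask> paired with global (outside) <id> <ip> netmask 255.255.255.255"""
    nat_id: int
    inside_net: Net
    global_ip: Addr


@dataclass(frozen=True)
class AclEntry:
    """access-list ... permit <proto> <src> <dst> eq <port>; 'any' is parsed as 0.0.0.0/0"""
    src: Net
    dst: Net
    service: str


def addr_name(net: Net) -> str:
    """FortiConverter-style address object names as seen in the guide."""
    if net.prefixlen == 0:
        return "all"
    if net.prefixlen == 32:
        return f"h-{net.network_address}"
    return f"n-{net.network_address}_{net.prefixlen}"


def intersect(a: Net, b: Net):
    """Overlap of two CIDR blocks (always the smaller one), or None if they are disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def make_policy(pid: int, src: Net, acl: AclEntry, pool: str = None) -> dict:
    """A FortiGate policy as a dict; NAT policies get the outgoing interface, plain ones keep 'any'."""
    return {"id": pid, "srcintf": "port1", "dstintf": "port2" if pool else "any",
            "srcaddr": addr_name(src), "dstaddr": addr_name(acl.dst),
            "service": acl.service, "nat": pool is not None, "ippool": pool}


def merge_nat(rule: NatRule, acl: AclEntry, pid: int, ignore_any: bool = False) -> list:
    """Policies FortiConverter would emit for one ACL entry, in order.

    - NAT rule covers the ACL source: the original policy itself gets NAT.
    - ACL source is wider (or 'any'): a NAT policy on the intersection (ID 1xxxxx)
      comes first, followed by the original policy without NAT.
    - No overlap, or 'any' with ignore_any set: the original policy only.
    """
    pool = f"ippool-{rule.global_ip}"
    if ignore_any and acl.src.prefixlen == 0:
        return [make_policy(pid, acl.src, acl)]
    common = intersect(rule.inside_net, acl.src)
    if common is None:
        return [make_policy(pid, acl.src, acl)]
    if common == acl.src:
        return [make_policy(pid, common, acl, pool)]
    return [make_policy(100000 + pid, common, acl, pool), make_policy(pid, acl.src, acl)]


def render(pol: dict) -> str:
    """FortiOS CLI text for one policy, in the flat form the guide prints."""
    lines = [f'edit {pol["id"]}',
             f'set srcintf "{pol["srcintf"]}"', f'set dstintf "{pol["dstintf"]}"',
             f'set srcaddr "{pol["srcaddr"]}"', f'set dstaddr "{pol["dstaddr"]}"',
             f'set service "{pol["service"]}"', 'set schedule "always"',
             'set logtraffic disable', 'set status enable', 'set action accept']
    if pol["nat"]:
        lines += ['set nat enable', 'set ippool enable', f'set poolname "{pol["ippool"]}"']
    lines.append('next')
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed input: the nat/global pair and the three ACL variants from the guide.
    rule = NatRule(1, Net("10.1.2.0/24"), Addr("193.205.32.10"))
    smtp_host = Net("193.205.23.66/32")
    for pid, src in ((10001, Net("10.1.2.1/32")), (10002, Net("10.1.0.0/16")), (10003, Net("0.0.0.0/0"))):
        for pol in merge_nat(rule, AclEntry(src, smtp_host, "SMTP"), pid):
            print(render(pol), end="\n\n")
```

Order matters in the output: the narrower NAT policy must precede the original policy, because FortiOS
evaluates policies top down and the wider policy (dstintf "any", no NAT) would otherwise match first. With
ignore_any set, flows from the NAT rule's subnet that only match an "any" policy leave untranslated, so test
such flows after import rather than assuming they exit with the pool address.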

Static NAT overlaps policy destination address


A source configuration has the following settings, which define static NAT using an access list:
static (inside,outside) 172.31.242.69 access-list inside_nat_static
access-list inside_nat_static extended permit ip host 10.100.128.97 object-group Group_Destination
It also includes the following firewall rule:
access-list acl_outside extended permit ip object-group Group_Destination 172.31.242.0 255.255.255.0
access-group acl_outside in interface outside
The firewall rule destination address 172.31.242.0 255.255.255.0 contains the static NAT mapped IP
172.31.242.69.
FortiConverter generates the following VIP object and policies that use the object as a destination:
edit "vip-172.31.242.69_ip"
set extip 172.31.242.69
set mappedip 10.100.128.97
set extintf port2
set nat-source-vip enable
next

edit 110004
set srcintf "port2"
set dstintf "port1"
set srcaddr "Group_Destination"
set dstaddr "vip-172.31.242.69_ip"
set service "ALL"
set schedule "always"
set logtraffic disable
set status enable
set action accept
next

edit 10004
set srcintf "port2"
set dstintf "any"
set srcaddr "Group_Destination"
set dstaddr "n-172.31.242.0_24"
set service "ALL"
set schedule "always"
set logtraffic disable
set status enable
set action accept
next

Static NAT overlaps address group object

A source configuration has the following settings, which define a static NAT using an access list:
static (inside,outside) 172.31.242.69 access-list inside_nat_static
access-list inside_nat_static extended permit ip host 10.100.128.97 object-group Group_Destination

The access list destination address Group_Destination contains two members:


object-group network Group_Destination
network-object 10.255.253.0 255.255.255.0
network-object 10.255.254.0 255.255.255.0

The source configuration also has a firewall rule that matches the static NAT rule and its destination is a
member of the group Group_Destination.
access-list acl_inside extended permit ip host 10.100.128.97 10.255.253.0 255.255.255.0
access-group acl_inside in interface inside

FortiConverter generates the following NAT policy, which has the destination address 10.255.253.0
255.255.255.0.
edit 10009
set srcintf "port1"
set dstintf "port2"
set srcaddr "h-10.100.128.97"
set dstaddr "n-10.255.253.0_24"
set service "ALL"
set schedule "always"
set logtraffic disable
set status enable
set action accept
set nat enable
next


NAT exemption

NAT exemption is a dynamic policy NAT with ID 0. In most cases, you use NAT exemption to do one of the
following:
- Exempt an address that is located in a NAT rule address range from NAT.
- In environments that use NAT control to block traffic to which no NAT rule applies, permit this type of
traffic.
Exempt an address from a NAT rule
A source configuration has the following NAT exemption configuration:
nat (inside) 0 access-list inside_nat_exemption
access-list inside_nat_exemption extended permit ip host 172.13.100.88 object-group Group_Destination

It also has the following dynamic NAT rule:


nat (inside) 4 172.13.100.0 255.255.255.0
global (outside) 4 172.80.80.8 netmask 255.255.255.255

Both the NAT exemption and the dynamic NAT rule match the following firewall rule:
access-list acl_inside extended permit ip 172.13.100.0 255.255.255.0 object-group Group_Destination
access-group acl_inside in interface inside

FortiConverter generates the following policies:


edit 110001
set srcintf "port1"
set dstintf "port2"
set srcaddr "h-172.13.100.88"
set dstaddr "Group_Destination"
set service "ALL"
set schedule "always"
set logtraffic disable
set status enable
set action accept
next

edit 10001
set srcintf "port1"
set dstintf "port2"
set srcaddr "n-172.13.100.0_24"
set dstaddr "Group_Destination"
set service "ALL"
set schedule "always"
set logtraffic disable
set status enable
set action accept
set nat enable
set ippool enable
set poolname "ippool-172.80.80.8"
next

The NAT exemption configuration generates policy 110001 with no NAT behavior. The dynamic NAT
configuration generates policy 10001, which references an IP pool. Because 110001 comes first in the
configuration, it applies to address "h-172.13.100.88" before the policy for address "n-172.13.100.0_24"
(which applies dynamic NAT) is evaluated.

Allowing traffic without NAT when PIX enables NAT control


When NAT control is enabled in PIX, traffic from an interface with high-level security to an interface with low-
level security isn't allowed if no NAT rule is configured. To allow traffic that doesn't require NAT, a NAT
exemption is required.
The source configuration includes NAT control and a NAT exemption:
nat-control
nat (inside) 0 access-list inside_nat_exemption
access-list inside_nat_exemption extended permit ip host 172.14.100.88 object-group Group_Destination
It also has the following firewall rule:
access-list acl_inside extended permit ip 172.14.100.0 255.255.255.0 object-group Group_Destination
access-group acl_inside in interface inside

The interface security level has the following configuration:


nameif ethernet0 outside security0
nameif ethernet1 inside security100

FortiConverter generates the following policies:


edit 110002
set srcintf "port1"
set dstintf "port2"
set srcaddr "h-172.14.100.88"
set dstaddr "Group_Destination"
set service "ALL"
set schedule "always"
set logtraffic disable
set status enable
set action accept
next

edit 10002
set srcintf "port1"
set dstintf "port2"
set srcaddr "n-172.14.100.0_24"
set dstaddr "Group_Destination"
set service "ALL"
set schedule "always"
set logtraffic disable
set status disable
set action accept
set comments "This policy is disabled as not allowed by NAT-Control."
next

The source interface of the firewall rule is "inside" (port1), which has security level 100. The destination
interface of this firewall rule is calculated to be "outside" (port2), which has security level 0. Because "inside"
has a higher security level than "outside", traffic from "n-172.14.100.0_24" to "Group_Destination" isn't
allowed when no NAT rule applies to it (even though the firewall rule permits it). Only traffic from
"h-172.14.100.88" to "Group_Destination" is allowed, because a NAT exemption is configured for it. Since the
remaining traffic isn't allowed, FortiConverter disables policy 10002 and adds a comment that gives the reason.
Review each policy that carries this comment before you import the configuration: enabling it on the FortiGate
would permit traffic that the source firewall dropped.
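
The decision the two NAT exemption examples above describe, as an added example (my code, not
FortiConverter's): given an ASA rule's source, the nat 0 access-list entries, the nat/global pairs, the interface
security levels and whether nat-control is set, the function returns the policies in the order the guide lists
them. The 1xxxxx ID for the exemption policy, the disabled-policy comment and the higher-to-lower security
rule are taken from the guide; the data model, the names and the assumption that a dynamic NAT rule covers
the whole ACL source (partial overlap is the intersection case shown earlier in this section) are mine.

```python
# Added example, not FortiConverter code: decide how an ASA/PIX rule converts when a
# NAT exemption (nat <if> 0 access-list ...) and nat-control are in play. Policy ID scheme,
# disabled-policy comment and the security-level rule follow the guide; the rest is assumed.
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network
DISABLED_COMMENT = "This policy is disabled as not allowed by NAT-Control."


@dataclass
class AsaNat:
    nat_control: bool
    security: dict                                    # nameif ... securityN, e.g. {"inside": 100, "outside": 0}
    exemptions: list = field(default_factory=list)    # (src Net, dst object name) from the nat 0 access-list
    dynamic: list = field(default_factory=list)       # (inside Net, global IP as str) from nat/global pairs


def addr_name(net: Net) -> str:
    """FortiConverter-style address object names as seen in the guide."""
    if net.prefixlen == 0:
        return "all"
    if net.prefixlen == 32:
        return f"h-{net.network_address}"
    return f"n-{net.network_address}_{net.prefixlen}"


def intersect(a: Net, b: Net):
    """Overlap of two CIDR blocks, or None if they are disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def policy(pid, src_name, dst_name, pool=None, status="enable", comment=""):
    return {"id": pid, "srcaddr": src_name, "dstaddr": dst_name, "nat": pool is not None,
            "ippool": pool, "status": status, "comments": comment}


def convert_rule(asa: AsaNat, src_if: str, dst_if: str, src: Net, dst_name: str, pid: int) -> list:
    """Policies in the order FortiConverter lists them: the exemption first, so it matches
    before the NAT policy for the wider address; then the full rule with NAT, or disabled
    when nat-control would drop the traffic (higher to lower security level, no NAT rule)."""
    out = []
    for ex_src, ex_dst in asa.exemptions:
        if ex_dst != dst_name:
            continue
        common = intersect(ex_src, src)
        if common is None:
            continue
        if common == src:                   # exemption covers the whole rule: nothing left to NAT
            return [policy(pid, addr_name(src), dst_name)]
        out.append(policy(100000 + pid, addr_name(common), dst_name))
    for inside, global_ip in asa.dynamic:
        if src.subnet_of(inside):           # assumption: the NAT rule covers the whole ACL source
            out.append(policy(pid, addr_name(src), dst_name, pool=f"ippool-{global_ip}"))
            return out
    if asa.nat_control and asa.security[src_if] > asa.security[dst_if]:
        out.append(policy(pid, addr_name(src), dst_name, status="disable", comment=DISABLED_COMMENT))
    else:
        out.append(policy(pid, addr_name(src), dst_name))
    return out


if __name__ == "__main__":
    # Constructed input reproducing the nat-control example above.
    asa = AsaNat(nat_control=True, security={"inside": 100, "outside": 0},
                 exemptions=[(Net("172.14.100.88/32"), "Group_Destination")])
    for pol in convert_rule(asa, "inside", "outside", Net("172.14.100.0/24"), "Group_Destination", 10002):
        print(pol)
```

The function only disables the higher-to-lower case the guide describes; it does not model any other
nat-control behaviour of the source firewall, so treat its output as a review aid, not as proof that the
FortiGate policy set is equivalent.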

Unused VIP objects generate policy

In some cases, the final policy in an output configuration is one that FortiConverter generates from VIP objects
that aren't used as a destination address in at least one policy. For example:
edit 001
set srcintf "port1"
set dstintf "any"
set srcaddr "all"
set dstaddr "vip-172.21.84.24" "vip-172.21.84.25" "vip-172.21.84.26"
set service "ALL"
set schedule "always"
set logtraffic all
set status enable
set action deny
set comments "This policy is auto-generated by FortiConverter to activate static-NAT VIPs that aren't referenced in other policies."
next

This policy doesn't allow any traffic: its action is deny and it is placed last. It exists only to reference every
VIP object that no other policy uses, because the static source NAT mapping of a VIP (nat-source-vip) is active
only when a policy references the VIP. Keep the policy in the output, and don't change its action.
In some conversions, FortiConverter generates more than one of this kind of policy, one for each external
interface that is referenced by an unreferenced VIP object.
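
A post-conversion check for this case, added here and not part of FortiConverter: the parser below reads a
FortiOS configuration in the flat config / edit / set / next / end form of config-all.txt and reports, for every
VIP, which accept and which deny policies reference it (so a VIP that is kept active only by the auto-generated
deny policy, or not referenced at all, stands out), plus every policy FortiConverter disabled for NAT control.
The parser, the function names and the embedded sample configuration (constructed from the examples in this
section) are mine; the only FortiOS facts relied on are the CLI block structure and the set keywords shown on
this page.

```python
# Added example, not FortiConverter code: a post-conversion check over a FortiOS config
# (the flat config / edit / set / next / end form of config-all.txt) that reports, per VIP,
# which accept and deny policies reference it, and which policies the converter disabled
# for NAT control. SAMPLE_CONFIG is constructed from the examples in this section.
import shlex

SAMPLE_CONFIG = """\
config firewall vip
    edit "vip-172.31.242.69_ip"
        set extip 172.31.242.69
        set mappedip "10.100.128.97"
        set nat-source-vip enable
    next
    edit "vip-172.21.84.24"
        set extip 172.21.84.24
        set mappedip "10.100.128.24"
        set nat-source-vip enable
    next
end
config firewall policy
    edit 110004
        set srcaddr "Group_Destination"
        set dstaddr "vip-172.31.242.69_ip"
        set action accept
        set status enable
    next
    edit 10002
        set srcaddr "n-172.14.100.0_24"
        set dstaddr "Group_Destination"
        set action accept
        set status disable
        set comments "This policy is disabled as not allowed by NAT-Control."
    next
    edit 1
        set srcaddr "all"
        set dstaddr "vip-172.21.84.24"
        set action deny
        set status enable
        set comments "This policy is auto-generated by FortiConverter to activate static-NAT VIPs that aren't referenced in other policies."
    next
end
"""


def parse_fortios(text: str) -> dict:
    """{table: {entry: {setting: [values]}}} for a FortiOS CLI dump.

    A stack of [table, current entry] handles nesting, so a table inside config vdom /
    edit root is found under its own name, and a sub-table inside an entry (for example
    config realservers) becomes a table of its own without disturbing the parent entry.
    """
    tables, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[0] == "config":
            stack.append([" ".join(tok[1:]), None])
        elif tok[0] == "end" and stack:
            stack.pop()
        elif tok[0] == "edit" and stack:
            stack[-1][1] = tok[1]
            tables.setdefault(stack[-1][0], {}).setdefault(tok[1], {})
        elif tok[0] == "set" and stack and stack[-1][1] is not None:
            tables[stack[-1][0]][stack[-1][1]][tok[1]] = tok[2:]
        elif tok[0] == "next" and stack:
            stack[-1][1] = None
    return tables


def vip_references(tables: dict) -> dict:
    """For each VIP, the IDs of the accept and deny policies that use it as a destination."""
    refs = {vip: {"accept": [], "deny": []} for vip in tables.get("firewall vip", {})}
    for pid, pol in tables.get("firewall policy", {}).items():
        action = pol.get("action", ["accept"])[0]   # assumption: a policy without action is accept
        for addr in pol.get("dstaddr", []):
            if addr in refs:
                refs[addr].setdefault(action, []).append(pid)
    return refs


def nat_control_disabled(tables: dict) -> list:
    """Policies the converter switched off because nat-control would have dropped the traffic."""
    return sorted(pid for pid, pol in tables.get("firewall policy", {}).items()
                  if pol.get("status") == ["disable"]
                  and "NAT-Control" in " ".join(pol.get("comments", [])))


if __name__ == "__main__":
    t = parse_fortios(SAMPLE_CONFIG)
    for vip, r in vip_references(t).items():
        if r["accept"]:
            state = "used by accept policies"
        elif r["deny"]:
            state = "kept active only by the auto-generated deny policy"
        else:
            state = "unreferenced: static NAT mapping is not active"
        print(f"{vip}: accept={r['accept']} deny={r['deny']} ({state})")
    print("disabled for NAT control:", nat_control_disabled(t))
```

Run it against config-all.txt instead of SAMPLE_CONFIG by reading the file into parse_fortios. A VIP listed with
no accept and no deny reference is one the auto-generated policy failed to cover, so its static NAT mapping will
not be active after import.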

Juniper conversions - new application

The conversions in this section use the new FortiConverter application.


For more information on new features available with the new application, see New application features on page
157.

Juniper ScreenOS or Junos OS differences

VLAN logical interfaces

FortiConverter recognizes interface names starting with "vlan" as logical interfaces.

Service objects

Junos OS service objects support MS-RPC and SUN-RPC, where program numbers (SUN) and UUIDs (MS) are used
instead of ports.
FortiOS supports this configuration using Application Control with an application override.

Example of Junos service object conversion

config application list
    edit "MS-ActiveDirectory"
        config entries
            edit 1
                set application 152305667
                config parameters
                    edit 1
                        set value "45f52c28-7f9f-101a-b52b-08002b2efabe"
                    next
                    edit 2
                        set value "811109bf-a4e1-11d1-ab54-00a0c91e9b45"
                    next
                end
                set action pass
            next
        end
    next
end

edit 10012
    set srcintf "trust"
    set dstintf "mgn"
    set srcaddr "MEI-Novi-172.24.81.0-24" "MEI-Novi-172.24.80.0-24" "MEI-Novi-172.24.252.112-28"
    set dstaddr "MEI-WAN"
    set service "MS-ActiveDirectory"
    set schedule "always"
    set logtraffic all
    set status enable
    set action accept
    set comments "95"
    set application-list "MS-ActiveDirectory"
next

NAT support

For SRX Series gateways, FortiConverter supports conversion of the following NAT types:
- Destination NAT
- Source NAT
- Static NAT
In ScreenOS, source NAT is applied implicitly when the destination zone is in the untrust-vr, or when the source
zone is Trust, the destination zone is Untrust, and both belong to the trust-vr.

Saving the Juniper source configuration file

Before starting the conversion wizard, save a copy of your Juniper configuration file to the computer where
FortiConverter is installed. Treat the saved file as sensitive: it contains the firewall's credentials and keys.
To get the configuration, for both ScreenOS and Junos, in the web UI, go to Configuration > Update > Config
File.
Alternatively, for ScreenOS only, you can use the get config CLI command and paste the output into a plain
text file.
For Junos, FortiConverter requires the hierarchical (structural) configuration, as printed by show configuration,
rather than the set-format output of show configuration | display set. For example:
show configuration
## Last commit: 2013-06-05 11:28:53 CST by master
version 10.2S7;
groups {
    node0 {
        system {
            host-name SRX3400-Active;
            backup-router 172.16.1.254 destination 0.0.0.0/0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 172.16.1.1/24;
                    }
                }
            }
        }
    }
............
............

Juniper conversion wizard

The administrator password is not set on the new configuration. Set an admin password on the target FortiGate
before you connect its management interface to a network.

For third-party conversions, the trusted host settings are converted. Check the trusted host settings to ensure
they allow management access from the relevant network interfaces.

To start a new conversion

1. Start FortiConverter.
2. When start-up is complete, a browser window automatically opens to http://127.0.0.1:8000.

3. Click New Conversion, located at the top right corner.


4. Enter a name for the conversion configuration.
5. For Vendor, choose Juniper from the drop-down list.
6. Choose a Model, if applicable.
7. Click OK.
The configuration page opens to the Start page, and you can input your settings.

Juniper Start options

This table lists the start settings.

Profile

Description
    Enter a description of the configuration.

Output Options

Output Format
    Select the appropriate output for your target Fortinet device.

FOS Version
    FortiOS 5.6 and 6.0 have different configuration syntaxes. Select the version that corresponds to the FortiOS
    version on the target.

Input

Source Configuration
    Select the input file or files.

Conversion Options

Discard unreferenced firewall objects
    Specifies whether FortiConverter drops addresses, schedules, and services that no policy references instead
    of adding them to the output. This option can be useful if your target device has table size limitations.
    You can view the unreferenced objects that FortiConverter removed on the Conversion Result page.

Automatically generate policy interfaces
    Specifies whether FortiConverter generates policy interfaces using route information.

Adjust Service Table Capacity Size
    You can customize the maximum table sizes that FortiConverter uses when Adjust table sizes is selected. For
    more information, see Adjusting table sizes on page 155.

Route-based IPSec
    Specifies whether route-based IPsec is used for this conversion.

Comment Options

Include input configuration lines for each output policy
    Specifies whether FortiConverter includes the input configuration lines used for each FortiGate policy in the
    FortiGate configuration as a policy comment.

Interface Comment
    Specifies whether FortiConverter copies the interface comment from the source configuration to the mapped
    FortiGate interface.

Address Comment
    Specifies whether FortiConverter copies the address comment from the source configuration to the converted
    FortiGate address.

Service Comment
    Specifies whether FortiConverter copies the service comment from the source configuration to the converted
    FortiGate service.

Rule comment
    Specifies whether FortiConverter copies the security rule comment from the source configuration to the
    converted FortiGate policy.

NAT Merge Options

Ignore firewall policies with all or any addresses when processing NAT rules
    Specifies whether FortiConverter ignores firewall policies with an "all" or "any" address when it merges a
    NAT rule and a firewall policy to create a FortiGate NAT policy.
    FortiConverter creates new policies in the output configuration based on where NAT rules and firewall
    policies intersect. Because firewall policies that use "all" or "any" as the address create many
    intersections, Fortinet recommends that you ignore them.

Enable Central NAT merge (SRX only)
    Specifies whether FortiConverter converts NATs to FortiGate central NATs instead of policy-based NATs.

NAT Merge Depth

Source NAT, Static NAT, Destination NAT
    Specifies, for each type of NAT, whether FortiConverter merges it with the output firewall policies and
    whether the merge matches on object names or on object values:
    - Off: FortiConverter converts firewall policies only and doesn't perform NAT merge for this type of NAT.
      This is useful for a quick, initial conversion to discover any conversion issues.
    - Object Names: FortiConverter performs NAT merge based on matching address names in firewall policies
      and NAT rules.
    - Object Values: FortiConverter performs NAT merge based on matching address values in firewall policies
      and NAT rules. This generates the most accurate matching of NAT rules and policies, but in most cases it
      also generates more NAT policies.
    Because a conversion that includes a large number of NAT rules can take FortiConverter several hours,
    Fortinet recommends that you turn off or limit NAT merge for your initial conversion. Resolve any issues
    with the conversion before you run it again with NAT merge enabled. For more information, including
    example matches, see NAT merge options on page 156.

LSYS (Junos OS) or VSYS (ScreenOS) selection

Map the logical or virtual systems in the source configuration to VDOMs in the output configuration.
By default, all logical or virtual systems are mapped to VDOMs with the same name. You can modify this
default mapping as required by renaming VDOMs and removing logical or virtual systems from the conversion.

Enable VDOM
    Select to enable VDOMs (adds config global and config vdom syntax to the output config).

[trash]
    Click to delete the selected mapping item.

Removed vdom
    Select a removed VDOM and click Add to add it back into the VDOM list.

Information of Configurations
    Source configuration file names are shown in the table as links. Click a link to see the file's content. The
    content isn't shown if the file is too large.

Source Configuration Preview
    The number of objects of each type in the source configuration is shown in the table. Click an object count
    to see detailed information on each object.

Juniper Interface mapping

You can manually map the interface.

- To select the appropriate FortiGate interface, click the value in the FortiGate Interface column, and then
  select a value or enter a custom interface name.
- To edit other values, double-click the proper column. Use the toolbar icon on the right to show and hide
  columns. You can also use the Tuning page to create mappings after the conversion is complete.
- To import a set of interface mappings from a file, click Import.
- To download the current set of interface mappings, click Export.
- To delete an interface, select the entry and click Delete Selected. This is useful if your target FortiGate
  has fewer interfaces than the source configuration.

VDOM
    Shows the virtual domains used in the conversion.

Source Interface
    Shows each interface on the Juniper firewall.

FortiGate Interface
    Shows the corresponding FortiGate interface. Click to assign a FortiGate port for each interface.

Members
    Shows any members, if they are set.

IP-Netmask
    Shows the IP address and netmask of the interface.

Type
    Shows the type of interface.

Access
    Shows which protocols have permission to access each interface (administrative access).

Import
    Click to load a set of interface mappings from a text file.

Export
    Saves the current set of interface mappings to a text file.

Delete Selected
    Click to delete the selected mapping item.

Juniper Route Information

FortiConverter creates static routes in the output using the static routes it detects in the source configuration
and any routing information you provide.
Double-click an item to edit it.

New Route
    Click to add a route.

Delete
    Click to delete the selected route.

Juniper Conversion result

Conversion Summary
    Provides statistics about the conversion.

VDOM Mapping
    Shows how VDOMs were mapped from the source device to the new device.

Interface Mapping
    Shows how interfaces were mapped for each VDOM from the source device.

Device Summary
    Provides statistics about the detected objects.

FortiConverter includes error and warning messages in the conversion output when an error occurs.
Review the config-all.txt file after each conversion for errors. These errors and warning messages might cause
the import process to fail if they aren't corrected. See for more details.


McAfee conversion

StoneSoft differences

VPNs

StoneSoft VPNs aren’t converted.

Firewall clusters

Firewall clusters aren’t converted.


If a policy contains a firewall cluster, either remove or reconfigure the policy to remove the cluster. Other
firewall cluster related configurations, such as routing nodes, aren’t converted.

Saving the McAfee source configuration file

Before starting the McAfee conversion wizard, save a copy of your configuration file to the computer where
FortiConverter is installed.

If you encounter problems with your StoneSoft configuration file, send it to FortiConverter support at
[email protected]. The FortiConverter team will help improve your conversion for you.

The following applies to McAfee Firewall Enterprise 7.0.1. The configuration is binary, so the output of the
following commands must be saved to a text file for FortiConverter:
- Interfaces and zones: cf interface|zone|zonegroup query
- Address objects and address group objects: cf domain|ipaddr|iprange|subnet|netgroup query
- Service objects and service group objects: cf service|servicegroup query
- Admin users, firewall users, and user groups: cf adminuser query, cf udb query, cf usergroup query
- Static routes: cf static query
- Firewall policy: cf policy query


McAfee conversion wizard

The administrator password is not set on the new configuration.


For third-party conversions, the trusted host settings are converted. Check the trusted
host settings to ensure they allow management access from the relevant network
interfaces.

McAfee Start options

This table lists the start settings.

Model
    Select the model of the source configuration.

Output Format
    FortiGate is the only supported output.

Output OS Version
    FortiOS 5.6 and 6.0 have different configuration syntaxes. Select the version that corresponds to the FortiOS
    version on the target.

Discard unreferenced firewall objects
    Specifies whether FortiConverter drops addresses, schedules, and services that no policy references instead
    of adding them to the output. This option can be useful if your target device has table size limitations.
    You can view the unreferenced objects that FortiConverter removed on the Conversion Result page.

Include input configuration lines for each output policy
    Specifies whether FortiConverter includes the input configuration lines used for each FortiGate policy in the
    FortiGate configuration as a policy comment.

Adjust table sizes
    You can customize the maximum table sizes that FortiConverter uses when Adjust table sizes is selected. For
    more information, see Adjusting table sizes on page 155.

Output Directory
    Select the folder where FortiConverter saves the output configuration.

McAfee Source Configuration

Ensure the configuration is in a text format. FortiConverter can't use binary files.

Source Configuration
    Click to browse to the source configuration file.

VSYS selection

Map the virtual systems in the source configuration to VDOMs in the output configuration.
You can select multiple items from the list:
- To select multiple items, use Ctrl + click.
- To select contiguous items, use Shift + click.

Enable VDOM
    Select to enable VDOMs (adds config global and config vdom syntax to the output config).

Add
    Click to add a mapping item after you have deleted one.

Delete
    Click to delete a mapping item.

McAfee Interface mapping

You can manually map the interface.

To select the appropriate FortiGate interface, click the value in the FortiGate Interface column, and then select
a value or enter a custom interface name.
To edit other values in the Interface Mapping dialog box, including changing the interface from physical to
aggregate or unspecified, double-click a column other than FortiGate Interface.
The Interface Mapping dialog box allows you to select the following interface types:
- aggregate: Select up to four aggregate interface members. If you need to add additional members, edit the
  set member interface setting in the output configuration or use the FortiOS web UI to add interfaces after
  you import the configuration.
- unspecified: FortiConverter uses the interface name in the conversion but ignores the type and other
  attributes, which provides a name-to-name mapping without interface configuration. For example, you can
  create resources such as VLANs, LAGs, and inter-VDOM links on the target FortiGate device before you import
  the conversion, and then reference those interfaces in the physical interface mapping.
You can also use the Tuning page to create mappings, such as physical to VLAN, after the conversion is
complete.
To delete an interface, select the entry and click Delete. This is useful if your target FortiGate has fewer
interfaces than the source configuration.

FortiGate Interface (table column)
    Click to assign a FortiGate port for each interface. Enter a port name or custom text.

Import from file
    Click to load a set of interface mappings from a text file.

Export current mappings
    Saves the current set of interface mappings to a text file.

Add
    Click to add a mapping item.

Edit
    Click to edit additional properties for the selected mapping item.

Delete
    Click to delete the selected mapping item.

McAfee Route Information

FortiConverter creates static routes in the output using the static routes it detects in the source configuration
and any routing information you provide.
Double-click an item to edit it.

Add
    Click to add a route.

Edit
    Click to edit the selected route.

Delete
    Click to delete the selected route.

McAfee Conversion result

Conversion Summary
    Provides statistics about the conversion.

Policies Detected & Policies Created
    Allows you to view and compare the number of objects that FortiConverter detected in the source
    configuration and the number it created for the output configuration.

Messages & Warnings
    Allows you to review any objects that FortiConverter did not include in the conversion. If you enabled
    Discard unreferenced firewall objects on the Start page, this tab displays the objects that were removed.

Some columns can be selected, sorted, and filtered.

View in HTML
    Generates an HTML page of the conversion result.

Go to Output
    Opens the output folder.

Go to Tuning
    Opens the tuning page. See Tuning the output on page 119.

Go to Report
    Opens a detailed conversion report that includes a list of converted objects and policies and displays lines
    from the source configuration that FortiConverter did not convert.

For more information, see Viewing the results of your automatic conversion on page 134.

FortiConverter includes error and warning messages in the conversion output when an error occurs.
Review the config-all.txt file after each conversion for errors. These errors and warning messages might cause
the import process to fail if they aren't corrected. See for more details.


Palo Alto Networks conversion - new application

Conversion support

FortiConverter supports the following features:
- Interface
- Zone
- Address (group), including IPv6
- Service (group)
- Policy
- NAT (rule NAT only)
- VPN
- Route
- Schedule
- User

Saving the PAN source configuration files

Before starting the Palo Alto conversion wizard, save a copy of your configuration file to the computer where
FortiConverter is installed.
In the web UI, go to Device > Setup > Operations, then click Export named configuration snapshot.
If the configuration is managed using Panorama shared policy configuration, disable the shared configuration
before exporting, as described below.

To disable Panorama shared configuration

1. Log in to the device you want to remove from Panorama.
2. Go to Device > Setup > Management > Panorama Settings and click Disable Panorama Policy and Object or Disable Device and Network Template.

3. Do one of the following to import the configuration from Panorama into the firewall local configuration:
   - If you clicked Disable Panorama Policy and Object, in the edit dialog box, select Import Panorama Policy and Objects before disabling and then click OK.
   - If you clicked Disable Device and Network Template, select Import Device and Network Template before disabling and then click OK.

4. Log in to the device that was removed from Panorama and go to Device > Setup > Operations > Save > Save named configuration snapshot.
5. Enter a name that helps to identify the configuration. In this example, it is pan2fg.
6. Go to Device > Setup > Operations > Export > Export the named configuration snapshot.

7. Click OK.
Select the exported file on the Source Configuration page of the Palo Alto conversion wizard.

Palo Alto conversion wizard

The administrator password is not set on the new configuration.

For third-party conversions, the trusted host settings are converted. Check the trusted host settings to ensure they allow management access from the relevant network interfaces.

To start a new conversion

1. Start FortiConverter.
2. When start-up is complete, a browser window automatically opens to http://127.0.0.1:8000.
3. Click New Conversion, located at the top right corner.
4. Enter a name for the conversion configuration.
5. For Vendor, choose PaloAlto from the drop-down list.
6. Choose a Model, if applicable.
7. Click OK.
   The configuration page opens to the Start page, and you can input your settings.

Palo Alto Start options

This table lists the start settings.

Setting Description

Profile

Description Enter a description of the configuration.

Output Options

Output Format Select the appropriate output for your target Fortinet device.

FOS Version FortiOS 5.6 and 6.0 have different configuration syntaxes. Select the version that corresponds to the FortiOS version on the target.

Input

Source Configuration Select the input file.

Conversion Options

Discard unreferenced firewall objects Specifies whether addresses and services that aren't
referenced by a policy are saved and added to the
output. This option can be useful if your target device
has table size limitations. You can view the
unreferenced objects that FortiConverter removed on
the Conversion Result page.

Adjust Service Table Capacity Size You can customize the maximum table sizes that
FortiConverter uses when Adjust table sizes is selected.
For more information, see Adjusting table sizes on page
155.

Comment Options

Include input configuration lines for each Specifies whether FortiConverter includes the input
output policy configuration lines used for each FortiGate policy in the
FortiGate configuration as a policy comment.

Interface Comment Specifies whether FortiConverter copies the interface comment from the source configuration to the mapped FortiGate interface.

Address Comment Specifies whether FortiConverter copies the address comment from the source configuration to the converted FortiGate address.

Service Comment Specifies whether FortiConverter copies the service comment from the source configuration to the converted FortiGate service.

NAT Merge Options

Ignore firewall policies with all or any Specifies whether FortiConverter ignores firewall
addresses when processing NAT rules policies with an "all" or "any" address when it merges a
NAT rule and a firewall policy to create a FortiGate NAT
policy. FortiConverter creates new policies in the output
configuration based on where NAT rules to firewall
policies intersect. Because firewall policies that use "all"
or "any" as the address create many intersections,
Fortinet recommends that you ignore them.

Enable central NAT merge Specifies whether FortiConverter converts NATs to FortiGate central NATs instead of policy-based NATs. It is recommended to enable this option with FOS 6.0.

PAN Source Configuration

Source Preview

Setting Description

Information of Configurations Source configuration file names are shown in the table as links. Click a link to see the content. The file won't show if it's too large.

Source Configuration Preview The number of each type of firewall object is shown in Palo Alto Start options on page 88. Click the object number to see detailed information on each object.

Palo Alto Interface mapping

You can manually map the interfaces.

- To select the appropriate FortiGate interface, click the value in the FortiGate Interface column, and then select a value or enter a custom interface name.
- To edit other values, double-click the proper column. Use the toolbar icon on the right to show and hide columns. You can also use the Tuning page to create mappings after the conversion is complete.
- To import a set of interface mappings from a file, click Import.
- To download the current set of interface mappings, click Export.
- To delete an interface, select the entry and click Delete Selected. This is useful if your target FortiGate has fewer interfaces than the source configuration.

Setting Description

VDOM Shows the virtual domains used in the conversion ("root" by default).

Source Interface Shows each interface name on the PaloAlto firewall.

FortiGate Interface Shows the corresponding FortiGate interface. Click to assign a FortiGate port for each interface.

Members Shows any members, if they are set.

IP-Netmask Shows the IP address and netmask of the connection.

Type Shows the type of interface.

Access Shows which protocols have permission to access each interface.

Import Click to load a set of interface mappings from a text file.

Export Saves the current set of interface mappings to a text file.

Delete Selected Click to delete the selected mapping item.

Palo Alto Route Information

FortiConverter creates static routes in the output using the static routes it detects in the source configuration
and any routing information you provide.
Double-click an item to edit it.

Setting Description

New Route Click to add a route.

Delete Click to delete the selected route.

Palo Alto Conversion result

Tab Description

Conversion Summary Provides statistics about the conversion.

Interface Mapping Shows how interfaces were mapped for each VDOM from the source device.

Device Summary Provides statistics about the detected objects.

FortiConverter includes error and warning messages in the converted configuration when an error occurs. Review the config-all.txt file after each conversion for errors. If not corrected, these error and warning messages might cause the import process to fail. See for more details.

Snort conversion - new application

Snort conversion wizard

Basic outline of a Snort rule

[action][protocol][sourceIP][sourceport] -> [destIP][destport] ( [Rule options] )
| ---------------- Rule Header ------------------------------- |- Rule Options - |

Snort rule example

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player
ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established;
flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 92 90 4E|";
fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips
drop, service ftp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html;
classtype:attempted-user; sid:24874; rev:3;)

FGT custom IPS signature

config ips custom
    edit "S24874R3"
        set signature "F-SBID(--name \"S24874R3\"; --protocol tcp; --service FTP; --flow from_server; --tag test,file.swf; --pattern \"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 92 90 4E|\";)"
        set action block
        set status enable
        set log enable
        set comment ''
    next
end

"action" field

Supported keyword
alert

Unsupported keyword
log

"protocol" field

Supported keyword
tcp/udp/ip/icmp/HTTP/FTP/POP3/SMTP/TELNET/SSH/IMAP/SNMP/RADIUS

HTTP/FTP/POP3/SMTP/TELNET/SSH/IMAP -> tcp
SNMP/RADIUS -> udp

"sourceIP", "sourceport", "destIP" and "destport" fields

Supported keyword
Either "any" or "$xxxx" variable

"Rule options" field

Supported keywords

Option | Test input | Test output

byte_test | byte_test:1,!&,0xF8,2; | --byte_test 1,~,0xF8,2;
byte_jump | byte_jump:4,-10,relative,little; | --byte_jump 4,-10,little,relative;
threshold | threshold:type limit, track by_src, count 1, seconds 60; | --track SRC_IP; --rate 1,60;
nocase | nocase; | --no_case;
isdataat | isdataat:50,relative; | --data_at 50,relative;
http_raw_uri | http_raw_uri; | --context uri;
http_raw_cookie | http_raw_cookie; | --context header;
http_raw_header | http_raw_header; | --context header;
http_stat_code | http_stat_code; | --context banner;
http_stat_msg | http_stat_msg; | --context banner;
sip_header | sip_header; | --context header;
sip_body | sip_body; | --context body;
id | id:123456; | --ip_id 123456;
dsize | dsize:<400; | --data_size <400;
ipopts | ipopts:lsrr; | --ip_option lsrr;
flags | flags:SF,CE; | --tcp_flags SF,CE;
seq | seq:0; | --seq 0;
ack | ack:0; | --ack 0;
window | window:55808; | --window_size 55808;
itype | itype:>30; | --icmp_type >30;
icode | icode:>30; | --icmp_code >30;
icmp_id | icmp_id:0; | --icmp_id 0;
icmp_seq | icmp_seq:0; | --icmp_seq 0;
rpc | rpc:100000, *, 3; | --rpc_num 100000, *, 3;
sameip | sameip; | --same_ip;
ttl | ttl:<3; | --ip_ttl <3;
tos | tos:!4; | --ip_tos !4;
content | content:"OK LOGIN"; | --pattern \"OK LOGIN\";
flowbits | flowbits:set,logged_in; flowbits:noalert; | --tag set,logged_in; --tag quiet;
flow | flow:to_server,established; | --flow from_client;
pcre | pcre:"/^User-Agent\x3A[^\r\n]*malware/miH"; | --pcre \"/^User-Agent\x3A[^\r\n]*malware/mi\";
uricontent | uricontent:"testurl"; | --pattern "testurl"; --context uri;
ip_proto | ip_proto:igmp; | --protocol igmp;
depth | depth:8; | --within 8,packet;
offset | offset:4; | --distance 4,packet;
within | within:10; | --within 10;
distance | distance:4; | --distance 4;
http_client_body | http_client_body; | --context body;
http_cookie | http_cookie; | --context header;
http_method | http_method; | --context uri;
urilen | urilen:5; | --data_size 5,uri;
metadata | metadata:impact_flag red, service dns; | --service DNS;
sid | sid:19644; | --name \"S19644R4\";
rev | rev:4; | --name \"S19644R4\";
byte_extract | byte_extract:1, 0, str_offset; | --extract 1,0,$0;
rawbytes | rawbytes; | --context packet_origin;
msg | msg:"Bad Stuff detected within field"; | set comment "Bad Stuff detected within field"
file_data | file_data; | --context file;
pkt_data | pkt_data; | --context packet;
detection_filter | detection_filter:track by_src, count 30, seconds 60; | --rate 30,60; --track SRC_IP;

Unsupported keywords:

replace
stream_reassemble
stream_size
cvs
ftpbounce
asn1
fragbits
fragoffset
base64_decode
base64_data
sip_method
sip_stat_code
gtp_type
gtp_info
gtp_version
ssl_state
reference
classtype
priority
gid
fast_pattern
logto
session
resp
react
tag
activates
activated_by
http_encode
count
dce_iface
dce_opnum
dce_stub_data
metadata
protected_content
hash
length
modbus_func
dnp3_ind
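The rule-to-signature mapping described in this section, as an added example that is not part of the guide or of FortiConverter: a small Python converter that parses a Snort rule header and its options, applies the keyword tables above, and emits the config ips custom block. The sample rule is the FILE-FLASH rule quoted above, abridged; because the example follows the table, file_data becomes --context file, which the guide's own example output leaves out.

```python
import re
from typing import Dict, List, Tuple

# Added example, not FortiConverter code: converts a Snort rule into the FortiGate custom
# IPS signature shape shown above, following this section's keyword tables. Keywords not
# wired into the tables below are reported as dropped, never guessed.
HEADER_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<sip>\S+)\s+(?P<sport>\S+)"
                       r"\s*->\s*(?P<dip>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.S)
# Application protocols the guide folds into a transport plus a --service field.
SERVICE_TRANSPORT = {"http": "tcp", "ftp": "tcp", "pop3": "tcp", "smtp": "tcp", "telnet": "tcp",
                     "ssh": "tcp", "imap": "tcp", "snmp": "udp", "radius": "udp"}
# Bare options (no value) -> F-SBID keyword, from the supported keyword table above.
BARE = {"nocase": "--no_case", "sameip": "--same_ip", "file_data": "--context file",
        "pkt_data": "--context packet", "rawbytes": "--context packet_origin",
        "http_raw_uri": "--context uri", "http_method": "--context uri",
        "http_cookie": "--context header", "http_raw_cookie": "--context header",
        "http_raw_header": "--context header", "sip_header": "--context header",
        "http_stat_code": "--context banner", "http_stat_msg": "--context banner",
        "http_client_body": "--context body", "sip_body": "--context body"}
# Valued options whose value is copied through unchanged.
VALUED = {"isdataat": "--data_at", "id": "--ip_id", "dsize": "--data_size", "ipopts": "--ip_option",
          "flags": "--tcp_flags", "seq": "--seq", "ack": "--ack", "window": "--window_size",
          "itype": "--icmp_type", "icode": "--icmp_code", "icmp_id": "--icmp_id",
          "icmp_seq": "--icmp_seq", "rpc": "--rpc_num", "ttl": "--ip_ttl", "tos": "--ip_tos",
          "ip_proto": "--protocol", "within": "--within", "distance": "--distance"}
# Constructed input: the FILE-FLASH rule quoted above, abridged and put on one line.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any '
               '(msg:"FILE-FLASH opcode verifying code execution attempt"; flow:to_client,established; '
               'flowbits:isset,file.swf; file_data; '
               'content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 92 90 4E|"; fast_pattern:only; '
               'metadata:policy balanced-ips drop, service ftp; reference:cve,2012-5271; '
               'classtype:attempted-user; sid:24874; rev:3;)')

def split_options(text: str) -> List[Tuple[str, str]]:
    # Split 'key:value; key; ...' on semicolons that sit outside double quotes.
    opts, buf, quoted = [], "", False
    for ch in text + ";":
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            if buf.strip():
                key, _, val = buf.strip().partition(":")
                opts.append((key, val.strip()))
            buf = ""
        else:
            buf += ch
    return opts

def q(value: str) -> str:
    # Quote a value the way the guide escapes it inside set signature "...": \"value\"
    return '\\"' + value.strip('"') + '\\"'

def convert_rule(rule: str) -> Dict[str, object]:
    # Returns the S<sid>R<rev> name, the F-SBID string, the comment and the dropped keywords.
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule")
    if m["action"] != "alert":        # the guide converts alert only; log is unsupported
        raise ValueError(f"unsupported action {m['action']!r}")
    if any(m[f] != "any" and not m[f].startswith("$") for f in ("sip", "sport", "dip", "dport")):
        raise ValueError("addresses and ports must be 'any' or a $variable")
    proto, service = m["proto"].lower(), None
    if proto in SERVICE_TRANSPORT:    # e.g. http -> tcp plus --service HTTP
        service, proto = proto.upper(), SERVICE_TRANSPORT[proto]
    ids, comment, body, dropped = {}, "", [], []
    for key, val in split_options(m["opts"]):
        if key in ("sid", "rev"):
            ids[key] = val
        elif key == "msg":
            comment = val.strip('"')
        elif key == "metadata":       # only the 'service X' item carries over
            for words in (item.split() for item in val.split(",")):
                if len(words) == 2 and words[0] == "service":
                    service = words[1].upper()
        elif key == "flow":           # to_client -> from_server, to_server -> from_client
            body.append("--flow from_server" if val.startswith("to_client") else "--flow from_client")
        elif key == "flowbits":       # isset -> test, noalert -> quiet, set stays set
            op, _, name = val.partition(",")
            body.append("--tag quiet" if op == "noalert" else f"--tag {'test' if op == 'isset' else op},{name}")
        elif key in ("content", "uricontent"):
            body.append(f"--pattern {q(val)}")
            if key == "uricontent":
                body.append("--context uri")
        elif key in ("depth", "offset"):   # packet-anchored forms of within/distance
            body.append(f"--{'within' if key == 'depth' else 'distance'} {val},packet")
        elif key in BARE:
            body.append(BARE[key])
        elif key in VALUED:
            body.append(f"{VALUED[key]} {val}")
        else:
            dropped.append(key)       # unsupported keyword: report it, do not guess
    name = f"S{ids['sid']}R{ids['rev']}"   # KeyError if the rule carries no sid/rev
    fields = [f"--name {q(name)}", f"--protocol {proto}"] + ([f"--service {service}"] if service else [])
    return {"name": name, "sbid": "F-SBID(" + "; ".join(fields + body) + ";)",
            "comment": comment, "dropped": dropped}

def render(sig: Dict[str, object]) -> str:
    # Emit the config ips custom block in the shape shown above.
    return "\n".join(["config ips custom", f'    edit "{sig["name"]}"',
                      f'        set signature "{sig["sbid"]}"', "        set action block",
                      "        set status enable", "        set log enable",
                      f"        set comment '{sig['comment']}'", "    next", "end"])
```

The dropped list is the part worth reading after a batch run: every keyword in it is one the guide marks unsupported (or one this example does not handle), so the resulting signature is narrower than the Snort rule and must be reviewed before it is enabled.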

Snort Start options

This table lists the start settings.

Setting Description

Profile

Description Enter a description of the configuration.

Input

Snort Rules Select the input file.

Snort Variable Definition (optional) Select the file that defines the IP and port variables. Undefined variables are converted to "any".

Conversion Options

Add extra backslash "\" for special characters FortiConverter adds an extra backslash for special characters in the conversion.

Convert annotated rules as status disable Select to disable rules that are annotated in the source configuration.

Convert Snort rule's "msg" field to comment Preserves "msg" fields as comments in the converted rules.

Source Preview

This page shows the information inside the configuration.

Setting Description

IP Variables The definitions of IP variables parsed from the variable definition file.

Port Variables The definitions of port variables parsed from the variable definition file.

Snort IPS Signature IPS signatures parsed from the input Snort rule files.

Snort Conversion result

Tab Description

Snort IPS Signature Shows variable definitions and Snort IPS signature contents.

FortiGate IPS Signature Shows converted FortiGate IPS signatures.

SonicWall conversion - new application

The conversions in this section use the new FortiConverter application.

For more information on the new features available with the new application, see New application features on page 157.

SonicWall differences

Special characters

FortiGate reserves '#' (hash sign), '(' and ')' (open and close parentheses) as special characters. You can't use them in the configuration unless an escape sequence precedes them. FortiConverter replaces these characters with '*' (star), '[' and ']' (open and close square brackets).
Examples:
- The address book "SNWL #1" becomes "SNWL *1".
- The service book "Citrix TCP (Session Reliability)" becomes "Citrix TCP [Session Reliability]".

Address book configuration

- FortiGate address objects don't support MAC addresses. Therefore, the wizard doesn't migrate SonicWall MAC addresses.
- FortiConverter generates two extra address book entries: "Any" and "_Address_Null".
- "Any" is added because it is a default address book in SonicWall.
- FortiConverter generates "_Address_Null" because FortiGate address groups don't allow a group without any members. Only empty address groups can refer to "_Address_Null".

Service book configuration

FortiConverter doesn't migrate SonicWall service objects that are predefined on FortiGate. For example, HTTP
port 80 and HTTPS port 443.

Schedule configuration

- A SonicWall schedule group can contain only one "one-time" schedule and multiple "recur" schedules. The "one-time" schedule is an implicit object that you can embed in the schedule group. Because FortiGate defines each schedule group explicitly, FortiConverter automatically generates "one-time" schedules for the SonicWall implicit schedules.
- FortiGate time schedule configuration doesn't support "24:00" (equal to the next day's 00:00). It uses "00:00" instead. When FortiConverter converts a SonicWall "recur" time schedule such as "M 00:00 to 24:00", it sets the end time to "00:00".

Local User and User Group

- Because FortiConverter can't parse the local user's password string, it sets all passwords to "123456".
- Unlike FortiConverter, SonicWall allows you to nest user groups. For example, in SonicWall, usergroup1 can be a member of usergroup2. FortiConverter removes any nested configurations.

Route configuration

- FortiConverter doesn't convert automatically generated routes like connected routes and host routes.
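The naming and schedule differences above, as an added example that is not from the guide or from FortiConverter: constructed SonicWall schedule objects are renamed and turned into FortiOS schedule CLI. The FortiOS CLI shape (config firewall schedule recurring, onetime and group) is assumed from the FortiOS CLI rather than taken from this guide, and the _onetime suffix and the day abbreviations are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not FortiConverter code: applies the SonicWall naming and schedule
# differences listed above to a constructed SonicWall schedule group and emits FortiOS
# schedule objects. The CLI shapes (config firewall schedule recurring / onetime / group)
# are assumed from the FortiOS CLI; the day abbreviations are this example's own.
RESERVED = str.maketrans({"#": "*", "(": "[", ")": "]"})
DAY = {"M": "monday", "T": "tuesday", "W": "wednesday", "TH": "thursday",
       "F": "friday", "SA": "saturday", "SU": "sunday"}


def fortigate_name(name: str) -> str:
    """Swap the characters FortiGate reserves for the replacements the guide lists."""
    return name.translate(RESERVED)


def fortigate_end(time: str) -> str:
    """FortiGate has no 24:00 end time; the guide says it becomes 00:00."""
    return "00:00" if time == "24:00" else time


@dataclass
class Recur:
    name: str
    days: List[str]      # SonicWall day abbreviations, see DAY
    start: str           # HH:MM
    end: str             # HH:MM, may be 24:00 on SonicWall


@dataclass
class OneTime:           # implicit on SonicWall: embedded in the group, no name of its own
    start: str           # "HH:MM YYYY/MM/DD" (assumed FortiOS onetime format)
    end: str


@dataclass
class ScheduleGroup:
    name: str
    recurs: List[Recur]
    one_time: Optional[OneTime] = None   # a SonicWall group holds at most one


def convert_group(group: ScheduleGroup) -> str:
    out, members = [], []
    for r in group.recurs:
        n = fortigate_name(r.name)
        members.append(n)
        out += ["config firewall schedule recurring", f'    edit "{n}"',
                f"        set day {' '.join(DAY[d] for d in r.days)}",
                f"        set start {r.start}", f"        set end {fortigate_end(r.end)}",
                "    next", "end"]
    if group.one_time:   # FortiGate needs an explicit object, so one is generated (suffix is ours)
        n = fortigate_name(group.name) + "_onetime"
        members.append(n)
        out += ["config firewall schedule onetime", f'    edit "{n}"',
                f"        set start {group.one_time.start}", f"        set end {group.one_time.end}",
                "    next", "end"]
    out += ["config firewall schedule group", f'    edit "{fortigate_name(group.name)}"',
            "        set member " + " ".join(f'"{m}"' for m in members), "    next", "end"]
    return "\n".join(out)


# Constructed sample: a group named with reserved characters, a weekday "recur" that
# ends at 24:00, and the group's implicit one-time schedule.
SAMPLE_GROUP = ScheduleGroup(
    name="Maintenance (Site #2)",
    recurs=[Recur("Weekdays #1", ["M", "T", "W", "TH", "F"], "00:00", "24:00")],
    one_time=OneTime("08:00 2019/05/03", "18:00 2019/05/03"))
```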

Saving the SonicWall source configuration file

Before starting the SonicWall conversion wizard, save a copy of your configuration file to the computer where FortiConverter is installed.
In the web UI, go to System > Settings > Export Settings to export the settings file.

SonicWall conversion wizard

The administrator password is not set on the new configuration.

For third-party conversions, the trusted host settings are converted. Check the trusted host settings to ensure they allow management access from the relevant network interfaces.

To start a new conversion

1. Start FortiConverter.
2. When start-up is complete, a browser window automatically opens to http://127.0.0.1:8000.
3. Click New Conversion, located at the top right corner.
4. Enter a name for the conversion configuration.
5. For Vendor, choose SonicWall from the drop-down list.
6. Choose a Model, if applicable.
7. Click OK.
   The configuration page opens to the Start page, and you can input your settings.

SonicWall Start options

This table lists the start settings.

Setting Description

Profile

Description Enter a description of the configuration.

Output Options

Output Format Select the appropriate output for your target Fortinet device.

FOS Version FortiOS 5.6 and 6.0 have different configuration syntaxes. Select
the version that corresponds to the FortiOS version on the target.

Input

Source Configuration Select the input file.

Conversion Options

Discard unreferenced firewall Specifies whether addresses, schedules, and services that aren't
objects referenced by a policy are saved and added to the output.
This option can be useful if your target device has table size
limitations. You can view the unreferenced objects that
FortiConverter removed on the Conversion Result page.

Adjust Service Table Capacity Size You can customize the maximum table sizes that FortiConverter
uses when Adjust table sizes is selected. For more information, see
Adjusting table sizes on page 155.

Comment Options

Include input configuration lines for each output policy Specifies whether FortiConverter uses SW_RULE_ID as the policy comment for each FortiGate policy or the original comment from the rules in the SonicWall configuration.

NAT Merge Options

Ignore firewall policies with all or Specifies whether FortiConverter ignores firewall policies with an
any addresses "all" or "any" address when it merges a NAT rule and a firewall policy
to create a FortiGate NAT policy. FortiConverter creates new
policies in the output configuration based on where NAT rules to
firewall policies intersect. Because firewall policies that use "all" or
"any" as the address create many intersections, Fortinet
recommends that you ignore them.

Enable Central NAT merge Specifies whether FortiConverter converts NATs to FortiGate central NATs instead of policy-based NATs.

NAT Merge Depth

Identical NAT, Source NAT, Destination NAT, Double NAT Specifies, for each type of NAT, whether FortiConverter merges it with the output firewall policies and whether the NAT merge is based on object names or values.
- Off: FortiConverter converts firewall policies only and doesn't perform NAT merge for this type of NAT. This is useful for performing a quick, initial conversion to discover any conversion issues.
- Object Names: FortiConverter performs NAT merge based on matching address names in firewall policies and NAT rules.
- Object Values: FortiConverter performs NAT merge based on matching address values in firewall policies and NAT rules. It generates the most accurate matching of NAT rules and policies, but in most cases, it also generates more NAT policies.

SonicWall Source Configuration

Source Preview

Setting Description

Information Source configuration file names are shown in the table.

Source Configuration Preview The number of each type of firewall object is shown in the previous table. Click the object number to see detailed information about each object.

SonicWall Interface mapping

You can manually map the interfaces.

- To select the appropriate FortiGate interface, click the value in the FortiGate Interface column, and then select a value or enter a custom interface name.
- To edit other values, double-click the proper column. Use the toolbar icon on the right to show and hide columns. You can also use the Tuning page to create mappings after the conversion is complete.
- To import a set of interface mappings from a file, click Import.
- To download the current set of interface mappings, click Export.
- To delete an interface, select the entry and click Delete Selected. This is useful if your target FortiGate has fewer interfaces than the source configuration.

Setting Description

VDOM Shows the virtual domains used in the conversion.

Source Interface Shows each interface on the SonicWall firewall.

FortiGate Interface Shows the corresponding FortiGate interface. Click to assign a FortiGate port for each interface.

Members Shows any members, if they are set.

IP-Netmask Shows the IP address and netmask of the connection.

Type Shows the type of interface.

Access Shows which protocols have permission to access each interface.

Import Click to load a set of interface mappings from a text file.

Export Saves the current set of interface mappings to a text file.

Delete Selected Click to delete the selected mapping item.

SonicWall Route Information

FortiConverter creates static routes in the output using the static routes it detects in the source configuration
and any routing information you provide.
Double-click an item to edit it.

Setting Description

New Route Click to add a route.

Delete Click to delete the selected route.

SonicWall Conversion result

Tab Description

Conversion Summary Provides statistics about the conversion.

VDOM Mapping Shows how VDOMs were mapped from the source device to the new device.

Interface Mapping Shows how interfaces were mapped for each VDOM from the source device.

Device Summary Provides statistics about the detected objects.

FortiConverter includes error and warning messages in the converted configuration when an error occurs. Review the config-all.txt file after each conversion for errors. If not corrected, these error and warning messages might cause the import process to fail. See for more details.

Sophos conversion - new application

Sophos Networks differences

Conversion support

FortiConverter supports the following features:

- Interface
- Zone
- Address
- Address group
- Service
- Service group
- User
- User group
- Policy
- Route

VPN and route conversions are not currently supported. NAT rules are not converted, but MASQ in policies can be converted into interface SNAT in policies.

Saving the Sophos source configuration files

Before starting the conversion wizard, save a copy of your Sophos configuration file to the computer where
FortiConverter is installed.

To save the source configuration files

1. In the web UI, go to Backup & Firmware.
2. Click Import Export.
3. In the Export block, select Export full configurations.
4. Click Export and save the configuration file, which should be XML-formatted.

Sophos conversion wizard

To start a new conversion

1. Start FortiConverter.
2. When start-up is complete, a browser window automatically opens to http://127.0.0.1:8000.
3. Click New Conversion, located at the top right corner.
4. Enter a name for the conversion configuration.
5. For Vendor, choose Sophos from the drop-down list.
6. Choose a Model, if applicable.
7. Click OK.
   The configuration page opens to the Start page, and you can input your settings.

Sophos Start options

This table lists the start settings.

Setting Description

Profile

Description Enter a description of the configuration.

Output Options

Output Format Select the appropriate output for your target Fortinet device.

FOS Version FortiOS 5.6 and 6.0 have different configuration syntaxes. Select
the version that corresponds to the FortiOS version on the target.

Input

Source Configuration Select the input file.

Conversion Options

Discard unreferenced firewall Specifies whether addresses and services that aren't referenced
objects by a policy are saved and added to the output. This option can be
useful if your target device has table size limitations. You can
view the unreferenced objects that FortiConverter removed on
the Conversion Result page.

Adjust Service Table Capacity Size You can customize the maximum table sizes that FortiConverter
uses when Adjust table sizes is selected. For more information,
see Adjusting table sizes on page 155.

Comment Options

Service Group Comment Specifies whether FortiConverter copies the service group
comment from the source configuration to the FortiGate service
group.

Source preview

This table shows the information inside the configuration.

Setting Description

Information of Configurations Source configuration file names are shown in the table as links. Click a link to see the content. The file won't show if it's too large.

Source Configuration Preview The number of each type of firewall object is shown in the Sophos Start options table on page 104. Click the object number to see detailed information about each object.

Sophos Interface mapping

You can manually map the interfaces.

- To select the appropriate FortiGate interface, click the value in the FortiGate Interface column, and then select a value or enter a custom interface name.
- To edit other values, double-click the proper column. Use the toolbar icon on the right to show and hide columns. You can also use the Tuning page to create mappings after the conversion is complete.
- To import a set of interface mappings from a file, click Import.
- To download the current set of interface mappings, click Export.
- To delete an interface, select the entry and click Delete Selected. This is useful if your target FortiGate has fewer interfaces than the source configuration.

Setting Description

VDOM Shows the virtual domains used in the conversion. ("root" by default)

Source Interface Shows each interface on the Sophos firewall.

FortiGate Interface Shows the corresponding FortiGate interface. Click to assign a FortiGate port for each interface.

Members Shows any members, if they are set.

IP-Netmask Shows the IP address and netmask of the connection.

Type Shows the type of interface.

Access Shows which protocols have permission to access each interface.

Import Click to load a set of interface mappings from a text file.

Export Saves the current set of interface mappings to a text file.

Delete Selected Click to delete the selected mapping item.

Sophos Route Information

FortiConverter creates static routes in the output using the static routes it detects in the source configuration
and any routing information you provide.
Double-click an item to edit it.

Setting Description

New Route Click to add a route.

Delete Click to delete the selected route.

Sophos conversion result

Tab Description

Conversion Summary Provides statistics about the conversion.

Interface Mapping Shows how interfaces are mapped for each VDOM from the source device.

Device Summary Provides statistics about the detected objects.

FortiConverter includes error and warning messages in the converted configuration when an error occurs. Review the config-all.txt file after each conversion for errors. If not corrected, these error and warning messages might cause the import process to fail. See for more details.

Tipping Point conversion

Tipping Point differences

Interface and schedule conversion

Source interfaces and destination interfaces are set to "any" after conversion.
Schedules are set to "always" in all policies after conversion.

Action Set

If "Block" or "Drop" appears in an action set, the FortiGate policy strAction is set to "deny". Otherwise,
the policy is set to "accept".
If "rsyslog" is found in an action set, the FortiGate policy strLogTraffic is set to "enable". Otherwise, it
is disabled.

Ignored fields

The following fields are parsed but ignored:

- Zone
- Users
- Apps
- Security
- Reputation
- Install On

Saving the Tipping Point source configuration file

Before starting the Tipping Point conversion wizard, save a copy of your configuration file to the computer where FortiConverter is installed.

If you encounter problems with your TippingPoint configuration file, send it to FortiConverter support at [email protected]. The FortiConverter team will help improve your conversion.

To download addresses and address groups

1. Click the Admin tab, located at the top.
2. Click Named resources.
3. Click the address or address group.
4. Press Ctrl + A to select all.
5. Copy and paste the selected address or address group to a text file.
6. Repeat for all other addresses or address groups.

To download service and service groups

1. Click the Profile tab, located at the top.
2. Click Expand profiles.
3. Click Shared settings.
4. Click the service or service group.
5. Press Ctrl + A to select all.
6. Copy and paste the selected service or service group to a text file.
7. Repeat for all other services and service groups.

To download policies

1. Click the Profile tab, located at the top.
2. Click Firewall profiles.
3. Select a policy from the list.
4. Click an item.
5. Press Ctrl + A to select all.
6. Copy and paste the policy to a text file.
7. Repeat for all other policies.

Tipping Point conversion wizard

The administrator password is not set on the new configuration.

For third-party conversions, the trusted host settings are converted. Check the trusted host settings to ensure they allow management access from the relevant network interfaces.

Tipping Point Start options

This table lists the start settings.

Setting Description

Model IPS is the only model supported.

Output Format FortiGate is the only supported output.

Output OS Version FortiOS 5.6 and 6.0 have different configuration syntaxes. Select the version that corresponds to the FortiOS version on the target.

Discard unreferenced firewall objects Specifies whether addresses, schedules, and services
that are not referenced by a policy are saved and
added to the output. This option can be useful if your
target device has table size limitations. You can view
the unreferenced objects that FortiConverter removed
on the Conversion Result page.

Include input configuration lines for each Specifies whether FortiConverter includes the input
output policy configuration lines used for each FortiGate policy in
the FortiGate configuration as a policy comment.

Adjust table sizes You can customize the maximum table sizes that FortiConverter uses when Adjust table sizes is selected. For more information, see Adjusting table sizes on page 155.

Output Directory Select the folder where FortiConverter saves the output configuration.

Tipping Point Source Configuration

Ensure the configuration is in a text format. FortiConverter can't use binary files.
See Saving the Tipping Point source configuration file on page 107.

Setting Description

Source Configuration Click to browse to the source configuration file.

VSYS selection

Map the virtual systems in the source configuration to VDOMs in the output configuration.
You can select multiple items from the list:
• To select multiple items, use Ctrl + click.
• To select contiguous items, use Shift + click.

Setting Description

Enable VDOM Select to enable VDOMs (add config global and config vdom syntax) in the output config.

Add Click to add a mapping item after you have deleted one.

Delete Click to delete a mapping item.

Tipping Point Interface mapping

To select the appropriate FortiGate interface, click the value in the FortiGate Interface column, and then select
a value or enter a custom interface name.
To edit other values in the Interface Mapping dialog box, including changing the interface from physical to
aggregate or unspecified, double-click a column other than FortiGate Interface.
The Interface Mapping dialog box allows you to select the following interface types:
• aggregate – Select up to four aggregate interface members. If you need to add additional members, edit the set members interface setting in the output configuration or use the FortiOS web UI to add interfaces after you import the configuration.
• unspecified – FortiConverter uses the interface name in the conversion, but ignores the type and other attributes, which provides a name-to-name mapping without interface configuration. For example, you can create resources such as VLANs, LAGs, and inter-VDOM links on the target FortiGate device before you import the conversion, and then reference those interfaces in the physical interface mapping.
You can also use the Tuning page to create mappings, such as physical to VLAN, after the conversion is
complete.
To delete an interface, select the entry and click Delete. This is useful if your target FortiGate has fewer
interfaces than the source configuration.

Setting Description

FortiGate Interface (table column) Click to assign a FortiGate port for each interface. Enter a port name or custom text.

Import from file Click to load a set of interface mappings from a text file.

Export current mappings Saves the current set of interface mappings to a text file.

Add Click to add a mapping item.

Edit Click to edit additional properties for the selected mapping item.

Delete Click to delete the selected mapping item.

Tipping Point Route Information

FortiConverter creates static routes in the output using the static routes it detects in the source configuration
and any routing information you provide.

Double-click an item to edit it.

Setting Description

Add Click to add a route.

Edit Click to edit the selected route.

Delete Click to delete the selected route.

Tipping Point Conversion result

Tab Description

Conversion Summary Provides statistics about the conversion.

Policies Detected & Policies Created Allows you to view and compare the number of objects
that FortiConverter detected in the source configuration
and the ones it created for the output configuration.

Messages & Warnings Allows you to review any objects that FortiConverter did not include in the conversion. If you enabled Discard unreferenced firewall objects on the Start Page, this tab displays the objects that FortiConverter removed.

Some columns can be selected, sorted, and filtered.

Setting Description

View in HTML Generates an HTML page of the conversion result.

Go to Output Opens the output folder.

Go to Tuning Opens the tuning page. See Tuning the output on page 119.

Go to Report Opens a detailed conversion report that includes a list of converted objects and policies and displays lines from the source configuration that FortiConverter did not convert.

For more information, see Viewing the results of your automatic conversion on page 134.

FortiConverter inserts error and warning messages into the conversion output when an error occurs.
Review the config-all.txt file after each conversion for errors. If they are not corrected, these errors and warning messages can cause the import process to fail. See the Error messages section for more details.

Vyatta Networks conversion - new application

Vyatta Networks (VyOS) differences

Conversion support

FortiConverter supports the following features:


• Interface
• Zone
• Address group
• Service group
• Policy
• Route
NAT and VPN conversions are not currently supported.

Configuration notes

Vyatta does not record an outgoing interface in its static route configuration. FortiConverter uses the next-hop address and the network of each interface to determine the outgoing interface. However, because VPN conversions are not supported and tunnel interfaces are not converted, the outgoing interface of a route whose next hop lies on a tunnel cannot be determined. The interface field of such routes is left empty in the output, and you must fill it in manually before the configuration is imported.

Saving the Vyatta source configuration files

Before starting the conversion wizard, save a copy of your Vyatta configuration file to the computer where FortiConverter is installed.
1. Use an SSH terminal and connect to the device.
2. Enter the command "set terminal length 0" so that the output is not paginated.
3. Enter "show configuration all" and save the output.
FortiConverter requires the hierarchical (curly-brace) form of the configuration produced by that command, not the flat list of set commands. For example:
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        address-group ADDR_GRP1 {
            address 10.58.14.15
            address 10.58.14.16
            address 10.58.14.17
        }
        address-group ADDR_GRP2 {
            address 10.58.186.41
            address 10.58.186.52
        }
............
............
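
The outgoing-interface rule from the configuration notes above, applied to the hierarchical format this procedure saves, as an added example that is not part of this guide or of FortiConverter: a Python parser for the curly-brace form, a resolver that picks the interface whose connected network contains each route's next hop, and a FortiOS config router static emitter that leaves the device empty when the next hop sits on an unconverted tunnel interface. The configuration text, the interface names and the set of interface kinds treated as tunnels are constructed for the example, and the parser assumes one address line per interface.

```python
import ipaddress

# Constructed sample in the hierarchical "show configuration all" form (not from a
# real device): two Ethernet interfaces, one VTI tunnel and three static routes,
# the last of which has its next hop inside the tunnel's network.
SAMPLE_VYOS_CONFIG = """\
interfaces {
    ethernet eth0 {
        address 192.0.2.10/24
    }
    ethernet eth1 {
        address 10.58.14.1/24
    }
    vti vti0 {
        address 172.16.0.1/30
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 192.0.2.1 {
            }
        }
        route 10.58.20.0/24 {
            next-hop 10.58.14.254 {
            }
        }
        route 10.99.0.0/16 {
            next-hop 172.16.0.2 {
            }
        }
    }
}
"""

# Assumption: these interface kinds stand in for the tunnel interfaces that
# FortiConverter does not convert, so their networks are never candidates.
TUNNEL_KINDS = {"vti", "tunnel", "openvpn", "wireguard"}


def parse_vyos(text):
    """Parse the curly-brace format into nested dicts keyed by block header
    (for example "ethernet eth0"); a leaf "key value" becomes a string."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value or True
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def connected_networks(config):
    """{interface: connected network} for the interfaces the conversion keeps."""
    nets = {}
    for header, body in config.get("interfaces", {}).items():
        kind, _, name = header.partition(" ")
        addr = body.get("address")
        if kind not in TUNNEL_KINDS and isinstance(addr, str) and addr != "dhcp":
            nets[name] = ipaddress.ip_interface(addr).network
    return nets


def outgoing_interface(next_hop, nets):
    """Interface whose connected network contains next_hop (longest prefix wins),
    or None when the next hop sits on an interface that was not converted."""
    hop = ipaddress.ip_address(next_hop)
    matches = [(net.prefixlen, name) for name, net in nets.items() if hop in net]
    return max(matches)[1] if matches else None


def resolve_static_routes(config):
    """Return (destination, next_hop, device_or_None) for every static route."""
    nets = connected_networks(config)
    routes = []
    for header, body in config.get("protocols", {}).get("static", {}).items():
        kind, _, dest = header.partition(" ")
        if kind == "route":
            for sub in body:
                key, _, hop = sub.partition(" ")
                if key == "next-hop":
                    routes.append((dest, hop, outgoing_interface(hop, nets)))
    return routes


def to_fortios(routes):
    """Emit 'config router static'. An empty device is the field the configuration
    notes say you must fill in by hand before importing."""
    lines = ["config router static"]
    for seq, (dest, hop, dev) in enumerate(routes, start=1):
        net = ipaddress.ip_network(dest)
        lines += [f"    edit {seq}",
                  f"        set dst {net.network_address} {net.netmask}",
                  f"        set gateway {hop}",
                  f'        set device "{dev or ""}"',
                  "    next"]
    lines.append("end")
    return "\n".join(lines)
```

With the sample, the default route resolves to eth0 and the 10.58.20.0/24 route to eth1, while the route via 172.16.0.2 is emitted with set device "" because its next hop is only reachable through the tunnel that the conversion drops; that empty device is exactly what you must complete before the import.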

Vyatta conversion wizard

To start a new conversion

1. Start FortiConverter.
2. When start-up is complete, a browser window automatically opens to http://127.0.0.1:8000.

3. Click New Conversion, located at the top right corner.


4. Enter a name for the conversion configuration.
5. For Vendor, choose Vyatta from the drop-down list.
6. Choose a Model, if applicable.
7. Click OK.
The configuration page opens to the Start page, and you can input your settings.

Vyatta Start options

This table lists the start settings.

Setting Description

Profile

Description Enter a description of the configuration.

Output Options

Output Format Select the appropriate output for your target Fortinet device.

FOS Version FortiOS 5.6 and 6.0 have different configuration syntaxes. Select the version that corresponds to the FortiOS version on the target.

Input

Source Configuration Select the input file.

Conversion Options

Discard unreferenced firewall objects Specifies whether addresses and services that aren't referenced by a policy are saved and added to the output. This option can be useful if your target device has table size limitations. You can view the unreferenced objects that FortiConverter removed on the Conversion Result page.

Adjust Service Table Capacity Size You can customize the maximum table sizes that FortiConverter uses when this option is selected. For more information, see Adjusting table sizes on page 155.

Comment Options

Include input configuration lines for each output policy Specifies whether FortiConverter includes the input configuration lines used for each FortiGate policy in the FortiGate configuration as a policy comment.

Interface Comment Specifies whether FortiConverter copies the interface comment from the source configuration to the mapped FortiGate interface.

Address Comment Specifies whether FortiConverter copies the address comment from the source configuration to the converted FortiGate address.

Service Comment Specifies whether FortiConverter copies the service comment from the source configuration to the converted FortiGate service.

Source preview

This table describes the information shown about the configuration.

Setting Description

Information of Configurations Source configuration file names are shown in the table as links. Click a link to see the file contents. Files that are too large are not shown.

Source Configuration Preview The number of each type of firewall object is shown in this table. Click an object count to see detailed information about each object.

Vyatta interface mapping

You can manually map the interface.


• To select the appropriate FortiGate interface, click the value in the FortiGate Interface column, and then select a value or enter a custom interface name.
• To edit other values, double-click the proper column. Use the toolbar icon on the right to show and hide columns. You can also use the Tuning page to create mappings after the conversion is complete.
• To import a set of interface mappings from a file, click Import.
• To download the current set of interface mappings, click Export.
• To delete an interface, select the entry and click Delete Selected. This is useful if your target FortiGate has fewer interfaces than the source configuration.

Setting Description

VDOM Shows the virtual domains used in the conversion ("root" by default).

Source Interface Shows each interface name on the Vyatta firewall.

FortiGate Interface Shows the corresponding FortiGate interface. Click to assign a FortiGate port for each interface.

Members Shows any members, if they are set.

IP-Netmask Shows the IP address and netmask of the interface.

Type Shows the type of interface.

Access Shows which protocols are permitted to access each interface.

Import Click to load a set of interface mappings from a text file.

Export Saves the current set of interface mappings to a text file.

Delete Selected Click to delete the selected mapping item.

Vyatta route information

FortiConverter creates static routes in the output by using the static routes it detects in the source configuration and any routing information you provide.
Double-click an item to edit it.

Setting Description

New Route Click to add a route.

Delete Click to delete the selected route.

Vyatta conversion result

Tab Description

Conversion Summary Provides statistics about the conversion.

Interface Mapping Shows how interfaces were mapped for each VDOM from the source device.

Device Summary Provides statistics about the detected objects.

FortiGate configuration migration - new application

Configuration notes

FortiConverter might remove settings that could block access to the device, so you might need to configure them manually after the configuration is restored. Check the following settings:
• The administrator password
• The IP address of the "mgmt" interface
• The "accprofile" setting of each administrator
• The "trusthost" setting of each administrator
For FortiGate conversion, the default maintainer account settings might be overwritten after the configuration restoration. For example, if the old FortiGate had the default maintainer access disabled, temporarily enable it before the restoration so that console password recovery remains possible if the restored administrator settings lock you out, and disable it again once the restoration is verified:
config system global
    set admin-maintainer enable
end

The conversion output consists of two main parts:
1. The first part is the default configuration of the target device.
2. The second part starts with the comment line "#migrated config starts" and is followed by the migrated source configuration.
If you want to modify the output configuration manually, modify only the second part, because a definition in the first part is overwritten by any later definition of the same object in the second part.
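
A check for the four settings listed above, as an added example that is not part of this guide or of FortiConverter: it parses FortiOS CLI syntax with the same later-wins semantics the two-part output relies on (re-editing an entry merges into it and a later set replaces the earlier value), then reports administrators with no password or no trusthost, administrators on the super_admin profile, a mgmt interface without an IP address, and a disabled maintainer account. The configuration text is constructed to resemble FortiConverter's output and the wording of the findings is the example's own.

```python
import shlex

# Constructed FortiConverter-style output (not a real device export): the target's
# default configuration first, then the migrated part after the marker comment.
# Note that "admin" gets its trusthost in the first part and its password in the
# second, and that mgmt only receives an IP address in the migrated part.
SAMPLE_OUTPUT = """\
config system global
    set admin-maintainer disable
end
config system interface
    edit "mgmt"
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.1.1.0 255.255.255.0
    next
end
#migrated config starts
config system interface
    edit "mgmt"
        set ip 10.1.1.1 255.255.255.0
    next
end
config system admin
    edit "admin"
        set password ENC AK1placeholder
    next
    edit "netops"
        set accprofile "super_admin"
        set password ENC AK1placeholder
    next
    edit "auditor"
        set accprofile "readonly"
        set trusthost1 10.1.1.0 255.255.255.0
        set password ENC AK1placeholder
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI syntax into nested dicts with the CLI's own semantics:
    re-editing an entry merges into it and a later 'set' replaces the earlier
    value, which is why only the second part of the output is safe to hand-edit."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd == "unset":
            stack[-1].pop(args[0], None)
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def check_management_access(config):
    """Findings for the settings the configuration notes say to verify."""
    findings = []
    if config.get("system global", {}).get("admin-maintainer") == ["disable"]:
        findings.append("system global: admin-maintainer is disabled; enable it "
                        "temporarily if you need console password recovery")
    mgmt = config.get("system interface", {}).get("mgmt")
    if mgmt is not None and mgmt.get("ip", ["0.0.0.0"])[0] == "0.0.0.0":
        findings.append("interface mgmt: no IP address set")
    for name, admin in config.get("system admin", {}).items():
        if "password" not in admin:
            findings.append(f"admin {name}: no password set")
        if not any(key.startswith("trusthost") for key in admin):
            findings.append(f"admin {name}: no trusthost; management is reachable "
                            "from any source address")
        if admin.get("accprofile") == ["super_admin"]:
            findings.append(f"admin {name}: uses super_admin; confirm full "
                            "privileges are required")
    return findings


if __name__ == "__main__":
    for finding in check_management_access(parse_fortios(SAMPLE_OUTPUT)):
        print(finding)
```

Run against the sample, the merged "admin" entry carries both the trusthost from the default part and the password from the migrated part, so it is only flagged for the super_admin profile, while "netops" is flagged for having no trusthost and "auditor" produces nothing. Run the same check on your own config-all output before restoring it.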

Fortinet conversion wizard

To start a new conversion

1. Start FortiConverter. When start-up is complete, a browser window automatically opens to http://127.0.0.1:8000.
2. At the top right corner of the window, click New Conversion.
3. Enter a name for the conversion configuration.
4. In the Vendor field, select Fortinet from the drop-down list.
5. Click OK.
The configuration page opens to the Start page, and you can input your settings.

Fortinet Start options

This table lists the start settings.

Setting Description

Profile

Description Enter a description of the configuration.

Input

Source Configuration Select the input file.

Target Device Default Configuration FortiConverter needs the default configuration of the target device to extract interface and other information about the target. The default configuration must contain the same VDOMs as the source configuration, so if the source device has multiple VDOMs, create VDOMs with the same names on the target device before backing up its default configuration.

Config information

This page shows the information inside the configuration.

Setting Description

Information of Configurations The device model name and firmware build information of the source and target devices are shown in this table. Configuration file names are shown as links. Click a link to see the file content. Files that are too large are not shown.

Detected Messages Warnings or errors detected by the parser are shown in this table. If an error occurs, you cannot proceed to the next step. Fix the problem in the configuration file and start a new conversion.

Source Configuration Preview The number of each type of object is shown in this table.

Fortinet interface mapping

You can manually map the interface.


• To select the appropriate FortiGate interface, click the value in the FortiGate Interface column, and then select a value or enter a custom interface name.
• To edit other values, double-click the proper column. Use the toolbar icon on the right to show and hide columns. You can also use the Tuning page to create mappings after the conversion is complete.
• To import a set of interface mappings from a file, click Import.
• To download the current set of interface mappings, click Export.
• To delete an interface, select the entry and click Delete Selected. This is useful if your target FortiGate has fewer interfaces than the source configuration.

Setting Description

VDOM Shows the virtual domains used in the conversion ("root" by default).

Source Interface Shows each interface name on the source FortiGate device.

FortiGate Interface Shows the corresponding FortiGate interface. Click to assign a port for each interface.

Members Shows any members, if they are set.

IP-Netmask Shows the IP address and netmask of the interface.

Type Shows the type of interface.

Access Shows which protocols are permitted to access each interface.

Import Click to load a set of interface mappings from a text file.

Export Saves the current set of interface mappings to a text file.

Delete Selected Click to delete the selected mapping item.

Fortinet conversion result

Setting Description

Conversion Summary Provides basic information about the conversion.

Device Summary Provides statistics about the detected objects.

Tuning the output

Legacy application tuning

Although FortiConverter attempts to automatically convert as much of the source configuration as possible, in
some cases, your input is required to complete the conversion. The Tuning page allows you to tune the results
for your environment. To access the Tuning page, on the Conversion Result page, click Go to Tuning.
When you navigate to the Tuning page for the first time, FortiConverter prompts you to save the current output
(the initial conversion). This backed-up conversion allows you to revert or refer to the initial conversion later, if
needed.
If you are running the trial license, you can use the Tuning page to review your conversion, which is helpful if
you are evaluating FortiConverter.

To quickly view a tuning "snapshot" (a configuration that you exported from the tuning
page earlier), open the wizard for the appropriate vendor, click Tuning on any page,
and then navigate to the snapshot file to import it.

You can add, modify, or delete firewall policies and objects, as well as interfaces and zones. FortiConverter
immediately applies your modifications.

Toolbar options

Item Description

Home Click to return to the main page.

Help Click to open the latest version of this guide.

Back Click to return to the Conversion Result page. FortiConverter preserves any
changes but doesn't save them in an output file. (Use Go to Report to save
changes to an output file.)

Backup Click to save the current configuration, including any modifications, to a text
file (a tuning "snapshot").

Restore Click to import a configuration you exported earlier (a tuning "snapshot"). FortiConverter discards any changes in the current configuration.

Export Policies Click to export policies as a comma-separated values (CSV) format file. This
can be helpful if you want to work in a spreadsheet application, share the
conversion with a team of reviewers, or import bulk changes.

Import Policies Click to import policies from a comma-separated values (CSV) format file. FortiConverter replaces the current policies with the ones in the CSV file and rebuilds the relationship between the policies and objects.

VDOM Select the VDOM in the output to display in the Tuning page.

Go to Report Click to view the configuration output in HTML format. The report includes converted and non-converted objects and a summary of the conversion.

Go to Output Click to view the files for the current configuration, including any
modifications.

Policy Tuning tab

The Policy Tuning tab allows you to review output policies and converted objects.
To review output policies, in the Policy navigation pane, select a package. The converted policies in the
package are displayed.

To add a new policy to a package

1. Right-click a policy, and then click New.


2. Complete the settings, and then click OK.

To renumber the policies

1. Right-click the policy where you want the numbering to restart, and then click ConfigPolicyIndex.
2. For Set Policy Index Start With, enter the initial policy number to use, and then click OK.

To edit the details for a converted policy

Double-click the policy and edit the settings as required.

Item Description

Name You can't edit this value.

From Select source interface(s).

To Select destination interface(s).

Source Select source address object(s).

Destination Select destination address object(s).

Service Select service object(s).

Schedule Select the schedule object.

Action Specify whether traffic is accepted or denied.

Log Allowed Traffic Specify whether logging is enabled.

Status Specify whether the policy is enabled.

Enable NAT Select to enable NAT, and then do one of the following:
• Select Use Interface.
• Select Use IPPool and specify a pool.

Comments Edit the comments for the policy.

Label Edit the label for the policy.

To review and edit firewall objects and interfaces

1. Go to the navigation pane at the bottom-left of the Policy Tuning tab. Click the icons at the bottom of the pane to switch between firewall objects and interfaces.

2. To view objects, select a category in the navigation pane.

3. To add a new object, scroll to the bottom of the list, click in an empty row, and then complete the fields as
required.

4. The PolicyRef column displays the number of policies that reference that firewall object.
Click the PolicyRef. column for the entry to display the specific policies in the Policy table above.
You can't delete objects that are referenced by any other part of the configuration.

To filter rows to display only matching data

You can filter every column that has a filter icon by a given option or custom expression.

To delete a line of the configuration

Click the policy or object you want to delete to select it, and then press the Delete key on your keyboard.
You can't delete items that are used by another policy or group.

To reorder rows

To reorder rows, click the policy number and drag the row to the new position.

Conversion log tab

The Conversion Log tab displays warnings that FortiConverter generated during the conversion process.

New application tuning

Although FortiConverter automatically converts as much of the source configuration as possible, in some cases your input is required to complete the conversion. The Tuning page opens automatically when the conversion is complete. (Currently this feature is available only for conversions from third-party vendors.)
From the Tuning page, you can:
• Manage your firewall objects
• Copy an object to another VDOM
• Copy an object's CLI configuration
• Output an unreferenced object
• Shorten or change object names

Manage your objects

The Tuning page has several features enabling you to view, add, edit, and delete your various firewall objects.

To review the converted objects

1. In the upper-left corner, click FortiGate Configuration.
A list of object categories loads in the menu bar, and a table of interfaces is displayed.
2. Select the object category you want to review.
A table containing information about that object category loads.

In the address, address group, service, and service group tables, some object rows are highlighted in yellow. Highlighted rows indicate objects that FortiConverter created automatically during the conversion; they have no definition in the original input configuration files.

To edit an existing object in your configuration

1. In the table, double-click the object row you want to edit.


A window containing configurable fields loads.
2. Update the fields as needed.
3. Click OK to save your changes.

To add an object

At the bottom of every object category table is a button that enables you to add a new object. The button's
name is dependent on which object category you want to add to. The directions below outline the steps to add
a new address.
1. At the bottom of the object table, click New Address.
A window loads, enabling you input information about the object you want to add.
2. Complete the fields as needed.
3. Click OK to save your changes.

To delete an object

1. From the table, select the object you want to delete.


2. Right-click to view the context menu.

3. Click Delete Selected from the context menu.


A confirmation window loads, asking you to confirm your deletion. If the object you want to delete is
referenced by other objects, the information will be displayed there.
4. Click OK to confirm your deletion.

Copy an object to another VDOM

To copy objects to another VDOM

1. In the VDOM information section, toggle the Enable VDOM wrapper switch.

Note: In order to enable the VDOM wrapper, the output requires at least two VDOMs. If the original
configuration only has one VDOM, you can manually add a new VDOM.
2. From the table of objects, select the object(s) you want to copy to another VDOM.
3. Right-click to view the context menu.

4. Expand the Copy to VDOM sub-menu.

Your accessible VDOMs are listed in the sub-menu.


5. Select the VDOM you want to copy to.
Your selected object(s) will be included in the selected VDOM output.

Copy an object's CLI configuration

To copy the CLI configuration of an object

1. From the list of objects, select the object that you want to copy the CLI from.
2. Right-click to view the context menu.

3. Click Copy CLI.


4. From the prompted window, click Save to save the configuration as a text file, or click Copy to copy the
configuration to the clipboard.

Output an unreferenced object

You can output unreferenced objects from the address, address group, service, and service group categories. To do so, you must move unreferenced objects from the unreferenced table to the converted objects table.
If you enable the Discard unreferenced firewall objects option on the start page, FortiConverter scans each object and checks whether it is referenced by policies, central NAT rules, or other objects.

To output an unreferenced object

1. Select the object category you want to include in your output.


Note: You can only output unreferenced objects from the address, address group, service, and service
group categories.
2. In the Table Type field, select "unreferenced". The table types are:
• converted - Objects are referenced and are generated to the outputs.
• unreferenced - Objects are not referenced and are not generated to the outputs unless you move them.
• unconverted - Objects that FortiConverter cannot convert because they are not supported by FortiOS or by FortiConverter.
3. Select the object(s) you want to output.
You can select the entire table by right-clicking and selecting Select All from the context menu.
4. Right-click to view the context menu.

5. Select Move to Converted.


FortiConverter moves the selected objects to the converted category.
6. In the upper-right of the page, click Download Configuration.
The configuration of the moved objects is included in the output.

Rename an object

FortiOS enforces a maximum name length that differs by object type. Object names that exceed the limit are referred to as overlengthed, and must be renamed before the configuration can be uploaded to a FortiGate device. The tuning summary table displays the number of overlengthed objects in red.

There are two ways to see which objects are marked as overlengthed. You can:
1. Click the red number in the Overlengthed column, or
2. Go to the table for the object type and click the Name Overlength button.
Overlengthed object names are identified with a red background color.
Once you have located the overlengthed objects, there are two ways to rename them: manually or automatically.

To manually rename an object

1. Double-click the object row.


2. In the prompt window, shorten the object name.
3. Click OK.

To automatically rename an object

1. Select the object row.


2. Right-click to view the context menu.
3. Click Trim Object Name.
FortiConverter automatically deletes the last few characters from the tail-end of the object name so it falls
under the character limit.
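
Trim Object Name removes trailing characters, which is enough for one name, but two long names that share a prefix can be trimmed to the same string, and a group that referenced both then points at a single object or fails to import on the duplicate. The following added example (not part of this guide or of FortiConverter) shows that collision under plain truncation and a collision-safe rename that also rewrites group memberships. The 15-character limit, the object names and the _1 suffix convention are assumptions made for the illustration; FortiOS applies its own limit per object type.

```python
# Constructed sample (not from any conversion): two address names that plain
# truncation collapses into one, and the group that references them. The
# 15-character limit is an assumption for the illustration; FortiOS applies its
# own limit per object type.
LIMIT = 15
SAMPLE_OBJECTS = {
    "dns": [],
    "corp-dmz-web-servers-primary": [],
    "corp-dmz-web-servers-backup": [],
    "grp-dmz-web-servers-all": ["corp-dmz-web-servers-primary",
                                "corp-dmz-web-servers-backup", "dns"],
}


def naive_collisions(objects, limit):
    """Names that tail truncation alone (what Trim Object Name does) would merge."""
    seen, clashes = {}, set()
    for name in objects:
        short = name[:limit]
        if short in seen:
            clashes.update({seen[short], name})
        seen[short] = name
    return clashes


def shorten(name, limit, taken):
    """Tail-truncate to the limit; if that name is taken, spend the last characters
    on a numeric suffix (_1, _2, ...) until the result is unique."""
    candidate, counter = name[:limit], 1
    while candidate in taken:
        suffix = f"_{counter}"
        candidate = name[:limit - len(suffix)] + suffix
        counter += 1
    return candidate


def rename_overlength(objects, limit):
    """Return (renamed_objects, mapping). Names already within the limit are kept
    and reserved first, overlength names are shortened without colliding with any
    reserved or previously shortened name, and memberships follow the new names."""
    mapping = {name: name for name in objects if len(name) <= limit}
    taken = set(mapping)
    for name in objects:
        if name not in mapping:
            mapping[name] = shorten(name, limit, taken)
            taken.add(mapping[name])
    renamed = {mapping[name]: [mapping.get(member, member) for member in members]
               for name, members in objects.items()}
    return renamed, mapping
```

With the sample, both server addresses truncate to corp-dmz-web-se; the second becomes corp-dmz-web-_1 and the group's member list is rewritten to match, so nothing in the output refers to a name that no longer exists.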

REST API Import

FortiConverter can use the REST API provided by FortiOS to import the converted objects into your FortiGate.
Currently this feature is available only for conversions from third-party vendors.

Add device information

Before importing objects into a device, save the connection information for the device in FortiConverter:
1. Go to the FortiConverter dashboard and click the Device tab on the left.
2. Click the New Device button at the top-right corner.
3. Enter the network address and login information. Because FortiConverter stores these credentials, use a dedicated administrator account for the import, and remove it or change its password once the import is complete.

4. Click Test Connection to check that FortiConverter can connect to the device and log in. Click OK to save the device information.

Start Installation

1. On the tuning page of the conversion, click Install Config at the top-right corner. This button appears only when at least one connectable device is saved in FortiConverter.
2. Select the device to import into and click Connect.
3. Click One-Click Install to start importing.
4. View the installation logs and wait for the import to complete.
5. To interrupt the installation, click Stop Importing.

6. Click Download Logs to download the import log file. The CLI of any failed objects is written to the file; you can paste that CLI into the device's terminal to see the error it produces.

View Import Result

When the REST API import is finished, statistics for the imported objects are shown in the table on the conversion summary page.

Click the number in the Import Failed column to list the failed objects in a table. In the table for each kind of object, the import result is shown in the right-hand column.

Import Individual objects

You can also import objects individually from the object pages.
1. Select the objects to be imported into the FortiGate.
2. Right-click and select REST API Import.
Prerequisite objects must be imported first. For example, before importing an address group, import all the address objects that the group contains.
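
The prerequisite rule above is an ordering problem: a group cannot be created before its members exist, and a group of groups cannot be created before the inner groups. As an added example that is not part of this guide or of FortiConverter, the following Python code sorts address and address-group objects so that every object follows the objects it references, rejects undefined members and reference cycles, and builds the POST requests against the FortiOS REST API collection paths /api/v2/cmdb/firewall/address and /api/v2/cmdb/firewall/addrgrp. The objects are constructed for the example; send performs the HTTP calls with an API token and is not invoked by the example itself.

```python
import json
import urllib.request

# FortiOS REST API collection paths for the two object types used here.
API_PATHS = {"address": "/api/v2/cmdb/firewall/address",
             "addrgrp": "/api/v2/cmdb/firewall/addrgrp"}

# Constructed sample (not from any conversion), deliberately listed with the
# groups before the addresses they depend on.
SAMPLE_OBJECTS = [
    {"kind": "addrgrp", "name": "grp-all",
     "body": {"name": "grp-all", "member": [{"name": "grp-dmz"}, {"name": "dns"}]}},
    {"kind": "addrgrp", "name": "grp-dmz",
     "body": {"name": "grp-dmz", "member": [{"name": "web1"}, {"name": "web2"}]}},
    {"kind": "address", "name": "web1",
     "body": {"name": "web1", "sub": "10.1.1.10 255.255.255.255"}},
    {"kind": "address", "name": "web2",
     "body": {"name": "web2", "subnet": "10.1.1.11 255.255.255.255"}},
    {"kind": "address", "name": "dns",
     "body": {"name": "dns", "subnet": "10.1.1.53 255.255.255.255"}},
]


def dependencies(obj):
    """Names that must already exist on the FortiGate before obj is created."""
    if obj["kind"] == "addrgrp":
        return [member["name"] for member in obj["body"]["member"]]
    return []


def import_order(objects):
    """Depth-first topological sort: every object follows what it references.
    Raises ValueError for a member that is not in the set or a reference cycle."""
    by_name = {obj["name"]: obj for obj in objects}
    state, order = {}, []

    def visit(name, path):
        if name not in by_name:
            raise ValueError(f"{path[-1] if path else '?'} references undefined object {name}")
        if state.get(name) == "done":
            return
        if state.get(name) == "visiting":
            raise ValueError("reference cycle: " + " -> ".join(path + [name]))
        state[name] = "visiting"
        for dep in dependencies(by_name[name]):
            visit(dep, path + [name])
        state[name] = "done"
        order.append(by_name[name])

    for obj in objects:
        visit(obj["name"], [])
    return order


def build_requests(objects, vdom="root"):
    """(method, path, body) tuples in an order the FortiGate will accept."""
    return [("POST", f"{API_PATHS[obj['kind']]}?vdom={vdom}", obj["body"])
            for obj in import_order(objects)]


def send(base_url, token, plan):
    """Replay the plan against a FortiGate using an API token. TLS verification is
    left on; install a trusted certificate on the FortiGate rather than disabling it."""
    results = []
    for method, path, body in plan:
        req = urllib.request.Request(
            base_url + path, data=json.dumps(body).encode(), method=method,
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            results.append((body["name"], resp.status))
    return results
```

For the sample, build_requests yields web1, web2, grp-dmz, dns and then grp-all, so each POST only refers to objects that earlier POSTs have already created; a cycle or a member that was never converted is reported before anything is sent rather than surfacing as a failed object in the import log.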

Viewing the results of your automatic conversion

Legacy application

The Conversion Result page displays general conversion information, statistics on the number of converted objects and policies, and a log of items that need further attention.
To see a summary of the conversion, click Go to Report.
An HTML page generated by FortiConverter is displayed in your web browser.

To examine the converted objects and policies in detail, click Go to Tuning.

After your review and any tuning tasks are complete, click Go to Output to access the final, converted
configuration files.

New application

The Conversion Summary page displays a summary of the conversion, including VDOM mapping and Interface
mapping, as well as a device summary.
• To fine-tune the conversion, click FortiGate Configuration from the menu on the left, then select an option.
• To download the final, converted configuration files, click Download Configurations, located on the right.
• To download any configurations, from the home page, click Download.

Error messages

If an error occurs, FortiConverter inserts error messages and warnings into the conversion output file config-
all.txt.
These warnings aren't inserted in any configuration branch files.

Review the config-all.txt file after each conversion for errors. If they are not corrected, these errors and warning messages can cause the import process to fail.

Undefined objects

# Error: Undefined interface/address/service/ippool object <NAME>;

This error occurs when an object used in a policy isn't previously defined. Make sure the object name is
correct.

Interface

# Warning: Please input vlan interface

This warning means the physical interface of a VLAN interface isn't specified.

Zone

# Warning: Interface exists in other Zone.


This warning means an interface belongs to two zones simultaneously. An interface should not belong to more
than one zone at a time.

Service

# Error: The number of service custom is <NUMBER>, exceed <NUMBER> limitation.

The number of custom services exceeds the maximum number supported by the selected FortiGate model.

Service group

# Error: Unconverted members in service group <NAME>


This error occurs when objects in the mentioned service group aren't converted and the service group becomes
empty.

User

# Warning: can't support radius server group

This warning means the source configuration contains a RADIUS server group. FortiGate doesn't support RADIUS
server groups. This warning only appears in Check Point conversions.

# Warning: can't find out radius server

This warning means the RADIUS server of the user isn't defined in the source configuration. This warning only
appears in Check Point conversions.

# Warning: Please reset the shared secret key.

This warning means the password in the source configuration is encrypted. Reset the shared secret key.

VIP

# Warning: Public IP confliction for below objects.

This warning appears when different VIP objects have the same public IP. Different VIP objects should not
have the same public IP in FortiOS. To fix this issue, add port forwarding or source filter information to the
conflicting VIP objects.

VPN phase1

# Warning: <NAME> exceed 35 characters

This warning means the Phase1 name exceeds 35 characters. Manually fix the name.

# Warning: remote-gw should be IP address, object <NAME> was not defined

This warning occurs when the source configuration provides an address name for the remote-gw field. The
remote-gw field should be an IP address.

# Warning: Please reset the pre-shared key.

If the password in the source configuration is encrypted, all pre-shared keys are set to "123456" in the
converted VPN objects. Users should reset the pre-shared keys.

VPN phase2

# Warning: <NAME> exceed 35 characters

This warning appears when a Phase2 name exceeds 35 characters. Fix the name manually.

Policy

# set utm-status enable
# set application-list NAME1 NAME2
# Application-list support only one item, please recheck config file.

This error means there are multiple items in the application list. There should be only one item in the
application list. If there are multiple items given in the source configuration, reset the items.

# Warning: Removed self traffic object <NAME> from address list
# Warning: Comment out self traffic policy - object name <NAME>

Check Point policies may contain "self traffic" policies, but those policies aren't needed in FortiOS.

# Warning: Comment out default drop all policy

Some vendors' configurations end the policy list with a "drop all" policy. FortiOS has its own "drop all"
policy by default, so the one in the source configuration should be commented out.

Route static

# Warning: Please input field <device>

FortiOS requires the "device" (interface) field in a static route.

Snmp sysinfo

# Warning: Community <NAME> has <NUMBER> hosts, beyond the limitation <NUMBER>.

The number of hosts in a community exceeds the maximum number supported by the selected FortiGate model.

Other warnings

Name length

# Warning: truncate <OBJECT> name <NAME> to <NUMBER> characters
# Warning: Trim <NAME> to <NUMBER> characters

When FortiConverter detects an object name that is longer than the limit given in FortiOS, FortiConverter
renames the object.

Route BGP

# Warning: Please reset the password.


This warning appears when the password of route BGP neighbors in the source configuration is encrypted.
Reset the password of the route BGP neighbors.

Route OSPF

# Warning: Please reset the md5 key.


This warning appears when the MD5 key of the OSPF interface in the source configuration is encrypted.
Reset the MD5 key.

Importing your new configuration into FortiGate

Conversion to FortiGate output


When you convert a source configuration to a FortiGate configuration, the resulting conversion output is placed
in the FGT/ folder of the output directory as HTML, and the CLI configuration is written to the text file
config-cmd.txt. The config-cmd.txt file header contains basic import instructions. The converted objects and
policies follow the header and can consist of several thousand lines of configuration.

Preparing the output configuration file for import


Before you import the output configuration, search the file for any comments that indicate issues that
FortiConverter detected during the conversion (such as missing objects or conflicting object values) and fix
them. To locate these comments, search for lines that start with # (number/hash symbol). You can't
successfully import the configuration if you don't fix these issues. Fortinet recommends that you divide the
configuration into sections, and then import one section at a time. If a section is large, divide it into smaller
sections.
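
The review described above can be scripted. The following Python example is added here and is not part of
FortiConverter or of this guide: it splits a conversion output file into its top-level config ... end sections and
lists every comment that FortiConverter inserted as an Error or Warning, together with the section it belongs
to, so you know which sections can be imported unchanged. The sample text is constructed for the example (its
comment lines follow the messages listed under Error messages; the object names and addresses are made up),
and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of FortiConverter output (config-all.txt style). The comment
# lines mimic the messages documented in the Error messages section; the objects
# and IP addresses are made up for this example.
SAMPLE_OUTPUT = """\
# FortiConverter output - constructed sample, import section by section
config system interface
    edit "port1"
        set vdom "root"
    next
    # Warning: Please input vlan interface
    edit "vlan100"
        set vdom "root"
    next
end
config firewall address
    edit "Test1"
        set subnet 1.1.1.1 255.255.255.255
    next
end
config firewall addrgrp
    edit "Test-Addresses"
        # Error: Undefined interface/address/service/ippool object Test3;
        set member "Test1" "Test3"
    next
end
config vpn ipsec phase1-interface
    edit "to-branch"
        # Warning: Please reset the pre-shared key.
        set psksecret 123456
    next
end
"""

# A top-level section starts with an unindented "config ..." line and ends with
# the matching unindented "end" line; nested blocks are indented and ignored here.
SECTION_START = re.compile(r"^config\s+(.+?)\s*$")
SECTION_END = re.compile(r"^end\s*$")
# FortiConverter flags problems as comments that start with "# Error:" or "# Warning:".
FLAGGED = re.compile(r"^\s*#\s*(Error|Warning)\s*:\s*(.*)$")


def split_sections(text: str) -> List[Tuple[str, List[str]]]:
    """Return (section name, lines) pairs for each top-level config block."""
    sections: List[Tuple[str, List[str]]] = []
    current: List[str] = []
    name = None
    for line in text.splitlines():
        m = SECTION_START.match(line)
        if name is None and m:
            name, current = m.group(1), [line]
            continue
        if name is not None:
            current.append(line)
            if SECTION_END.match(line):
                sections.append((name, current))
                name, current = None, []
    return sections


def flagged_comments(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each section name to the (level, message) comments FortiConverter inserted."""
    found: Dict[str, List[Tuple[str, str]]] = {}
    for name, lines in split_sections(text):
        for line in lines:
            m = FLAGGED.match(line)
            if m:
                found.setdefault(name, []).append((m.group(1), m.group(2).strip()))
    return found


def sections_ready_for_import(text: str) -> List[str]:
    """Names of sections with no Error comments (Warnings still deserve a look)."""
    flagged = flagged_comments(text)
    return [
        name
        for name, _ in split_sections(text)
        if not any(level == "Error" for level, _ in flagged.get(name, []))
    ]


if __name__ == "__main__":
    for section, items in flagged_comments(SAMPLE_OUTPUT).items():
        for level, message in items:
            print(f"{section}: {level}: {message}")
    print("import without further edits:", sections_ready_for_import(SAMPLE_OUTPUT))
```

Run it against your own config-all.txt or config-cmd.txt by reading the file into a string in place of
SAMPLE_OUTPUT; each entry of split_sections() can then be written out as its own file for section-by-section
import.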

Importing the configuration file sections


To import the sections of the output configuration file, Fortinet recommends that you use the Upload Bulk
CLI Command File option at one of the following locations:
• System > Config > Advanced (FortiOS 5.2)
• System > Advanced (FortiOS 5.6 and 6.0)
Because you can't successfully import a section of configuration that references an object that doesn't already
exist in the configuration, ensure that you import the configuration sections in their original order. For example,
you typically import policies last because they reference interfaces, addresses, users, services, IPsec phase1s,
security policies, and so on. If these objects are missing, FortiGate doesn't accept the policy.

CLI debugging
To make troubleshooting easier when there are import errors, before you import sections, enable CLI
debugging.
By default, CLI debugging is level 3. This is the level to use under normal conditions.
You can use this command to view the current debug level:

# diagnose debug info

A response similar to the following appears:

debug output: disable
console timestamp: disable
console no user log message: disable
CLI debug level: 3

For the configuration importing process, the appropriate debug level is 8. Use these commands to change the
debug level:

diag debug enable
diag debug CLI 8

When the import process is complete, use this command to return the debug level to the default (3):
diag debug reset

Importing process
Import the sections of the conversion output systematically. For each section you import, check for import
failures in the web UI Script Execution History. Use CLI debugging to diagnose and fix any errors. When the
import is successful, continue with the next section of the configuration.

Example import error and troubleshooting


The following simple configuration generates an error because Test3 isn't defined:
config firewall address
edit "Test1"
set subnet 1.1.1.1 255.255.255.255
next
edit "Test2"
set subnet 1.1.1.2 255.255.255.255
next
end
config firewall addrgrp
edit "Test-Addresses"
set member "Test1" "Test2" "Test3"
next
end

When you save this configuration as a file and import it, the Failure status indicator shows:

The following CLI output captures detailed information about the error:
0: config firewall address
0: edit "Test1"
0: set subnet 1.1.1.1 255.255.255.255
0: next
0: edit "Test2"
0: set subnet 1.1.1.2 255.255.255.255
0: next
0: end
0: config firewall addrgrp
0: edit "Test-Addresses"
-3: set member "Test1" "Test2" "Test3"
1: next
0: endwrite config file success, prepare to save in flash

The error code -3 indicates that FortiGate did not find the object and the return code 1 indicates that an error
occurred.
Notice that FortiGate creates the address objects Test1 and Test2. The failure status only relates to the
address group.
When you fix the script by adding the missing Test3 object and import it again, the Success status indicator
shows.

When the configuration is fixed, all return codes in the CLI debugging are 0, indicating no errors.
0: config firewall address
0: edit "Test1"
0: set subnet 1.1.1.1 255.255.255.255
0: next
0: edit "Test2"
0: set subnet 1.1.1.2 255.255.255.255
0: next
0: edit "Test3"
0: set subnet 1.1.1.3 255.255.255.255
0: next
0: end
0: config firewall addrgrp
0: edit "Test-Addresses"
0: set member "Test1" "Test2" "Test3"
0: next
0: endwrite config file success, prepare to save in flash
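
To catch the Test3 kind of failure before the script reaches the FortiGate, and to read the CLI debug output
when a script does fail, here is an added Python example (it is not from this guide or from the product).
check_references() walks a FortiOS CLI script in the order FortiGate would execute it and reports
address-group members that are not defined earlier in the same script; parse_debug_output() reads the
"<code>: <command>" lines produced at CLI debug level 8 and returns the commands whose return code isn't 0.
The sample script is the guide's Test1/Test2/Test3 example and the debug output is constructed to match it;
the meanings attached to -3 and 1 follow the text above, the table mapping and the function names are my
assumptions, and nested config blocks inside an entry are not tracked (the address scripts are flat).

```python
import re
from typing import Dict, List, Set, Tuple

# The guide's example script: Test3 is referenced by the group but never defined.
BROKEN_SCRIPT = """\
config firewall address
    edit "Test1"
        set subnet 1.1.1.1 255.255.255.255
    next
    edit "Test2"
        set subnet 1.1.1.2 255.255.255.255
    next
end
config firewall addrgrp
    edit "Test-Addresses"
        set member "Test1" "Test2" "Test3"
    next
end
"""

# Constructed CLI debug output (level 8) for the same script, in the form the
# guide shows: "<return code>: <command>".
DEBUG_OUTPUT = """\
0: config firewall address
0: edit "Test1"
0: set subnet 1.1.1.1 255.255.255.255
0: next
0: edit "Test2"
0: set subnet 1.1.1.2 255.255.255.255
0: next
0: end
0: config firewall addrgrp
0: edit "Test-Addresses"
-3: set member "Test1" "Test2" "Test3"
1: next
0: end
"""

# Which table defines the objects that "set member" lines of a group table refer to.
# Assumed for the address case; extend the map for service groups and so on.
MEMBER_TABLES: Dict[str, str] = {"firewall addrgrp": "firewall address"}

# Return codes seen at CLI debug level 8. -3 and 1 are explained in the guide;
# -651 comes from the restorable-config section (input value error).
RETURN_CODES = {0: "ok", -3: "entry not found", 1: "error", -651: "input value error"}

CONFIG_RE = re.compile(r"^\s*config\s+(.+?)\s*$")
EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]+?)"?\s*$')
MEMBER_RE = re.compile(r"^\s*set\s+member\s+(.*)$")
QUOTED_RE = re.compile(r'"([^"]*)"|(\S+)')


def _names(arg_text: str) -> List[str]:
    """Split a 'set member' argument list, honouring quoted names."""
    return [q or u for q, u in QUOTED_RE.findall(arg_text)]


def check_references(script: str) -> List[Tuple[str, str, str]]:
    """Return (group table, group name, missing member) for members not defined earlier.

    An object counts as defined once its edit line has been seen, so the order of
    the script matters, exactly as it does when FortiGate executes it. Groups of
    the same table also count, so nested groups are accepted if they come first.
    """
    defined: Dict[str, Set[str]] = {}
    problems: List[Tuple[str, str, str]] = []
    table = entry = None
    for line in script.splitlines():
        m = CONFIG_RE.match(line)
        if m:
            table, entry = m.group(1), None
            continue
        m = EDIT_RE.match(line)
        if m and table:
            entry = m.group(1)
            defined.setdefault(table, set()).add(entry)
            continue
        m = MEMBER_RE.match(line)
        if m and table in MEMBER_TABLES and entry:
            allowed = defined.get(MEMBER_TABLES[table], set()) | defined.get(table, set())
            for member in _names(m.group(1)):
                if member not in allowed:
                    problems.append((table, entry, member))
    return problems


def parse_debug_output(output: str) -> List[Tuple[int, str, str]]:
    """Return (code, meaning, command) for every debug line whose return code is not 0."""
    failures = []
    for line in output.splitlines():
        code_text, sep, command = line.partition(":")
        if not sep or not re.fullmatch(r"-?\d+", code_text.strip()):
            continue                      # not a "<code>: <command>" line
        code = int(code_text)
        if code != 0:
            failures.append((code, RETURN_CODES.get(code, "unknown"), command.strip()))
    return failures


if __name__ == "__main__":
    print("missing references:", check_references(BROKEN_SCRIPT))
    print("failed commands:", parse_debug_output(DEBUG_OUTPUT))
```

Running check_references() over each section file before you upload it catches the ordering problems that the
"Undefined ... object" comments warn about, and parse_debug_output() over a captured console session points
you straight at the first failing command rather than the "next" that reported the error.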

Importing your new configuration into FortiManager

The example in the procedures uses FortiManager 5.2 and global policies and objects. The procedures are
similar for environments that don't use the global feature.

To configure FortiManager
On FortiManager, enable the ADOM feature and create an ADOM for each source domain that you want to
migrate. Ensure that all the ADOMs (including the global ADOM) use the same version of FortiOS.

The output folder


The output folder provides both a global folder and a folder for each source domain. Both folders contain the
subfolder FMGR\.
Object configuration is located in the FMGR\FWObject\ folder, which contains the following files:
• Several text and HTML files that are used for reporting. They aren't used to import the configuration.
• The text file config-all, which contains all the CLI commands for the object configuration.
• Text files that duplicate sections of the config-all file: address, address groups, services,
schedules, and so on. When there are many objects (for example, most environments have many
firewall address objects), these sections are divided into multiple, indexed files. To make the import
process simpler, Fortinet recommends that you import configurations using the files for individual sections.
Policy scripts are located in policy package folders in \FMGR\Policy as one or more firewall policy files
(config-firewall-policy-1, config-firewall-policy-2, and so on). These files have the same
content as the conversion output file config-all, in smaller, indexed files that are easier to import.

Running scripts
With the exception of config-system-session-helper, you run all scripts using the Policy Package,
ADOM Database script target.
You run the config-system-session-helper script on the device database to set device-level settings.
If the global folder contains a config-system-session-helper script, review its contents. In most
cases, it isn't required because the global policies and objects configuration doesn't contain devices. You can
add any configuration in this script to session helper scripts for each domain that uses the global objects.
However, in most cases, the domain-level script also contains these settings.

To import policies and objects


Import your global objects and policies first because the ADOM configuration can depend on them. Import
objects before policies because policies depend on objects.
1. In the FortiManager system settings, to enable scripts, go to System Settings > Admin > Admin
Settings. Under Display Options on GUI, select Show Script.

2. To display the scripts in the Global Objects menu, on the Policy & Objects tab, go to Tools > Display
Options > All On.
3. Go to Global Objects > Advanced > Script.

The list of global scripts is displayed.


4. Click Import, enter a name for the script you are importing, and then click Browse to navigate to and
select a script from the Global\FMGR\FWObject folder.
For more information on the output folders and files, see The output folder on page 143.
5. For the script target, select Policy Package, ADOM Database, and then select OK.
6. When the import is complete, review any error messages that FortiConverter inserted as comments and
make any required corrections. For more information, see To troubleshoot script import and execution
errors on page 147.
7. To run the script, right-click it, and then select Run. Because global objects are applied to all ADOMs by
default, for Run script on policy package, you can use the default policy package. If the script execution
fails, troubleshoot the process and make any required changes. For more information, see To troubleshoot
script import and execution errors on page 147.
8. Repeat the script import and run process for all the scripts in the Global\FMGR\FWObject folder.
9. When you have imported all the objects, use the same procedures to import and run the policy scripts
using the firewall policy configuration files located in the Global\FMGR\Policy folder, which contains a
folder for each policy package. Don't import the config-all file.

After the scripts have run successfully, review the policies.

10. When the policy package is correct, assign it to your ADOM. By default, FortiManager assigns the selected
policy package to all policy packages in the ADOM.

11. To complete the ADOM assignment, on the Assignment tab, click Assign.

12. When the process of assigning the polices and objects is complete, on the Policies & Objects tab, select
the ADOM to review the policies.

13. To import the domain-level policies and objects into your ADOM, on the Device Manager tab, select the
ADOM, and then go to Scripts > Script.
14. Repeat the procedure for importing the object and policy scripts with the contents of the
<domain_name>\FMGR\FWObject and <domain_name>\FMGR\Policy folders. Import the objects first, but
don't import the config-system-session-helper script. For the script target, select Policy
Package, ADOM Database.
Ensure you check for error messages that FortiConverter inserted as comments and make any required
corrections. For more information, see To troubleshoot script import and execution errors on page 147.
15. Run each imported object script. For Run script on, select Policy Package, ADOM Database. Correct
any errors that prevent the script from executing. For more information, see To troubleshoot script import
and execution errors on page 147.
If there are many address objects, you import several scripts because the address file is indexed to keep
the files at a manageable size.
16. Before you run the policy scripts, create new policy packages that correspond to each policy package folder
in <domain_name>\FMGR\Policy. On the Policy & Objects tab, right-click on the default policy
package and choose Policy Package Create New.
Clear the Clone Policy Package option.

Because global policies and objects were assigned to all policy packages in this ADOM, they are
automatically part of each new policy package. The next import task adds the domain-level policies.
17. On the Device Manager tab, run each imported policy script. For Run script on, select Policy Package,
ADOM Database. When you are prompted for a policy package, select the name of the appropriate
package, which you created earlier.

Correct any errors that prevent the script from executing. For more information, see To troubleshoot script
import and execution errors on page 147.

To troubleshoot script import and execution errors

FortiConverter inserts any error messages in output scripts as comments.
In some cases, the script can't run unless you edit it to correct the errors. Double-click the name of the script in
the list of scripts to edit it.

In the following example, the address objects that generate the errors are assigned using the global objects
and can be ignored.

If an error occurs during script execution, go to System Settings > Task Monitor to view the error message
and identify the error. Look for "Failed to commit to DB" in the task information.

Unlike a FortiGate import, which creates an object up to the point of failure, FortiManager creates no objects or
policies if the script execution fails.
If you identify the cause, correct it in your script.
For example, the following error was generated by a firewall policy that contained both IPv4 and IPv6 objects,
which FortiOS doesn't support and FortiConverter did not correct.

Another example of a script execution error generates the following message:

To resolve the error, determine which object precedes the error, locate it in the script, and correct any
configuration errors. In this example, the configuration doesn't specify the subnet. If an object you don't want to
use generates the error, you can delete it from the script or use # (hash) at the start of the appropriate lines to
convert them to comments. Then, try to run the script again. Repeat the troubleshooting process until the script
execution is successful.

If there is no obvious error in the output, try dividing the script into two smaller scripts. If only one script runs
successfully, you have narrowed the focus of your troubleshooting to the content of the failed script. To divide a
script, right-click it and select Clone. Using the policy numbers to determine and keep track of which policies
you delete, edit the files so that they each contain a different section of the script. Then, run both scripts.
Dividing scripts into two or more smaller scripts is also useful if you suspect the length of a script is causing the
execution to fail. Scripts that are too long fail without generating an error message.
In some cases, if a script fails, Fortinet recommends that you create a new script instead of editing or deleting
it, because files can sometimes remain after you delete a script. If you preserve the failed script, you can review
it and the error it generates later. In the following example, the config user server objects took several
attempts to run successfully.

Working with object output in indexed files

In some cases, output files are split into smaller, indexed files to make it easier to import them.

If a configuration contains nested groups, script execution can fail because groups defined in one file are
dependent on groups defined in another file.
If a script fails because of a missing dependency, remove the object that causes the failure. When you have
finished importing the scripts for the object type, delete the script you edited and import it again. Then, run the
script without editing it. Because the dependency is now included in the imported configuration, the unedited
script can execute successfully.
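
An alternative to the remove-and-reimport cycle described above is to reorder the group definitions so that
every nested group comes after the groups it contains. The following Python example is added here and is not
FortiConverter's own code: order_groups() takes the group definitions gathered from the indexed files, sorts
them in dependency order (a topological sort, refusing a cycle that no import order could satisfy), and
write_indexed_files() re-splits them into indexed scripts of a chosen size, each a complete config firewall
addrgrp ... end block. The sample groups, the per-file size and the function names are assumptions for the
example; the CLI syntax is the one used in the import examples earlier.

```python
from typing import Dict, List

# Constructed sample: group definitions as they might be spread across the indexed
# files, with nested groups that reference groups defined in a later file.
GROUPS: Dict[str, List[str]] = {
    "grp-all-sites": ["grp-branches", "grp-datacenter"],   # nested twice
    "grp-branches": ["grp-branch-east", "grp-branch-west"],
    "grp-branch-east": ["host-east-1", "host-east-2"],
    "grp-branch-west": ["host-west-1"],
    "grp-datacenter": ["host-dc-1", "host-dc-2"],
}


def order_groups(groups: Dict[str, List[str]]) -> List[str]:
    """Return group names so that each group comes after every group it contains.

    Members that are not groups (plain address objects) are assumed to be imported
    earlier from the address scripts and are ignored here. A cycle (A contains B,
    B contains A) can never be imported in any order, so it raises ValueError.
    """
    ordered: List[str] = []
    state: Dict[str, str] = {}  # "visiting" while on the stack, "done" when emitted

    def visit(name: str, chain: List[str]) -> None:
        if state.get(name) == "done":
            return
        if state.get(name) == "visiting":
            raise ValueError("group cycle: " + " -> ".join(chain + [name]))
        state[name] = "visiting"
        for member in groups[name]:
            if member in groups:          # only nested groups impose an ordering
                visit(member, chain + [name])
        state[name] = "done"
        ordered.append(name)

    for name in sorted(groups):          # sorted() keeps the output deterministic
        visit(name, [])
    return ordered


def render_group(name: str, members: List[str]) -> str:
    """One addrgrp entry in FortiOS CLI syntax."""
    quoted = " ".join(f'"{m}"' for m in members)
    return f'    edit "{name}"\n        set member {quoted}\n    next\n'


def write_indexed_files(groups: Dict[str, List[str]], per_file: int) -> List[str]:
    """Re-split the ordered groups into indexed scripts of at most per_file entries.

    Each script is a complete 'config firewall addrgrp ... end' block, so it can be
    imported on its own, provided the files are imported in index order.
    """
    names = order_groups(groups)
    scripts = []
    for start in range(0, len(names), per_file):
        chunk = names[start:start + per_file]
        body = "".join(render_group(n, groups[n]) for n in chunk)
        scripts.append("config firewall addrgrp\n" + body + "end\n")
    return scripts


if __name__ == "__main__":
    for index, script in enumerate(write_indexed_files(GROUPS, per_file=2), start=1):
        print(f"--- config-firewall-addrgrp-{index} ---")
        print(script)
```

Because the ordering is computed once over all groups, the dependency that spans two indexed files in the
failure described above ends up in an earlier file than the group that needs it.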

Troubleshooting

For any questions not covered in this content, contact FortiConverter customer support at fconvert_
[email protected].

Licensing Issues

FortiConverter is a single-user application. Using more than one user account may invalidate the Hardware ID.
If multiple users require the application, Fortinet recommends that you install it using a single, shared account,
on a remotely accessible host.
• A hardware layer change generates a new hardware identifier. For a physical host, this could occur when
installing the application on a new laptop, or installing a memory extension or a new network card. For a
virtual host, such as VMware, the hardware identifier may change because of an update in the
virtualization software, or because of a change to the virtual hardware configuration for that virtual host.
• Windows updates might affect the hardware ID, particularly .Net framework updates.
• If your license does change, contact customer services, [email protected], and include your serial number,
previous hardware identifier, and new hardware identifier. Customer services can update your FortiCare
records and you can then download the replacement license from the support portal.

Accessing conversion logs

In most cases, when FortiConverter has an internal problem, the application displays a message in the web UI
and adds an error message to a log file.
The logs capture all the conversion steps, including initialization, parsing (two logs), conversion, and reporting.
If the log indicates that FortiConverter encountered an internal error, or for help resolving other errors, contact
the FortiConverter team at [email protected].

Log location

The logs are stored at the following default location (ProgramData is a hidden folder):
C:\ProgramData\Fortinet\FortiConverter\logs\<date>
where <date> is the day the log was generated. For example, 2016-04-25.

Example logs

Logs are plain-text files. These examples have additional formatting to illustrate the different steps and
highlight errors.

Successful Juniper ScreenOS conversion

Info:
2016-04-25 16:58:10.2853
MainWizardPanel.btnStart_Click => MainWizardPanelPresenter.Initialize =>
ConverterManager.MakeANewConversionJob
Start a New Conversion: Juniper
Info:
2016-04-25 16:58:17.6680
BackgroundWorker.OnDoWork => VdomWizardPresenter._vsysPhaseCallWorker_DoWork =>
VdomConvertJob.DoConvertForGetVDOM
Parse VDOM: C:\Users\user\Desktop\Test Case Base\ScreenOS\test_sos.txt
Info:
2016-04-25 16:58:18.8052
BackgroundWorker.OnDoWork => JuniperWizardPresenter._firstPhaseCallWorker_DoWork =>
ConvertJob.DoConvertForFirstPhase
Parse: C:\Users\user\Desktop\Test Case Base\ScreenOS\test_sos.txt
Info:
2016-04-25 16:58:22.7495
BackgroundWorker.OnDoWork => VdomWizardPresenter._secondPhaseCallWorker_DoWork =>
ConvertJob.DoConvertForSecondPhase
Convert
Info:
2016-04-25 16:58:23.6636
ConvertJob.DoConvertForSecondPhase => ConvertJob.DoConvertForThirdPhase =>
ConvertJob.DoConvertReportPartial
Report: FGT

Failed Cisco conversion

The error message at the end of this example log indicates that FortiConverter encountered an internal error.

Info:
2016-03-29 18:59:33.8553
MainWizardPanel.btnStart_Click => MainWizardPanelPresenter.Initialize =>
ConverterManager.MakeANewConversionJob
Start a New Conversion: Cisco
Info:
2016-03-29 18:59:41.3151
BackgroundWorker.OnDoWork => VdomWizardPresenter._vsysPhaseCallWorker_DoWork =>
CiscoConvertJob.DoConvertForGetVDOM
Parse VDOM: C:\Users\user\Desktop\test_cisco.txt
Info:
2016-03-29 18:59:48.5378
BackgroundWorker.OnDoWork => CiscoWizardPresenter._firstPhaseCallWorker_DoWork =>
CiscoConvertJob.DoConvertForFirstPhase
Parse: C:\Users\user\Desktop\test_cisco.txt
Info:
2016-03-29 19:00:00.0919
BackgroundWorker.OnDoWork => MainWizardPanelPresenter._secondPhaseCallWorker_DoWork =>
ConvertJob.DoConvertForSecondPhase
Convert root
Error:
2016-03-29 19:00:38.1278
InterfaceALL.UpdatePolicyReference => InterfaceCollection.UpdatePolicyReference =>
PolicyOrg.HasReferencedInterface
Reference interface failed: Object reference not set to an instance of an object.
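
The log layout above is regular enough to parse. As an added Python example (not FortiConverter's own code),
parse_log() turns the Info:/Error: entries into records of level, timestamp, call chain and message, and
last_error() returns the entry that explains a failed conversion. The sample is the Cisco log shown above; the
continuation rule (a call-chain line that ends with "=>" continues on the next line, and the message runs until
the next level line) is my reading of the examples on this page, not a documented format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The failed Cisco conversion log from the guide (paths as printed there).
SAMPLE_LOG = """\
Info:
2016-03-29 18:59:33.8553
MainWizardPanel.btnStart_Click => MainWizardPanelPresenter.Initialize =>
ConverterManager.MakeANewConversionJob
Start a New Conversion: Cisco
Info:
2016-03-29 18:59:41.3151
BackgroundWorker.OnDoWork => VdomWizardPresenter._vsysPhaseCallWorker_DoWork =>
CiscoConvertJob.DoConvertForGetVDOM
Parse VDOM: C:\\Users\\user\\Desktop\\test_cisco.txt
Info:
2016-03-29 18:59:48.5378
BackgroundWorker.OnDoWork => CiscoWizardPresenter._firstPhaseCallWorker_DoWork =>
CiscoConvertJob.DoConvertForFirstPhase
Parse: C:\\Users\\user\\Desktop\\test_cisco.txt
Info:
2016-03-29 19:00:00.0919
BackgroundWorker.OnDoWork => MainWizardPanelPresenter._secondPhaseCallWorker_DoWork =>
ConvertJob.DoConvertForSecondPhase
Convert root
Error:
2016-03-29 19:00:38.1278
InterfaceALL.UpdatePolicyReference => InterfaceCollection.UpdatePolicyReference =>
PolicyOrg.HasReferencedInterface
Reference interface failed: Object reference not set to an instance of an object.
"""

LEVEL_RE = re.compile(r"^(Info|Warning|Error):\s*$")
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+$")


@dataclass
class LogEntry:
    level: str
    timestamp: str
    call_chain: List[str] = field(default_factory=list)   # one element per "=>" hop
    message: str = ""


def parse_log(text: str) -> List[LogEntry]:
    """Parse FortiConverter log text into entries.

    Layout assumed from the examples: a level line, a timestamp line, one or more
    call-chain lines (a line ending in '=>' continues on the next line), then the
    message, which runs until the next level line.
    """
    entries: List[LogEntry] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = LEVEL_RE.match(lines[i])
        if not m:
            i += 1                      # tolerate stray lines between entries
            continue
        entry = LogEntry(level=m.group(1), timestamp="")
        i += 1
        if i < len(lines) and TIMESTAMP_RE.match(lines[i]):
            entry.timestamp = lines[i]
            i += 1
        chain_text = ""
        while i < len(lines):
            chain_text += " " + lines[i].strip()
            i += 1
            if not lines[i - 1].rstrip().endswith("=>"):
                break
        entry.call_chain = [hop.strip() for hop in chain_text.split("=>") if hop.strip()]
        message_lines = []
        while i < len(lines) and not LEVEL_RE.match(lines[i]):
            message_lines.append(lines[i])
            i += 1
        entry.message = "\n".join(message_lines).strip()
        entries.append(entry)
    return entries


def last_error(entries: List[LogEntry]) -> Optional[LogEntry]:
    """The last Error entry, which is the one that explains a failed conversion."""
    errors = [e for e in entries if e.level == "Error"]
    return errors[-1] if errors else None


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed:
        print(f"{e.timestamp} {e.level:<5} {e.call_chain[-1]}: {e.message}")
    err = last_error(parsed)
    print("failing call:", " -> ".join(err.call_chain) if err else "none")
```

The innermost hop of the error's call chain, together with the message, is what to quote when you contact the
FortiConverter team about an internal error.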

Troubleshooting application crashes

In many cases, disabling NAT merge options can resolve an application crash that occurs during a conversion.
For example, for a Cisco PIX conversion, on the wizard Start Option page, click More, and then for each type of
NAT, select Off.
See the FortiConverter logs for detailed information about the cause of a crash. See Accessing conversion logs
on page 151.

Reviewing errors in a restorable FortiGate configuration

In the wizard, when you select Create a restorable config, FortiConverter creates a config file by appending
the converted source configuration to the target default configuration.
The output also includes any unconverted configuration items and errors, which you can review using the
config-error-log CLI command.

In many cases, one failed object causes many lines of output because the configuration uses it in multiple
places.
The error log provides a line number that helps you to locate a command associated with the problem. To help
you understand the problem, try entering the command in the CLI.
In the example, because of significant configuration changes since FortiOS 4.2, FortiConverter doesn't migrate
Data Leak Prevention (DLP) settings from 4.3 to 5.2 and instead records the errors.
Common errors include the following codes:
• -651 - Input value error. The CLI command is incorrect.
• -3 - Entry not found (see the illustration). The value given, such as a profile name, isn't configured.

Appendix

Adjusting table sizes

The conversion wizard Start options page allows you to specify whether FortiConverter allows larger table sizes
and group membership than default in the output configuration.
This is useful when, for example, the source configuration has a large address group and the target
configuration can accommodate the larger group. Otherwise, FortiConverter converts the large address group
into two or more smaller address groups for a single policy.
By default, FortiConverter uses the following maximum table sizes:
• Address groups – 2500
• Addresses per group – 300
• Custom service objects – 1024
When this option is selected, FortiConverter uses the following maximum table sizes:
• Address groups – 20000
• Addresses per group – 1500
• Custom service objects – 4096
The following image shows the output has created address groups with a limit of 300 members, but the source
config has instances with over 500 members. In this case, you can increase the address group membership
limit if the target device supports the higher value.

Table size settings file

When you select Adjust table sizes, FortiConverter uses the maximum table sizes in the file
TargetPlatformTablesizeSetting.txt, which is stored in the same folder as the FortiConverter executable file
(for example, using the default installation path,
C:\Program Files (x86)\Fortinet\FortiConverter\TargetPlatformTablesizeSetting.txt).
By default, the file contains the following values, which are suitable for high-end devices (for example,
FortiGate 1200D or higher):
Address groups: 20000
Addresses per group: 1500
Custom service objects: 4096

You can manually adjust these values by editing the file.
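
As an added example (not the product's own code), the following Python snippet reads the three limits in the
TargetPlatformTablesizeSetting.txt format shown above and applies the membership limit the way the
Adjusting table sizes section describes: an address group larger than "Addresses per group" is split into
smaller groups, and the number of groups that results is checked against "Address groups". The settings text
is a constructed copy of the values listed on this page, the built-in defaults are the ones listed under Adjusting
table sizes, and the sub-group naming scheme and function names are my assumptions, not FortiConverter's.

```python
from typing import Dict, List

# Constructed copy of the settings file as the guide lists it (high-end defaults).
SETTINGS_TEXT = """\
Address groups: 20000
Addresses per group: 1500
Custom service objects: 4096
"""

# Built-in limits the guide lists for when "Adjust table sizes" is not selected.
DEFAULT_LIMITS = {"Address groups": 2500, "Addresses per group": 300, "Custom service objects": 1024}


def parse_tablesize_settings(text: str) -> Dict[str, int]:
    """Parse 'Name: value' lines into a limit table; blank and '#' lines are skipped."""
    limits: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.rpartition(":")
        if not sep or not value.strip().isdigit():
            raise ValueError(f"unparseable table size line: {raw!r}")
        limits[key.strip()] = int(value)
    return limits


def split_group(name: str, members: List[str], per_group: int) -> Dict[str, List[str]]:
    """Split a group that exceeds per_group into numbered sub-groups (assumed naming).

    Groups within the limit are returned unchanged, so the caller can apply this to
    every group in the configuration without special-casing.
    """
    if len(members) <= per_group:
        return {name: list(members)}
    return {
        f"{name}-{index}": members[start:start + per_group]
        for index, start in enumerate(range(0, len(members), per_group), start=1)
    }


def fit_groups(groups: Dict[str, List[str]], limits: Dict[str, int]) -> Dict[str, List[str]]:
    """Apply the membership limit to all groups, then check the group-count limit."""
    result: Dict[str, List[str]] = {}
    for name, members in groups.items():
        result.update(split_group(name, members, limits["Addresses per group"]))
    if len(result) > limits["Address groups"]:
        raise ValueError(f"{len(result)} address groups exceed limit {limits['Address groups']}")
    return result


if __name__ == "__main__":
    big = {"branch-hosts": [f"host-{i}" for i in range(1, 501)]}   # constructed: 500 members
    print("default limits:", len(fit_groups(big, DEFAULT_LIMITS)), "groups")
    print("adjusted limits:", len(fit_groups(big, parse_tablesize_settings(SETTINGS_TEXT))), "groups")
```

With the built-in limit of 300 the 500-member group becomes two groups, which is the situation the image in
Adjusting table sizes illustrates; with the adjusted limit of 1500 it stays a single group.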

Viewing maximum table sizes for your target device

On your target system, enter the following command:

print tablesize

The maximum table sizes are displayed in a response similar to the following output:
firewall addrgrp: 0 20000 20000
firewall addrgrp: member: 1500 0 0
firewall service custom: 0 4096 0

NAT merge options

For Check Point and Cisco PIX conversions, you can select which types of NAT configuration FortiConverter
uses to generate output firewall policies, or whether FortiConverter derives its NAT-based policies based on
object names or object values.
Because it can take FortiConverter several hours to complete a conversion that includes a large number of NAT
rules, Fortinet recommends that you turn off NAT merge for all types of NAT for your initial conversion. Then,
after you resolve any issues with the conversion, run it again at a convenient time with NAT merge enabled.

NAT merge depth

The FortiConverter NAT merge feature compares the firewall policy source and destination address with
addresses in NAT rules. When these addresses overlap, FortiConverter uses the NAT rules to generate
additional policies in the output configuration.
If a policy has an address with a large range, it can overlap with many NAT rules, which generates many NAT
policies. Because output that includes a large number of NAT policies can be hard to review, FortiConverter
provides NAT merge depth options that can reduce the number of NAT policies.
The merge depth options control both the type of NAT to merge and the scope of the merge:
• When you select Off for a type of NAT, FortiConverter doesn't perform NAT merge using NAT rules of that
type. If it's turned off for all types, the output conversion contains the converted source configuration
policies only.
• When you select Object Names, FortiConverter generates policies based on NAT rules only where the
address name the rules use is found in a policy. For Cisco PIX, this option can also match NAT rules and
policies if they contain addresses that match exactly. For example, a source configuration NAT rule
dynamically translates the object "address1" (IP 10.10.10.10) to "200.200.200.200". The source
configuration also has three policies:
  • policy1: source address is "address1"
  • policy2: source address is "10.10.10.0-10.10.10.255"
  • policy3: source address is "all"
Only policy1 matches the NAT rule, because it shares the address object name; policy2 and policy3
don't match because they don't reference the name "address1".
Cisco PIX allows you to use an IP address to configure a NAT rule instead of a name, for example, the
NAT rule 10.10.10.10 to 200.200.200.200. When Object Names is selected, this NAT rule matches a
policy with source address 10.10.10.10, even though it doesn't refer to an object name, because they have
exactly the same IP range. This is a useful option if you make use of supernet addresses that would
match many address objects.
• When you select Object Values, FortiConverter generates policies based on NAT rules that have address
values that fall anywhere in the range specified by a policy (overlap).
For the example above, when Object Values is selected, the NAT rule that translates the object
"address1" (IP 10.10.10.10) to "200.200.200.200" matches both policy2 and policy3.
Object Values generates the most accurate matching of NAT rules and policies, but in most cases, it also
generates more NAT policies.
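
The three merge depths can be reproduced on the address1/policy1-3 scenario above. The following Python
example is added here and is not FortiConverter's code: Off matches nothing, Object Names matches only
policies that reference the NAT rule's address by name (plus, when the pix flag models the Cisco PIX case, a
policy whose address value is exactly the same range), and Object Values matches any policy whose address
range overlaps the rule's original address. The address objects, the extra PIX-style policy4, the unnamed PIX
rule and the function names are constructed for this example. Note that under Object Values policy1 matches
as well as policy2 and policy3, because its own value overlaps the rule; the text above lists only the two
additional matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPRange = ipaddress.IPv4Network


@dataclass(frozen=True)
class Address:
    """A source-config address; name is None for a PIX rule or policy written as a bare IP."""
    name: Optional[str]
    value: IPRange


@dataclass(frozen=True)
class NatRule:
    original: Address          # the object (or bare IP) the rule translates
    translated: IPRange        # the public address it is translated to


@dataclass(frozen=True)
class Policy:
    name: str
    source: Address


# Constructed to follow the guide's scenario; policy4 is an extra PIX-style policy.
ADDRESS1 = Address("address1", IPRange("10.10.10.10/32"))
POLICIES = [
    Policy("policy1", ADDRESS1),
    Policy("policy2", Address("net-10", IPRange("10.10.10.0/24"))),     # 10.10.10.0-10.10.10.255
    Policy("policy3", Address("all", IPRange("0.0.0.0/0"))),
    Policy("policy4", Address(None, IPRange("10.10.10.10/32"))),        # PIX-style bare IP
]
NAMED_RULE = NatRule(ADDRESS1, IPRange("200.200.200.200/32"))
PIX_IP_RULE = NatRule(Address(None, IPRange("10.10.10.10/32")), IPRange("200.200.200.200/32"))


def matches(rule: NatRule, policy: Policy, depth: str, pix: bool = False) -> bool:
    """Decide whether a NAT rule merges with a policy under the given merge depth."""
    if depth == "Off":
        return False
    src, orig = policy.source, rule.original
    if depth == "Object Names":
        if orig.name is not None and src.name == orig.name:
            return True
        # Cisco PIX: a rule and a policy written with the same exact range also match.
        return pix and src.value == orig.value
    if depth == "Object Values":
        return src.value.overlaps(orig.value)       # any overlap of the two ranges
    raise ValueError(f"unknown merge depth {depth!r}")


def merged_policies(rule: NatRule, policies: List[Policy], depth: str, pix: bool = False) -> List[str]:
    """Names of the policies for which FortiConverter would emit an extra NAT policy."""
    return [p.name for p in policies if matches(rule, p, depth, pix)]


if __name__ == "__main__":
    for depth in ("Off", "Object Names", "Object Values"):
        print(f"{depth:<14} named rule:  {merged_policies(NAMED_RULE, POLICIES, depth)}")
        print(f"{depth:<14} PIX IP rule: {merged_policies(PIX_IP_RULE, POLICIES, depth, pix=True)}")
```

The number of names returned for each depth is the number of extra NAT policies the conversion output
would carry for that rule, which is why a broad policy such as policy3 ("all") under Object Values multiplies
the output.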

New application features

Folders

The new FortiConverter application allows you to create separate folders for your conversions.

To add a folder

1. Click the New Folder option from the menu on the left.
2. Enter a name for your new folder and press OK.
Your new folder appears in the left menu.

To move conversions to a folder

1. Select a conversion.
2. Click the Change Folder button, located at the bottom.
3. Select a folder for your conversion and press OK.


Copyright© 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.
