FortiGate Firewall Configuration Migration – Technical Runbook
This article provides a detailed, step-by-step technical procedure for migrating firewall configurations between Fortinet FortiGate firewalls and from other OEM firewalls to FortiGate.
Pre-Migration Checklist (Mandatory)
Access & Readiness
- Confirm admin access to source and destination firewalls
- Ensure physical/console access to destination FortiGate
- Confirm approved maintenance window
Backup & Documentation
- Take full configuration backup of the source firewall
- Take initial backup of the destination FortiGate
Document the following from the source firewall:
- Interfaces and zones
- Routing (static/dynamic)
- Firewall policies
- NAT rules
- VPNs (IPSec / SSL)
- Security profiles (AV, IPS, Web Filter, App Control)
- Address and service objects
Compatibility & Licensing
- Verify destination FortiGate hardware model
- Verify FortiOS version compatibility
- Confirm required licenses are active:
  - FortiCare
  - AV / IPS / Web Filter / App Control
Rollback Plan
- Keep source firewall powered on and reachable
- Define rollback steps before starting migration
FortiGate → FortiGate Migration
Manual Migration Using Configuration Files
When to Use
- Hardware model change
- FortiOS major version change
- Partial configuration migration
Procedure
Step 1: Export Source Configuration
- Login to source FortiGate
- Navigate to: System → Settings → Backup
- Download full configuration file
Step 2: Review Source Configuration
- Open configuration file in a text editor
- Identify:
  - Interface names
  - Hardware-specific settings
  - Deprecated commands
Step 3: Clean Configuration
Remove:
- Hardware-specific interfaces
- HA/VDOM settings (if not required)
- Unsupported or deprecated commands
Step 4: Prepare Destination FortiGate
Complete initial setup and configure:
- Interfaces
- Management access
- Basic routing
Step 5: Apply Configuration Sections
Manually configure:
- Address objects and groups
- Service objects
- Firewall policies
- NAT policies
- VPN configurations
- Security profiles
Step 6: Validation
- Verify policy count and order
- Validate NAT translations
- Test internal and external traffic
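The policy count and order check in Step 6 can be scripted against the source and destination backup files. The following Python script is an added example, not part of the original runbook or of any Fortinet tool. It assumes single-VDOM backups whose policy values fit on one line; the function names, the sample rules and the interface map are constructed for illustration.

```python
import shlex

def parse_policies(text):
    """Return 'config firewall policy' entries in file order (FortiOS evaluates top-down)."""
    policies, cur, depth, sect = [], None, 0, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if sect is None and line == "config firewall policy":
                sect = depth
        elif line == "end":
            sect = None if sect == depth else sect
            depth -= 1
        elif sect == depth and line.startswith("edit "):
            cur = {"id": line.split()[1]}
        elif sect == depth and line == "next" and cur is not None:
            policies.append(cur)
            cur = None
        elif sect == depth and cur is not None and line.startswith("set "):
            words = shlex.split(line)  # assumption: single-line, balanced quotes
            cur[words[1]] = tuple(words[2:])
    return policies

def fingerprint(p, ifmap):
    """Fields that decide what a rule matches; interface names go through ifmap."""
    intf = [tuple(ifmap.get(i, i) for i in p.get(f, ())) for f in ("srcintf", "dstintf")]
    rest = [p.get(f, ()) for f in ("srcaddr", "dstaddr", "service", "action")]
    return tuple(intf + rest)

def compare_order(src, dst, ifmap):
    """List count and per-position differences between two parsed policy lists."""
    findings = []
    if len(src) != len(dst):
        findings.append(f"count differs: source={len(src)} destination={len(dst)}")
    for pos, (s, d) in enumerate(zip(src, dst), 1):
        if fingerprint(s, ifmap) != fingerprint(d, {}):
            findings.append(f"position {pos}: source id {s['id']} vs destination id {d['id']}")
    return findings

# Constructed sample data: the destination holds the same two rules in swapped order.
DENY = 'edit 3\nset srcintf "{i}"\nset dstintf "{o}"\nset dstaddr "blocked-hosts"\nnext\n'
ALLOW = 'edit 1\nset srcintf "{i}"\nset dstintf "{o}"\nset dstaddr "all"\nset action accept\nnext\n'
WRAP = "config firewall policy\n{}end\n"
SRC = WRAP.format((DENY + ALLOW).format(i="port2", o="port1"))
DST = WRAP.format((ALLOW + DENY).format(i="internal", o="wan1"))
IFMAP = {"port1": "wan1", "port2": "internal"}  # source -> destination names (constructed)

if __name__ == "__main__":
    print(compare_order(parse_policies(SRC), parse_policies(DST), IFMAP))
```

An empty result means the count and every position match; each finding names the position to inspect by hand, since a deny rule that moved below an allow rule changes what traffic is permitted.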
Migration Using FortiConverter Tool
Procedure
Step 1: Install FortiConverter Tool
- Download and install FortiConverter on a local system
Step 2: Upload Source Configuration
- Open FortiConverter
- Upload source FortiGate configuration file
Step 3: Select Destination Details
- Select target FortiGate model
- Select target FortiOS version
Step 4: Run Conversion
- Start conversion process
- Review conversion summary and warnings
Step 5: Review Converted Output
Validate:
- Firewall policies
- Address and service objects
- NAT rules
Step 6: Import to Destination FortiGate
- Upload converted configuration
- Commit configuration
Step 7: Testing
- Verify traffic flow
- Monitor logs for anomalies
Migration Using FortiConverter Service
When to Use
- Large or complex environments
- Multiple VDOM deployments
- Business-critical firewalls
- Cross-hardware model migrations
- When internal team does not want to perform manual conversion
Overview
FortiConverter Service is a Fortinet-delivered migration service where Fortinet engineers perform the configuration conversion. This is different from the FortiConverter Tool (self-managed software). The workflow, prerequisites, licensing, and execution process are different.
This method is commonly used for:
- FortiGate to FortiGate migrations across different hardware models
- OEM firewall to FortiGate migrations
- Enterprise production firewalls
Prerequisites
License Requirements
- Destination FortiGate must have active FortiCare support
- Required security licenses must be active (AV, IPS, Web Filter, App Control)
- FortiConverter Service entitlement (if applicable under contract)
Organization-Level Registration
- Destination FortiGate must be registered in the Fortinet Support Portal
- Device must be linked to the correct organization account
- Engineer raising the request must have support portal access and ticket creation permission
Configuration & Access Requirements
The following must be ready before raising request:
- Full source firewall configuration backup
- Source firewall firmware version
- Destination FortiGate model
- Target FortiOS version
- Network topology diagram (recommended)
- Planned interface mapping details
Step-by-Step Procedure
Step 1: Initiate FortiConverter Service Request
- Login to Fortinet Support Portal
- Navigate to: Support → Create New Ticket
- Select category: Configuration Migration / FortiConverter Service
- Provide:
  - Source vendor and model
  - Source firmware version
  - Destination FortiGate model
  - Target FortiOS version
- Upload source configuration file
- Mention maintenance window
Step 2: Provide Interface Mapping
Provide clear interface mapping in structured format:
| Source Interface | IP/Subnet | Destination Interface | Purpose |
|---|---|---|---|
| port1 | Public IP | wan1 | Internet |
| port2 | LAN subnet | internal | LAN |
Clear mapping ensures accurate conversion.
Step 3: Conversion by Fortinet Team
Fortinet engineers will:
- Analyze configuration
- Convert firewall policies
- Convert NAT rules
- Convert address/service objects
- Convert VPN configurations
- Adjust syntax for target FortiOS
- Provide converted configuration file and summary report
Step 4: Review Converted Configuration
After receiving converted configuration:
- Review policy count and order
- Validate object groups
- Verify NAT translations
- Check VPN configurations
- Review any manual action notes
- Identify unsupported features
Step 5: Import Configuration
- Take full backup of destination FortiGate
- Upload converted configuration
- Restore configuration
- Reboot device if required
Step 6: Post-Migration Validation
Validate the following:
- Interface IP addressing
- Routing table entries
- Firewall policy order and hit count
- NAT functionality
- VPN tunnel status
- Security profile attachment
- Log generation
Test:
- Internal to Internet traffic
- Inter-VLAN communication
- Published services
- Business-critical applications
Known Limitations & Dependencies
- Some OEM-specific features may not convert 1:1
- Custom scripts must be recreated manually
- SD-WAN may require manual optimization
- HA configuration typically requires manual setup after import
- Policy order must always be verified manually
- Interface naming differences must be validated
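Before submitting the interface mapping from Step 2, and again when validating interface naming differences, it helps to confirm that every interface the source configuration references has a row in the mapping table. The following Python script is an added example, not part of the original runbook or of any Fortinet tool. The keyword list in `REF_KEYS` is an assumption and is not exhaustive, and the sample table and configuration are constructed.

```python
import re

# Assumption: settings that commonly carry interface names in a FortiOS backup.
REF_KEYS = ("srcintf", "dstintf", "interface", "device", "associated-interface", "extintf")
REF_RE = re.compile(r'^[ \t]*set[ \t]+(%s)[ \t]+(.+)$' % "|".join(REF_KEYS), re.M)

def parse_mapping_table(table):
    """Read the pipe-delimited mapping table into {source_interface: destination_interface}."""
    rows = (r.strip().strip("|").split("|") for r in table.strip().splitlines()[2:])
    return {c[0].strip(): c[2].strip() for c in rows if len(c) >= 3 and c[0].strip()}

def interface_references(config_text):
    """Return {interface_name: sorted setting keywords that reference it}."""
    refs = {}
    for key, value in REF_RE.findall(config_text):
        for name in re.findall(r'"([^"]+)"', value):
            refs.setdefault(name, set()).add(key)
    return {name: sorted(keys) for name, keys in refs.items()}

def unmapped_interfaces(config_text, mapping, ignore=("any",)):
    """Interfaces the source config uses that the mapping table does not cover."""
    refs = interface_references(config_text)
    return {n: k for n, k in refs.items() if n not in mapping and n not in ignore}

# Constructed sample input: port3 is used by a VPN but missing from the table.
MAPPING_TABLE = """
| Source Interface | IP/Subnet | Destination Interface | Purpose |
|---|---|---|---|
| port1 | Public IP | wan1 | Internet |
| port2 | LAN subnet | internal | LAN |
"""
SOURCE_CONFIG = """
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
    next
end
config vpn ipsec phase1-interface
    edit "branch-vpn"
        set interface "port3"
    next
end
"""

if __name__ == "__main__":
    print(unmapped_interfaces(SOURCE_CONFIG, parse_mapping_table(MAPPING_TABLE)))
```

Any name in the result needs a mapping row or a decision to drop the objects that reference it before the configuration is converted.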
Best Practices
- Always perform migration during maintenance window
- Keep source firewall powered on until validation completes
- Test critical rules individually
- Maintain rollback readiness
- Take final backup after successful validation
Rollback Plan
If issues occur:
- Disconnect destination FortiGate
- Reconnect source firewall
- Restore original routing
- Investigate converted configuration offline
Do not decommission the source firewall until full validation is complete and stakeholder approval has been obtained.
Other OEM Firewalls → FortiGate
Palo Alto Networks → FortiGate
Procedure
- Export full configuration in XML format
- Upload configuration to FortiConverter Tool
- Select target model and FortiOS version
- Run conversion
- Review conversion report
- Import to FortiGate
- Validate policies and NAT
Check Point → FortiGate
Procedure
- Export R80+ database
- Upload configuration into FortiConverter Tool
- Convert security policies and objects
- Review rule order
- Import into FortiGate
- Validate VPN and traffic flow
Post-Migration Validation Checklist
- Verify interface status and IP addressing
- Validate routing table
- Confirm NAT translations
- Test business-critical applications
- Verify VPN tunnel status
- Confirm security profile enforcement
- Monitor firewall logs and traffic
Handover & Documentation
- Upload final FortiGate configuration backup
- Update migration documentation
- Share validation results with stakeholders
- Obtain sign-off and close migration activity
Conclusion
Following this structured migration runbook ensures reduced risk, predictable outcomes, and operational continuity for FortiGate firewall migrations.