FortiConverter - Release Notes Version 6.0.2

TABLE OF CONTENTS

Introduction
What's new
System requirements
Upgrading
Supported versions and conversions
Resolved issues
Known issues

FortiConverter 6.0.2 Release Notes, Fortinet Technologies Inc.

Introduction

This document provides installation instructions and requirements, resolved issues, and known issues for FortiConverter 6.0.2, build 0115.

FortiConverter provides a solution for the conversion of numerous configurations into a FortiOS-compatible format. It currently supports the conversion of Cisco, , Juniper, SonicWall, Palo Alto Networks, McAfee, Forcepoint, , Vyatta, , WatchGuard, Huawei, Alcatel-Lucent Brick, and FortiGate configurations. FortiConverter can also convert IPS rules to custom signatures, as well as the Bluecoat proxy and IBM IPS sensor.

FortiConverter 6.0.2 provides a browser/server-based application. Because it is designed as a web application, its database lets you save conversions and supports large source-firewall configurations. The new GUI design is intended to improve usability and provide a framework for new functionality.

The FortiConverter 6.0.2 application now supports FortiOS from 6.0 to 6.4. Users can use the migration report to review the results of third-party vendor conversions. The REST API feature now supports connecting to and authorizing the FortiGate device by API token.

For all conversions, you can complete conversion and view the results on the tuning page. All other functionality is disabled until you upgrade to the full license. In most cases, this limited functionality is sufficient to evaluate the product.

If your license expires and you do not renew the license, the functionality reverts to the trial version.

FC-10-CON01-401-01-12: 1-year multi-vendor configuration migration tool for building FortiOS configurations. Windows OS is required.

FC-10-CON01-401-02-12: 1-year renewal multi-vendor configuration migration tool for building FortiOS configurations. Windows OS is required.

For additional documentation, please visit https://docs.fortinet.com/product/forticonverter/.

What's new

This release contains the following new features and enhancements:

- Added support for generating migration reports for third-party vendor conversions.
- Added support for using an API token to connect to and authorize the FortiGate device.
- Bluecoat conversion enhancement.
- Zone configuration on the tuning page.
- The PostgreSQL version is upgraded from 9.6 to 12.4.
- The Python version is upgraded to 3.7.


System requirements

FortiConverter is tested to run on the following Microsoft Windows 64-bit platforms:

- Microsoft Windows 10
- Microsoft Windows 8
- Microsoft Windows 7
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012

If your Windows OS or Windows Server version isn't listed above, contact FortiConverter support at fconvert_ [email protected].

Upgrading

FortiConverter has no special upgrade requirements. You may overwrite an existing installation with a different version. However, do not uninstall the existing version, because the original DB binaries are required during database migration.

Note that the FortiGate-to-FortiGate REST-API install is not backward compatible. You won't be able to open a FortiGate conversion page that was run by the old version of FortiConverter.

For additional support, contact [email protected].


Supported versions and conversions

FortiConverter can translate configurations from the following vendors and models. Unless noted as an exception below, conversions only support IPv4 unicast policy. If FortiConverter cannot properly translate one of the supported configurations listed in the table below, please contact product support at [email protected].

Vendor Models Versions Convertible Objects

Vendor: Alcatel-Lucent
Model: Brick
Versions: ALSMS v9.x
Convertible objects:
- Interface (physical, logical, loopback, PPPoE)
- Addresses & Address Books
- Partitions
- Services & Service Books
- Static Routes
- Zone rule set

Vendor: Bluecoat
Model: SGOS
Versions: 6.5.10, 6.7.4
Convertible objects:
- Addresses & Address Groups
- Proxy Address (group)
- Service
- Proxy Policy

Vendor: CheckPoint
Models and versions:
- SmartCenter: NGFP1 (4.0) to NGX R80
- Provider-1: NGX R65 to R80
Convertible objects:
- Interface
- Addresses & Address Groups
- Local Users & Groups
- NAT
- Negate Cell
- Policies (rulebases.fws/*.csv)
- RADIUS, TACACS+, LDAP
- Rules (rulebases.fws/*.csv)
- Schedules
- Services & Service Groups
- Static Routes
- VPN communities (IPSec site-to-site)


Vendor: Cisco
Models and versions:
- ASA: 7.x/8.x/9.x
- FWSM: 3.x/4.x
- IOS: 10.x to 12.x, 15.x
- PIX: 5.x/6.x/7.x/8.x
- Firepower: 6.x
Convertible objects:
- ACLs
- Addresses & Address Groups
- DHCP Servers
- DNS Servers
- Interface
- IP Pools
- Local Users & Groups
- NAT (Central NAT)
- RADIUS, TACACS+, LDAP
- Services & Service Groups
- Static Routes
- VPN

Models and versions:
- IOS XR: 4.x/5.x/6.x
- Nexus: 5.2/6.x/7.x
Convertible objects:
- Addresses & Address Groups & FQDNs
- Interface
- IPPools
- Policies
- Services & Service Groups
- Static Routes

Vendor: FortiGate
Model: FortiOS
Versions: FOS5.2 and above
Convertible objects: FortiGate configuration can be converted based on the version of the target FortiGate device (we suggest migrating to FortiOS 6.0 and above). However, note that:
- Older features might be deprecated and may not be fully converted over.
- The review is necessary. After importing the converted configuration, any CLI commands that have not successfully imported can be reviewed on the page.
- For more details, please see the "FortiGate configuration migration" section in the admin guide.

Vendor: Huawei
Model: USG Series
Convertible objects:
- Interface
- Zone
- Addresses & Address Groups
- Services & Service Groups
- Policy
- Route
- Zone
- IPSec Policy (VPN)
- Security Context
- Nat Policy (SNAT)
- Nat Server (VIP)

IBM PAM IPS Sensor

Vendor: Juniper
Model: SSG/ISG
Versions: ScreenOS 4.x, 5.x, 6.x
Convertible objects:
- Addresses & Address Groups & FQDNs
- DHCP Servers & Clients & Relays
- Interfaces
- Static Routes
- Services & Service Groups
- Policies
- VIPs/MIPs
- NAT
- IP Pools
- VPN
- Local Users & Groups
- RADIUS & LDAP
- Zones

Model: SRX
Versions: Junos OS 10.x to 18.x
Convertible objects:
- Addresses & Address Groups & FQDNs
- DHCP Servers & Client & Relay
- Interfaces
- IP Pools
- Local Users & Groups
- NAT
- Policies
- RADIUS & LDAP
- Services & Service Groups
- Static Routes
- VIPs/MIPs
- VPN (IPSec site-to-site)
- Zones
- Routing-instances (virtual-router)

Model: MX
Versions: Junos OS 10.x to 12.x
Convertible objects:
- Addresses & Address Groups & FQDNs
- Interfaces
- IP Pools
- Policies
- Services & Service Groups
- Static Routes

Vendor: McAfee
Model: Sidewinder
Versions: 7.x, 8.x
Convertible objects:
- Addresses & Address Groups & FQDNs
- Interfaces
- IP Pools
- Policies
- Services & Service Groups
- Static Routes

Vendor: Forcepoint
Model: Stonesoft
Versions: 5.7 - 6.7
Convertible objects:
- Addresses & Address Groups
- Interfaces
- Policies/Sub-policy
- Alias
- Services & Service Groups
- Static Routes
- NAT

Vendor: Palo Alto Networks
Model: PAN OS
Versions: PAN-OS 1.x to 8.x
Convertible objects:
- Addresses & Address Groups & FQDNs
- Interfaces
- Local Users & Groups
- NAT
- Policies
- Schedules
- Static Routes
- Services & Service Groups
- Zones
- VPN
- Panorama

Snort IPS rules

Vendor: SonicWall
Models: TZ Series, NSA Series
Versions: SonicOS 4.x, 5.x, 6.x
Convertible objects:
- Addresses & Address Groups & FQDNs
- DHCP Servers & Clients & Relays
- Interfaces
- Local Users & Groups
- NAT
- Policies
- Schedules
- Services & Service Groups
- Static Routes
- Zones
- VPN (IPSEC site to site)
- SSLVPN

Vendor: Sophos
Models and versions:
- XG Series: SFOS 17.0 - 17.5 MR3
- Cyberoam: Cyberoam OS 10.6.3 onward
Convertible objects:
- Interface
- Zone
- Addresses & Address Groups
- Service & Service Groups
- Users & User Groups
- Policy

Vendor: Tipping Point
Model: IPS
Versions: 4.5
Convertible objects:
- Addresses & Address Groups
- Policies
- Services & Service Groups

Vendor: Vyatta
Model: VyOS
Versions: 5.2 to 6.7
Convertible objects:
- Interface
- Zone
- Addresses & Address Groups
- Services & Service Groups
- Policy
- Route

Vendor: WatchGuard
Models: Firebox Series, XTM Series
Versions: Fireware 11.3 to 12.6
Convertible objects:
- Interfaces
- Addresses & Address Groups
- Services & Service Groups
- Policies
- Static Routes
- IPSec VPN
- NAT

Exception

- Check Point to FGT conversion can support IPv4 multicast policy.
- Check Point, Cisco, and Juniper (Junos only) to FGT conversion can support IPv6 unicast policy.

Resolved issues

The resolved issues listed below don't include every bug that has been corrected in this release. For inquiries about a particular bug, please email support at [email protected].

Bug ID Description

645199 Sonicwall: DHCP settings causes the Fortigate to enter a loop which renders it inaccessible

607831 Stonesoft: Duplicate IP pools are not removed after conversion.

607885 Stonesoft: Incorrect VDOM association.

607869 Stonesoft: Undefined address referenced.

640768 Cisco: SSL VPN port is incorrectly mapped

624008 Cisco IOS: VLANs don’t have any physical interface associated with them.

642395 Check Point conversion central NAT interface issue.

641632 Sonicwall: Displaying warning message for DHCP Server settings.

646220 Central NAT cannot create a new entry or copy config from one VDOM to another.

645640 Cisco Security Context conversion does not return any configuration.

608680 Huawei: IPSEC conversion issues.

647064 Converted IP-pools and address-groups cause conflict when the names are the same for both.

647068 Converting VPN routes with route based VPN’s does not route the traffic to VPN tunnels.

647066 "aaa-server" with the same name should be added as secondary/tertiary rather than adding individuals under one group.

647069 FortiConverter creates a user with password 12345 and assigns it to the user-group of the group-policy name.

638316 Cisco: Identity NAT support while using central NAT feature.

649418 Duplicate VIPs for Palo Alto paired static NAT conversions.

647258 Checkpoint dynamic object support.

649633 PPPoE interfaces are not converted in Cisco ASA.

632040 PAN conversion of VIPs need to be enhanced when the central NAT mode is enabled.


632155 PAN - source & destination NAT policy should be changed as is.

593010 Ability to convert Sidewinder firewall config.

601776 Juniper SRX IPSEC VPN conversion not complete.

595980 ScreenOS VIP objects are converted into "load-balance" VIPs.

649982 Cisco: Invalid IPSec phase2 name in VPN IPSec Forticlient settings.

597816 Policy statements in SRX should be converted into prefix-lists + route-maps.

650034 Interface mapping does not accept interfaces that are manually typed in

647065 FortiConverter does not take into account multiple address pools defined in a tunnel-group.

518073 Missing firewall VIPs after conversions.

640421 FortiConverter is not converting Cisco ASA SSL anyconnect configuration in the right way.

650909 Interfaces removed on FortiConverter Interface page still appear in policies.

651705 Where policy number is started at 1 additional policies created during conversion create duplicate numbered policies.

652400 Make "New Line in Comments" a conversion option.

655417 Palo Alto: VPN DDNS gateway needs to be set.

655971 Getting "string value is too long. the size is 48, the limit is 35" for vpn ipsec forticlient.

655646 Sophos: aggregate interfaces not getting converted.

655408 Cisco Context: unable to select physical interfaces for interface mapping.

655967 Juniper SSG: undefined service objects referenced in policies.

655418 Palo Alto: Incorrect interface associated with a static route.

656831 Juniper SSG: remove incomplete Radius server configuration.

550192 System admin account & trusted hosts shall be converted properly while FGT to FGT conversion.

590017 Watchguard: Firewall policies fail because of undefined interfaces

607123 FGT-FGT conversion cannot parse out FOS version and build info


Known issues

The issues listed below do not include every known bug. For questions about a particular bug, please email FortiConverter support at [email protected].

Bug ID Description

580729 The Check Point original policy still exists after central NAT merge.

594510 Support dynamic and DDNS type of Checkpoint VPN communities.

668537 Support prefix, suffix, replace for addresses, address groups, services, service groups

667112 ASA Conversion - Suggestion to convert multiple contexts sharing an interface into EMAC port/vlan.

649871 NGFW policy mode option for PAN conversion.

666367 Device summary GUI should highlight errors and hyperlink to associated Tuning page with highlighted errors.

551341 Ability to Convert Cisco Sourcefire IPS rules to Fortigate IPS rules.

655413 Palo Alto: Extra Interfaces created in converted configuration.

580490 Stonesoft Conversions - resolve source and destination interfaces in firewall policy.

Copyright © 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.