PAGE 2
Introduction
There is often a reluctance to change firewall vendors due to the perception that the migration process is difficult. Indeed,
there is no point hiding the fact that moving to a new vendor requires careful consideration. But concern over the potential
pain of migration should not stand in the way of adopting new security technologies. The purpose of this document is to
describe the best practices for performing such migrations, the benefits a migration process can achieve, and ultimately to
ease the migration process itself.
When faced with migrating to a new firewall vendor, the person who signs off the security budget may consider simply
renewing the existing solution the safer route (from a career perspective). The drawback of such a decision is being stuck
with a vendor who has a lack of vision and has failed to innovate to stay abreast of changes to the networking environment
and threat landscape. Whether it is a lack of new features in the hardware (such as line-rate firewall throughput or very low
latency) or software (such as application control, data loss prevention and WAN optimization), staying with a legacy firewall
has its costs. These costs include increased deployment and configuration challenges, management difficulties, and the
need to complement the solution with additional point products.
The additional functionality and performance a FortiGate solution provides is a strong driver to justify the migration effort. Its
per-device pricing means that you will be able to add functionality, such as antivirus/antispyware, application control,
web filtering, intrusion prevention, antispam, WAN optimization, or IPSec and SSL VPN, at a similar or lower renewal cost to
that of your existing firewall-only vendor.
PAGE 3
reductions in rack space, power, and cooling requirements. Reducing the amount of space and power consumed is of
critical importance in any data center.
Fortinet can take the consolidation one further step by consolidating multiple devices into a single appliance via the use
of Virtual Domains (VDOMs). FortiGate VDOM technology allows multiple logical firewalls to be run on a single physical
device, reducing the firewall footprint even further.
Feature Rich Security
The features and benefits of a FortiGate solution are described in detail at www.fortinet.com, but Figure 1 below shows the
wide range of security and networking technologies that are integrated into the FortiGate platform:
When considering a Fortinet solution, you may currently have requirements for only one or two of the features described
above. However, there may be an opportunity at a later date to consolidate additional functionality (or add security services
not currently provided with your existing infrastructure) in order to realize additional cost savings. The Fortinet solution is
infinitely flexible; the remaining features are available at any time should you need to switch them on to help resolve an
immediate need, increasing the future ROI significantly.
Threat evolution
Security is a dynamic industry and new threats are developing and evolving constantly. The best defense against such a
dynamic threat is a dynamic threat prevention system. Consider the botnet, the scourge of the security industry and source
of most spam and denial of service attacks. Fortinet protects against such activity via multiple layers of complementary
security:
Antivirus: Prevents infections that lead to the install of the botnet software
Antispam: Prevents the resulting spam from the botnets (primary source of spam)
Application Control: Detects and blocks botnet activity on the network
Intrusion Prevention: Prevents dial home, propagation activity and known exploits
Web Filtering: Blocks access to known malware and drive-by download sites
The FortiGate solution, together with the FortiAnalyzer logging and reporting system, provides deep visibility into the security
and activity on the network. Together these facilities can be used to enable compliance with key standards such as PCI, SOX,
and Data Protection. As the standards have evolved, so too have Fortinet solutions, to provide deeper visibility and greater
reporting capabilities to help adhere to these standards.
PAGE 4
Knowledge Base
For the more technical questions, and for tips and tricks, there is the Fortinet Knowledge Base http://kb.fortinet.com/. This is
a system maintained by the Fortinet Support TAC and contains details of the most common issues and how to resolve
them, as well as information such as interoperability guides (how to VPN to a Cisco PIX).
There is also a link to the FortiTips site, containing short videos describing everything from how to cable the FortiGate,
how to configure the external interface and how to back the system up through to the more complicated configuration of
the IPS and using Identity Based Policies.
Training
Fortinet offer many levels of product training for the varying levels of requirements. There are the simple FortiTips
described above as well as a host of free self-paced training videos to be found on the Fortinet Campus
(http://campus.training.fortinet.com/). These include more detailed courses such as FortiGate 101, Introduction to
Cryptography and IPSec Debugging. They are free of charge and can be accessed at your leisure.
Should you have a requirement for more formal, complete, classroom style training, there are several courses and
exams which can be sat to achieve your FCNSA and FCNSP qualifications. These courses are run both in house and
via our Authorized Training Centers across the globe, details of which can be found via
http://campus.training.fortinet.com/.
PAGE 5
The key to the success of any project, particularly a firewall migration, is planning. A common methodology used in such projects is the
Plan Do Check Act cycle [1], illustrated by Figure 2. It is an iterative cycle, so multiple passes can be made:
Plan: Audit the network; review the existing policy; develop a test plan.
Do: Migrate the policy to the new hardware.
Check: Validate the policy.
Act: Make the necessary changes following validation.
Plan: Go live.
Following such a structured methodology is useful to minimize disruption to the network users and reduce risk. Some of the
common steps in this cycle are described in more detail below.
Information Gathering
It is always a good idea to perform a full network audit prior to any migration. This should include:
Full back up of all security systems (including switches, routers) in case a back-out needs to be performed.
Physical and logical network diagram with visual audit
Understanding exactly where cables run in the network and verifying they are all correctly labeled is essential to avoid
mistakes and unnecessary downtime during the upgrade. Don't overlook simple things such as:
Do I have the right fiber (single/multi mode) and the right connectors (LC, FC, MTRJ, SC, ST)?
Do I have spare cables? (In the heat of the moment, it is a simple mistake to break an RJ-45 connector or damage
a fiber.)
No matter how securely a FortiGate is configured in the network, it cannot help if it has been bypassed; visually
checking where the device sits in the network in relation to other devices will ensure you are maintaining security and
verify the network diagram is as built. Details of all networks including subnet masks should be documented at this
point to ensure that the replacement device is configured with the correct information.
[1] http://en.wikipedia.org/wiki/PDCA
PAGE 6
Configuration Analysis
Given that you are going to the effort of migrating the firewall policy, it would be pointless to migrate it verbatim. It
is a perfect time to verify that the policy adheres to the corporate standard, that temporary rules have not been
accidentally left in place, and that additional permissions given to users are not being misused. Over time, the live
configuration tends to creep away from the security policy, so check the existing firewall rules and functions to see what
is out of conformance and needs removing, what is superfluous, and what needs to be added.
FortiGate firewalls support transparent user based authentication with Active Directory so you can remove all of those
static IP addresses that have been created for individual users and move to a more dynamic, location independent
method of filtering to reduce the risk of incorrectly applied policy.
Object and Policy Migration
While we have suggested that some level of manual review be included in the policy migration, it can be useful to be able to
migrate automatically from another vendor's format to the FortiGate format. The FortiGate policy format is
text based and can easily be cut and pasted into from other vendor formats. However, responding to the high customer
demand to migrate away from other vendors, Fortinet have released an automatic configuration migration tool at
https://convert.fortinet.com/ to simplify this process. Supporting Cisco ACLs, PIX, ASA, Check Point and Juniper, the
Converter can securely upload and convert the policy into the Fortinet format.
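The review described under Configuration Analysis can be partly automated because, as noted above, the FortiGate policy format is plain text. The following is an added example, not code from the white paper or from Fortinet: it parses a constructed `config firewall policy` block in the assumed FortiOS CLI syntax and flags rules that should not be migrated verbatim (temporary rules, any/any/ALL accepts, and per-host static IP sources that are candidates for identity-based policy). The sample configuration and the check thresholds are assumptions.

```python
import re

# Constructed sample in FortiOS CLI syntax (assumed format, not from the paper).
SAMPLE = """config firewall policy
    edit 1
        set srcaddr "lan-users"
        set dstaddr "all"
        set action accept
        set service "HTTP" "HTTPS"
    next
    edit 2
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set comments "temp rule for audit, remove after June"
    next
    edit 3
        set srcaddr "10.1.1.5"
        set dstaddr "fileserver"
        set action accept
    next
end"""

def parse_policies(text):
    """Return {policy_id: {attribute: [values]}} from a 'config firewall policy' block."""
    policies, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"edit (\d+)", line):
            current = policies.setdefault(int(m.group(1)), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.fullmatch(r"set (\S+) (.+)", line)):
            # Values are whitespace separated; multi-word values are double quoted.
            current[m.group(1)] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', m.group(2))]
    return policies

def review(policies):
    """Flag rules that the pre-migration review should question rather than copy."""
    findings = []
    for pid, p in policies.items():
        if re.search(r"\btemp", " ".join(p.get("comments", [])), re.I):
            findings.append((pid, "temporary rule left in place"))
        if p.get("action") == ["accept"] and p.get("srcaddr") == ["all"] \
                and p.get("dstaddr") == ["all"] and p.get("service") == ["ALL"]:
            findings.append((pid, "any/any/ALL accept rule"))
        # Heuristic: an address object named as a bare IP is a per-user static entry.
        if any(re.fullmatch(r"\d+\.\d+\.\d+\.\d+", a) for a in p.get("srcaddr", [])):
            findings.append((pid, "static per-host IP source, candidate for identity-based policy"))
    return findings
```

Running `review(parse_policies(SAMPLE))` reports policies 2 and 3; policy 1 passes because it is restricted to a named user group and two services.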
PAGE 7
Conclusion
Migrating firewall vendors is perceived as a daunting task, a perception which some vendors rely on to maintain their customer base. Knowing this, Fortinet
have provided a complete toolset to aid the migration to Fortinet, from free self-paced training to rule set conversion utilities.
The Fortinet solution is so feature rich that migrating away from your existing vendor makes both technical and commercial
sense, and with careful planning and help along the way from Fortinet, it needn't prevent you from making the leap. Trade-in
incentive programs are available from Fortinet to further help the process, so contact your Fortinet account manager today
to see just how much you can benefit from a Fortinet solution.
WP-FW-UPGRADE-R1-201008