FortiConverter - Release Notes

Version 6.0.0
TABLE OF CONTENTS

Introduction
What's new
System requirements
Upgrading
Supported vendors & configuration objects
Resolved issues
Known issues

FortiConverter 6.0.0 Release Notes 2


Fortinet Technologies Inc.
Introduction

This document provides installation instructions and caveats, resolved issues, and known issues for
FortiConverter 6.0.0, build 0035.

FortiConverter provides a solution for the conversion of numerous firewall configurations into a FortiOS-
compatible format. It currently supports the conversion of Cisco, Check Point, Juniper, SonicWall, Palo Alto
Networks, McAfee, Forcepoint, Trend Micro, Vyatta, Sophos, WatchGuard, Huawei, Alcatel-Lucent Brick, and
FortiGate configurations.
FortiConverter can also convert Snort IPS rules to custom signatures, and convert Bluecoat proxy configurations.

FortiConverter 6.0.0 provides a browser/server-based application. Starting with this version, the legacy
application is no longer supported. Because it is designed as a web application, its database allows you
to save conversions and supports large source-firewall configurations. The new GUI design is intended to
improve usability and provide a framework for new functionality.

The installer is available on the support site:


FortiConverterSetup_6.0.0_Build0035.py.exe is the new application.

The new application uses the same license key as the legacy tool and should install on the same host.
The new FortiConverter 6.0.0 application supports the remaining vendors, such as Cisco IOS XR
and Nexus, Alcatel-Lucent Brick, McAfee Sidewinder, Forcepoint Stonesoft, and Trend Micro
TippingPoint.
FortiGate to FortiGate migration is based on REST APIs. With the newly designed import feature, the
tool can directly import converted configurations to a target FortiGate device running
FortiOS v6.0.0 or later.
FortiGate bulk conversion is also supported, converting more than one source configuration of the
same model simultaneously to establish restorable configurations.

For all conversions, you can complete conversion and view the results on the tuning page. All other functionality
is disabled until you upload the full license. In most cases, this limited functionality is sufficient to allow you to
evaluate the product.
*Note that FortiGate-to-FortiGate migration no longer extends support for tuning or downloading the
converted configuration on the import page.

If your license expires and you do not renew the license, the functionality
reverts to the trial version.


FC-10-CON01-401-01-12: 1-year multi-vendor configuration migration tool for building FortiOS configurations. Windows OS is required.
FC-10-CON01-401-02-12: 1-year renewal multi-vendor configuration migration tool for building FortiOS configurations. Windows OS is required.

For additional documentation, please visit https://docs.fortinet.com/product/forticonverter/.

What's new

This release contains the following new features and enhancements:


• Cisco IOS XR and Nexus, Alcatel-Lucent Brick, McAfee Sidewinder and Trend Micro TippingPoint migrate
to the new application. The legacy tool is no longer supported in this version.
• Fortinet import can edit the configuration on the import page.
• Fortinet import upgrades to four more clearly defined status categories after running the import:
success, warning, error, and ignore.
• Juniper SRX adds an option to use the Zone name to distinguish duplicate address objects.
• Huawei now supports converting VRF as a VDOM.
• Supports Snort3 IPS rule conversions.
• Supports generating the difference (diff) between two similar conversions.
• Supports an optimization option to sort out the duplicate contents in address and service.

System requirements

FortiConverter is tested to run on the following Microsoft Windows 64-bit platforms:


• Microsoft Windows 10
• Microsoft Windows 8
• Microsoft Windows 7
• Microsoft Windows Server 2019
• Microsoft Windows Server 2016
• Microsoft Windows Server 2012
If your Windows OS or Windows Server version isn't listed above, contact FortiConverter support at fconvert_
[email protected].

Upgrading

The new application for FortiConverter has no special upgrade requirements. You may overwrite an existing
installation with a different version.
If you want to upgrade the SQL version, you may have to uninstall the tool and reinstall it; the conversion data
will not be lost.
For additional support, contact [email protected].

Supported vendors & configuration objects

FortiConverter can translate configurations from the following vendors and models.
• In some cases, FortiConverter can't translate some parts of the configuration because of dependencies or
unsupported syntax and you must manually convert them.
• If the number of objects exceeds the maximum valid length for FortiGate or FortiManager, FortiConverter
trims them.
Unless noted as an exception below, conversions only support IPv4 unicast policy.

Vendor Models Versions Convertible Objects

Alcatel-Lucent Brick ALSMS v9.x
• Interface (physical, logical, loopback, PPPoE)
• Addresses & Address Books
• Partitions
• Services & Service Books
• Static Routes
• Zone rule set

Bluecoat SGOS 6.5.10, 6.7.4
• Addresses & Address Groups
• Proxy Address (group)
• Service
• Proxy Policy

CheckPoint SmartCenter NGFP1 (4.0) to NGX R80
CheckPoint Provider-1 NGX R65 to R80
• Interface
• Addresses & Address Groups
• Local Users & Groups
• NAT
• Negate Cell
• Policies (rulebases.fws/*.csv)
• RADIUS, TACACS+, LDAP
• Rules (rulebases.fws/*.csv)
• Schedules
• Services & Service Groups
• Static Routes
• VPN communities (IPSec site-to-site)

Cisco ASA 7.x/8.x/9.x
Cisco FWSM 3.x/4.x
Cisco IOS 10.x to 12.x, 15.x
Cisco PIX 5.x/6.x/7.x/8.x
• Interface
• ACLs
• Addresses & Address Groups
• DHCP Servers
• DNS Servers
• DNS Servers Interfaces
• IPPools Local Users & Groups
• NAT
• RADIUS, TACACS+, LDAP
• Services & Service Groups
• Static Routes
• VPN
• SSLVPN (ASA only)

Cisco IOS XR 4.x/5.x/6.x
Cisco Nexus 5.2/6.x/7.x
• Addresses & Address Groups & FQDNs
• Interface
• IP Pools
• Policies
• Services & Service Groups
• Static Routes

FortiGate FortiOS FOS5.2 and above
FortiGate configuration can be converted based on the version of the target FortiGate
device (we suggest migrating to FortiOS 6.0 and above).
However, note that:
• Older features might be deprecated and may not be fully converted over.
• A review is necessary. After importing the converted configuration, any CLI commands
that have not successfully imported can be reviewed on the page.
• For more details, please see the "FortiGate configuration migration" and "Reviewing
errors after FortiGate import" sections in the admin guide.

Huawei USG Series
• Interface
• Zone
• Addresses & Address Groups
• Services & Service Groups
• Policy
• Route
• Zone
• IPSec Policy (VPN)
• Security Context
• Nat Policy (SNAT)
• Nat Server (VIP)

Juniper SSG/ISG ScreenOS 4.x, 5.x, 6.x
• Addresses & Address Groups & FQDNs
• DHCP Servers & Clients & Relays
• Interfaces
• Static Routes
• Services & Service Groups
• Policies
• VIPs/MIPs
• NAT
• IP Pools
• VPN
• Local Users & Groups
• RADIUS & LDAP
• Zones

Juniper SRX JunosOS 10.x to 18.x
• Addresses & Address Groups & FQDNs
• DHCP Servers & Client & Relay
• Interfaces
• IP Pools
• Local Users & Groups
• NAT
• Policies
• RADIUS & LDAP
• Services & Service Groups
• Static Routes
• VIPs/MIPs
• VPN (IPSec site-to-site)
• Zones
• Routing-instances (virtual-router)

Juniper MX Junos OS 10.x to 12.x
• Addresses & Address Groups & FQDNs
• Interfaces
• IP Pools
• Policies
• Services & Service Groups
• Static Routes

McAfee Sidewinder 7.x, 8.x
• Addresses & Address Groups & FQDNs
• Interfaces
• IP Pools
• Policies
• Services & Service Groups
• Static Routes

Forcepoint Stonesoft 5.7
• Addresses & Address Groups
• Interfaces
• Policies/ Sub-policy
• Alias
• Services & Service Groups
• Static Routes
• NAT

Palo Alto Networks PAN OS PAN-OS 1.x to 8.x
• Addresses & Address Groups & FQDNs
• Interfaces
• Local Users & Groups
• NAT
• Policies
• Schedules
• Static Routes
• Services & Service Groups
• Zones
• VPN
• Panorama

Snort
• IPS rules

SonicWall TZ Series, NSA Series SonicOS 4.x, 5.x, 6.x
• Addresses & Address Groups & FQDNs
• DHCP Servers & Clients & Relays
• Interfaces
• Local Users & Groups
• NAT
• Policies
• Schedules
• Services & Service Groups
• Static Routes
• Zones
• VPN (IPSEC site to site)
• SSLVPN

Sophos XG Series SFOS 17.0
Cyberoam Cyberoam OS 10.6
• Interface
• Zone
• Addresses & Address Groups
• Service & Service Groups
• Users & User Groups
• Policy

Tipping Point IPS 4.5
• Addresses & Address Groups
• Policies
• Services & Service Groups

Vyatta VyOS 5.2 to 6.7
• Interface
• Zone
• Addresses & Address Groups
• Services & Service Groups
• Policy
• Route

WatchGuard Firebox Series, XTM Series Fireware 11.3 to 12.1
• Interfaces
• Addresses & Address Groups
• Services & Service Groups
• Policies
• Static Routes
Exception

• Check Point to FGT conversion can support IPv4 multicast policy.
• Check Point, Cisco, and Juniper (Junos only) to FGT conversion can support IPv6 unicast policy.
• Juniper (Junos only) can support converting the consolidated policy to FortiOS v6.2 configuration.

Resolved issues

The resolved issues listed below don't list every bug that has been corrected with this release. For inquiries
about a particular bug, please email support at [email protected].

Bug ID Description

622043 Huawei - Policy names should be unique

621965 Huawei - Virtual IP to be used on FGT interface while converting whenever VRRP is used

621062 Cisco: VPN Phase 1 setting proposal fails

620276 Cisco: Unable to configure firewall VIP

620273 Cisco: Unable to set the dhgrp for IPSec VPN tunnels

618262 Huawei - VRF to be converted as a VDOM

616912 Juniper SRX conversion delete source VDOM does not delete

616910 NAT using "virtual zones" in Juniper SRX is not translated to FortiOS

616909 Central SNAT IP Pools are not created in this version of FCON

614359 FortiConverter "merge duplication objects" option

614358 Juniper SRX -Destination NAT src-filter does not have all the subnets

608492 Change IPSEC Phase1 names during policy conversions

Known issues

The issues listed below do not include every known bug. For questions about a particular bug, please email
FortiConverter support at [email protected].

Bug ID Description

622970 Sonicwall: "User device" command not supported in FW 6.2.2

622961 Sonicwall: Missing quotation for address referenced in Static route

620260 Trimming address groups and service groups does not update in the tuning page

619958 Migrate Alcatel-Lucent conversion to the new application tool

619290 having some problem to convert Tipping Point firewall configuration.

619246 Support for Snort3 on FortiConverter

616036 Cisco: Router static failed because IPSEC VPN renamed doesn't reflect in static routes

612161 Cisco IOS NAT format currently not supported from config file

611841 FortiConverter having problem to converting Checkpoint configuration 

608516 Support Cisco ASA user-group keyword in ACL

607885 Stonesoft: Incorrect vdom association

607869 Stonesoft: Undefined address referenced

607831 Stonesoft: Duplicate IP pools

607271 Cisco ASA Convert User VPN Configuration

607261 Converter prompted "Security Context Error" with Cisco ASA configuration file

607123 FGT-FGT conversion cannot parse out FOS version and build info

Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.
