
Migrating from Check Point to FortiGate: Step-by-Step Guide

  • Mar 20
  • 3 min read




Migrating from Check Point to FortiGate requires careful planning due to differences in architecture, policies, and configuration styles. Below is a structured approach to ensure a smooth transition.



Step 1: Pre-Migration Planning

Assess the Current Check Point Configuration

  1. Collect existing configurations:

    • Run the following command:

    • Export firewall policies, NAT rules, VPN settings, objects, and routes.

    • Use WinSCP to log in to Check Point and copy configuration files to the local PC.

  2. Extract key configurations:

    • Object groups: Copy the required object groups.

    • Policies: Copy all user and identity policies.

    • Routes and interfaces:

      • Extract routing information:

      • Extract interface configuration:

  3. Identify unused rules and objects to clean up before migration.




Determine FortiGate Requirements

  • Check hardware/software compatibility.

  • Decide on a GUI-based migration tool or a manual approach.

  • Verify license and subscription requirements (IPS, AV, Web Filtering, etc.).

Backup Check Point Configuration

  • Use Check Point CLI to save configurations:

    clish -c "show configuration" > config.txt



  • Export full configuration and policy using Check Point SmartDashboard.









Step 2: Convert Check Point Configuration to FortiGate

Option 1: Using FortiConverter Tool (Recommended)

  1. Download and install FortiConverter from Fortinet’s support site.

  2. Select Check Point as the source firewall.

  3. Upload configuration files extracted via WinSCP.

  4. Import the Check Point configuration files into FortiConverter, then click Next.

  5. Review and validate the converted rules and objects, including:

    • Interfaces

    • NAT rules

    • Gateways

    • Cluster members

    • Objects

    • Policies

  6. Map interfaces and verify policies, correcting any interface mapping that is incorrect.

  7. Export the FortiGate configuration.

  8. Log into FortiGate and import the converted configuration.

  9. Verify the applied configuration before deployment.



Option 2: Manual Migration (If FortiConverter is Not Available)

Objects and Address Groups

  • Convert host, network, and group objects into FortiGate format:

    config firewall address
        edit "Web_Server"
            set subnet 192.168.1.10 255.255.255.255
        next
    end

  • Add address groups. Every member must already exist as an address object:

    config firewall addrgrp
        edit "Web_Servers"
            set member "Web_Server1" "Web_Server2"
        next
    end






Firewall Policies

  • Translate Check Point access control rules into FortiGate policies. FortiGate's built-in any-address object is named "all":

    config firewall policy
        edit 1
            set srcintf "port1"
            set dstintf "port2"
            set srcaddr "LAN_Network"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end


NAT Configuration

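  • Convert Check Point NAT rules:

    config firewall ippool
        edit "Web_Server_NAT"
            set startip 203.0.113.10
            set endip 203.0.113.10
        next
    end

  • Apply the NAT policy. A FortiGate policy also needs a schedule and a service; the service is limited to web ports here as an assumption, so carry over the services of the original Check Point rule. Note that an IP pool translates the source address; publishing an internal server to inbound traffic (destination NAT) is done with a virtual IP (config firewall vip) referenced as the policy's dstaddr.

    config firewall policy
        edit 2
            set srcintf "wan1"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Web_Server"
            set action accept
            set schedule "always"
            set service "HTTP" "HTTPS"
            set nat enable
            set ippool enable
            set poolname "Web_Server_NAT"
        next
    end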


VPN Migration

  • Extract VPN configurations from Check Point.

  • Configure IPSec VPN on FortiGate (mysecretkey is a placeholder for the real pre-shared key):

    config vpn ipsec phase1-interface
        edit "Site-to-Site-VPN"
            set interface "wan1"
            set peertype any
            set remote-gw 198.51.100.2
            set psksecret mysecretkey
        next
    end

  • Configure phase 2 settings.

Route Migration

  • Export static routes from Check Point:

    netstat -rn

  • Configure static routes on FortiGate (the egress interface port1 is assumed here, matching the earlier policy examples):

    config router static
        edit 1
            set dst 10.10.10.0/24
            set gateway 192.168.1.1
            set device "port1"
        next
    end
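The route migration above can be scripted. This is an added example, not part of the original post: it reads Linux-style `netstat -rn` output, keeps only gateway routes (directly connected networks come from the interface configuration instead), and renders a `config router static` block. The sample output, the interface mapping, and the function names are assumptions.

```python
import ipaddress

# Constructed sample of `netstat -rn` output (not taken from a real device).
NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 eth0
10.10.10.0      192.168.1.1     255.255.255.0   UG        0 0          0 eth1
10.20.30.40     192.168.1.1     255.255.255.255 UGH       0 0          0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
"""

# Assumed mapping from Check Point interface names to FortiGate ports.
IFACE_MAP = {"eth0": "wan1", "eth1": "port1"}

def static_routes(netstat_text, iface_map):
    """Return (dst, netmask, gateway, device) for gateway routes; skip connected routes."""
    routes = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 8 or "G" not in f[3]:
            continue  # banner, header, or directly connected route
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[2]}")  # rejects a destination with host bits set
            gw = ipaddress.ip_address(f[1])
        except ValueError:
            continue  # not a route line
        if f[7] not in iface_map:
            raise KeyError(f"no FortiGate port mapped for {f[7]}")
        routes.append((str(net.network_address), str(net.netmask), str(gw), iface_map[f[7]]))
    return routes

def to_fortigate(routes):
    """Render the routes as a `config router static` block."""
    out = ["config router static"]
    for seq, (dst, mask, gw, dev) in enumerate(routes, start=1):
        out += [f"    edit {seq}", f"        set dst {dst} {mask}",
                f"        set gateway {gw}", f'        set device "{dev}"', "    next"]
    out.append("end")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_fortigate(static_routes(NETSTAT, IFACE_MAP)))
```

An unmapped interface raises an error rather than producing a route without a device, so a missing mapping is caught before the configuration is imported.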



Step 3: Testing and Validation

  1. Deploy the configuration in a test environment.

  2. Validate firewall rules by simulating real-world traffic.

  3. Check logs and debugging to confirm functionality:

  4. Compare old and new behavior to ensure smooth traffic flow.
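Part of this validation can be done offline before any traffic is switched. The following is an added example, not part of the original post or of FortiConverter: it parses a converted FortiGate configuration and reports address objects no policy or group uses (the cleanup from Step 1), references to objects that were never defined, and accept policies open to any source on all services. The sample configuration is constructed, and `parse` and `audit` are hypothetical names.

```python
import re

# Constructed sample of a converted configuration (not real FortiConverter output).
SAMPLE = '''
config firewall address
    edit "Web_Server"
        set subnet 192.168.1.10 255.255.255.255
    next
    edit "Old_Printer"
        set subnet 192.168.1.50 255.255.255.255
    next
end
config firewall policy
    edit 1
        set srcaddr "all"
        set dstaddr "Web_Server" "Mail_Server"
        set action accept
        set service "ALL"
    next
end
'''

def parse(text):
    """Parse flat config/edit/set blocks into {section: {entry: {key: [values]}}}."""
    tree, section, entry = {}, None, None
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if tok[:1] == ["config"]:
            section, entry = tree.setdefault(" ".join(tok[1:]), {}), None
        elif tok[:1] == ["edit"]:
            entry = section.setdefault(tok[1], {})
        elif tok[:1] == ["set"] and entry is not None:
            entry[tok[1]] = tok[2:]
    return tree

def audit(text):
    """Return (unused objects, undefined references, accept policies open to all/ALL)."""
    tree = parse(text)
    groups, policies = tree.get("firewall addrgrp", {}), tree.get("firewall policy", {})
    defined = set(tree.get("firewall address", {})) | set(groups)
    used = {m for g in groups.values() for m in g.get("member", [])}
    broad = []
    for pid, p in policies.items():
        used.update(p.get("srcaddr", []) + p.get("dstaddr", []))
        if (p.get("action"), p.get("srcaddr"), p.get("service")) == (["accept"], ["all"], ["ALL"]):
            broad.append(pid)
    used.discard("all")  # built-in address object, never listed in the address table
    return sorted(defined - used), sorted(used - defined), broad

if __name__ == "__main__": print(audit(SAMPLE))
```

The parser handles only flat sections; a `config` block nested inside an `edit` entry is outside what this example covers.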



Step 4: Cutover and Go-Live

  1. Schedule migration during maintenance hours.

  2. Switch traffic to FortiGate and monitor for anomalies.

  3. Ensure logging and monitoring tools are properly configured.

  4. Optimize performance by enabling security features (IPS, Web Filtering, etc.).



Step 5: Post-Migration Activities

  1. Monitor traffic logs for anomalies.

  2. Fine-tune policies based on post-migration insights.

  3. Conduct a security audit to ensure compliance.



Conclusion

Migrating from Check Point to FortiGate involves careful planning, configuration conversion, and validation. Using FortiConverter simplifies the process, but a manual approach is also feasible with attention to detail. Always test before going live to prevent disruptions.

Finally, after reading the complete post, take a quiz to check your knowledge.


Which tool is recommended for automating the migration process from Check Point to FortiGate?

  • SmartDashboard

  • FortiAnalyzer

  • FortiConverter

  • WinSCP

