Migration from Checkpoint 3000 to Forti100E

Author
Arnold77
2019/11/30 05:31:10 (permalink)


Hello everybody,

 
In my environment I have two Checkpoint 3000 appliances in a cluster and a Management server as a VM, version R80.10.
I want to get rid of the Checkpoint firewalls and replace them with Forti100E.
Is it possible to migrate completely from Checkpoint to Forti100E with FortiConverter without issues?
What is the best way to make this migration successful?
Has anyone done this migration process?
 
Best Regards.
#1


    Heaven Knows
    Re: migration from Checkpoint 3000 to Forti100E 2019/12/01 20:27:54 (permalink)
    Arnold77

    Hello everybody,

     
    In my environment I have two Checkpoint 3000 appliances in a cluster and a Management server as a VM, version R80.10.
    I want to get rid of the Checkpoint firewalls and replace them with Forti100E.
    Is it possible to migrate completely from Checkpoint to Forti100E with FortiConverter without issues?
    What is the best way to make this migration successful?
    Has anyone done this migration process?

    Best Regards.


    Dear brother
    I think that there is no way to get help here for a very specific case.
    This is just converting network settings from one device to another with different types of hardware.
    You can compare the configuration structure of both config files and find a way to convert old settings to new; this can help you save time.
    #2
    emnoc
    Re: migration from Checkpoint 3000 to Forti100E 2019/12/02 03:21:00 (permalink)
    Yes, FConverter would help. You still need to review the policy and especially areas that cover NAT and logging.
     
    So yes, if you do not want to do it manually, use the migration tool and review the number of elements (groups, hosts|network, policy, etc.) and make adjustments as required.
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #3
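
A sketch of the post-conversion review suggested in the reply above (element counts, NAT, logging), as an added example that is not code from the thread or from Fortinet. It assumes the converted output is a standard FortiOS CLI configuration; the sample config and the `parse` and `review` names are constructed for illustration.

```python
# Constructed sample of a converted FortiOS config (not taken from the thread).
SAMPLE = """\
config firewall address
    edit "srv-web"
        set subnet 10.0.1.10 255.255.255.255
    next
end
config firewall policy
    edit 1
        set nat enable
        set logtraffic all
    next
    edit 2
        set logtraffic disable
    next
    edit 3
        set action accept
    next
end
"""

def parse(text):
    """Return {section: {entry: {key: value}}} for top-level config blocks."""
    cfg, section, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        tok = raw.split(None, 2) or [""]
        if tok[0] == "config":
            depth += 1
            if depth == 1:  # nested config blocks (depth > 1) are skipped
                section = raw.split(None, 1)[1].strip()
                cfg.setdefault(section, {})
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = raw.split(None, 1)[1].strip().strip('"')
            cfg[section][entry] = {}
        elif depth == 1 and tok[0] == "next":
            entry = None
        elif depth == 1 and entry is not None and tok[0] == "set" and len(tok) == 3:
            cfg[section][entry][tok[1]] = tok[2].strip()
    return cfg

def review(cfg):
    """Counts per section, NAT policies, and policies whose logtraffic is not
    'all' (an absent setting means the firmware default applies; flagged too)."""
    pol = cfg.get("firewall policy", {})
    return {"counts": {s: len(e) for s, e in cfg.items()},
            "nat": [p for p, kv in pol.items() if kv.get("nat") == "enable"],
            "log_not_all": [p for p, kv in pol.items() if kv.get("logtraffic") != "all"]}

print(review(parse(SAMPLE)))
```

The per-section counts are meant to be compared by hand against the object and rule counts in the Check Point source policy; the two lists are the policies to open and re-check.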
    aluby7
    Re: migration from Checkpoint 3000 to Forti100E 2020/02/13 08:57:45 (permalink)
    I'm about to do something similar. If you have completed this already, I'd love any information you have about pitfalls or lessons learned.
     
    My main thoughts currently are:
    • Convincing the CheckPoint Management Server to start managing remote CheckPoints through a Fortinet Gateway instead of a CheckPoint
    • Making new VPN Communities in the CheckPoint Management server that say to start using the Fortinet as the central gateway in a new PSK based VPN
    • Having both the current CheckPoints and the new Fortinets partially online at the same time so the CheckPoint management server can send requests through the CheckPoint gateway to remote gateways to change their configuration and point them to the Fortinet instead
    #4
    emnoc
    Re: migration from Checkpoint 3000 to Forti100E 2020/02/13 09:54:22 (permalink)
    That's all good and dandy. You do know this thread is lightyears old 
     
    So are you mainly concerned with cpsg gateways at the remote and vpns? If the end-devices are CPSG and you want to migrate off the central HQ 3000 to let's say a FGTXXXXX, you could build a new vpn-community, apply the gateway address of the FGT and then install that policy to redirect that "spoke" to the new HUB.
     
    And then disable the old policy at the CHKP 3000 and adjust for any routing thru the new fortigate. I worked a project that was just like the above with walking over vpn-spokes one at a time and it was doable. Afterward we monitored the rule and encryption/decryption details in the eventlogs to ensure that the new tunnel was up, or use vpn tunnelutility. After you figure out the plan and steps, you could easily migrate a few per night or during a maintenance window.
     
    Just my 2cts, and god I hate CHKP 
     
    Ken Felix
    #5