WHITE PAPER
Migrating to a FortiGate Firewall
FORTINET – MIGRATING TO A FORTIGATE FIREWALL
PAGE 2
Introduction

There is often a reluctance to change firewall vendors due to the perception that the migration process is difficult. Indeed, there is no point hiding the fact that moving to a new vendor requires careful consideration. But concern over the potential pain of migration should not stand in the way of adopting new security technologies. The purpose of this document is to describe the best practices for performing such migrations, the benefits a migration process can achieve, and ultimately to ease the migration process itself.

When faced with migrating to a new firewall vendor, the person who signs off the security budget may consider simply renewing the existing solution the safer route (from a career perspective). The drawback of such a decision is being stuck with a vendor who lacks vision and has failed to innovate to stay abreast of changes to the networking environment and threat landscape. Whether it is a lack of new features in the hardware (such as line-rate firewall throughput or very low latency) or software (such as application control, data loss prevention and WAN optimization), staying with a legacy firewall has its costs. These costs include increased deployment and configuration challenges, management difficulties, and the need to complement the solution with additional point products.

The additional functionality and performance a FortiGate solution provides is a strong driver to justify the migration effort. Its per-device pricing means that you will be able to add functionality such as antivirus/antispyware, application control, web filtering, intrusion prevention, antispam, WAN optimization, or IPSec and SSL VPN, at a similar or lower renewal cost to your existing firewall-only vendor.
Firewall Migration Drivers

Many organizations have found themselves with several costly and difficult-to-manage point security solutions due to an ongoing reactive response to security issues. The additional cost and management overhead of these solutions and a worldwide tightening of IT budgets has created an ideal opportunity for an end-to-end reconsideration of security architecture and spend. Many organizations are moving to Fortinet in order to:
• Consolidate multiple security functions without compromising functionality
• Reduce total cost of ownership (TCO)
• Achieve compliance with security standards (PCI, SOX, etc.)
• Improve performance
• Increase visibility of the network, users and applications

The task of changing your firewall to a Fortinet integrated, multi-threat security platform may initially seem a difficult one. However, the cost-reduction benefits alone achieved by the migration will quickly outweigh the effort needed.

Capital cost reduction

Deploying a defense-in-depth security strategy using stand-alone technologies requires you to invest in additional devices any time you wish to add a new layer of protection. Eliminating multiple security devices by adopting a consolidated approach to network and content security enables you to add functionality without adding capital expenses. However, consolidation of security functions onto a single appliance can be a risk unless the solution supports high availability and includes hardware acceleration. Only hardware acceleration delivers the necessary increase in performance to justify a significant reduction in hardware costs. Adding a single high availability unit increases resilience and availability during the consolidation process (as opposed to adding several redundant units with standalone security deployments).
Operating cost reduction

A consolidated architecture such as FortiGate allows the management of multiple security functions from a single management interface and centralizes logging and reporting. This reduces the number of products an administrator needs to learn and monitor. The benefits of consolidation and hardware acceleration for the data center are often overlooked when calculating the ROI for such a migration. Consolidating multiple security technologies onto a single appliance results in significant reductions in rack space, power, and cooling requirements. Reducing the amount of space and power consumed is of critical importance in any data center. Fortinet can take consolidation one step further by consolidating multiple devices into a single appliance via the use of Virtual Domains (VDOMs). FortiGate VDOM technology allows multiple logical firewalls to be run on a single physical device, reducing the firewall footprint even further.

Feature Rich Security

The features and benefits of a FortiGate solution are described in detail at www.fortinet.com, but Figure 1 below shows the wide range of security and networking technologies that are integrated into the FortiGate platform:
Figure 1: FortiGate Real-Time Protection
When considering a Fortinet solution, you may currently have requirements for only one or two of the features described above. However, there may be an opportunity at a later date to consolidate additional functionality (or add security services not currently provided with your existing infrastructure) in order to realize additional cost savings. The Fortinet solution is highly flexible; the remaining features are available at any time should you need to switch them on to help resolve an immediate need, increasing the future ROI significantly.

Threat evolution

Security is a dynamic industry and new threats are developing and evolving constantly. The best defense against such a dynamic threat is a dynamic threat prevention system. Consider the botnet, the scourge of the security industry and source of most spam and denial of service attacks. Fortinet protects against such activity via multiple layers of complementary security:
• Antivirus: Prevents infections that lead to the installation of the botnet software
• Antispam: Prevents the resulting spam from the botnets (primary source of spam)
• Application Control: Detects and blocks botnet activity on the network
• Intrusion Prevention: Prevents dial-home and propagation activity and known exploits
• Web Filtering: Blocks access to known malware and drive-by download sites

The FortiGate solution, together with the FortiAnalyzer logging and reporting system, provides deep visibility into the security and activity on the network. Together these facilities can be used to enable compliance with key standards such as PCI, SOX, and Data Protection. As the standards have evolved, so too have Fortinet solutions, to provide deeper visibility and greater reporting capabilities to help adhere to these standards.
FORTINET – MIGRATING TO A FORTIGATE FIREWALL
PAGE 4
Documentation and Training

One of the biggest hurdles faced in migrating from your existing firewall vendor will be the loss of knowledge built up over time with your current vendor. Unfortunately this will often be the wrong type of experience, gained by many hours of debugging issues and scouring the internet for help. Fortinet is different from most vendors, and rather than hide information away behind logins requiring support contracts, much of our information is freely available to help convince you that the migration task is not as daunting as it may have first appeared.

Product Documentation

Fortinet releases all product documentation via http://docs.fortinet.com/. This site includes the product manuals and release notes as well as other documents, including those listed below. These change with each release and are aimed at making configuration of the device and the individual features as simple as possible.
• What’s New Guide
• Quick Start Guide
• VPN (IPSec and SSL) Install Guides
• Authentication Guide
• WAN Optimization and Caching Guide
Knowledge Base

For the more technical questions and tips and tricks there is the Fortinet Knowledge Base at http://kb.fortinet.com/. This is a system maintained by the Fortinet Support TAC and contains details of the most common issues and how to resolve them, as well as information such as interoperability guides (for example, how to build a VPN to a Cisco PIX). There is also a link to the FortiTips site, containing short videos describing everything from how to cable the FortiGate, how to configure the external interface and how to back the system up, through to the more complicated configuration of the IPS and the use of Identity Based Policies.

Training

Fortinet offers many levels of product training for the varying levels of requirements. There are the simple FortiTips described above as well as a host of free self-paced training videos to be found on the Fortinet Campus (http://campus.training.fortinet.com/). These include more detailed courses such as FortiGate 101, Introduction to Cryptography and IPSec Debugging. They are free of charge and can be accessed at your leisure. Should you have a requirement for more formal, complete, classroom-style training, there are several courses and exams which can be sat to achieve your FCNSA and FCNSP qualifications. These courses are run both in house and via our Authorized Training Centers across the globe, details of which can be found via http://campus.training.fortinet.com/.
Planning for a Successful Firewall Migration
The key to success in any project, particularly a firewall migration, is planning. A common methodology used in such projects is the Plan Do Check Act cycle [1], illustrated by Figure 2. It is an iterative cycle, so multiple passes can be made. Figure 2 shows two passes:

First pass
• Plan: Audit network; Review the existing policy; Develop test plan
• Do: Migrate the policy to the new hardware
• Check: Validate the policy
• Act: Make necessary changes following validation

Second pass
• Plan: Schedule migration dates and test windows; Develop migration and test plan; Develop acceptance test
• Do: Go live
• Check: Test and validate; Perform acceptance testing
• Act: Make necessary changes following testing and validation

Figure 2 - Plan Do Check Act Cycle. Image Source Karn G. Bulsuk (http://karnbulsuk.blogspot.com)
Following such a structured methodology is useful to minimize disruption to the network users and reduce risk. Some of the common steps in this cycle are described in more detail below.

Information Gathering

It is always a good idea to perform a full network audit prior to any migration. This should include:
• Full backup of all security systems (including switches and routers) in case a back-out needs to be performed.
• Physical and logical network diagram with visual audit. Understanding exactly where cables run in the network and verifying they are all correctly labeled is essential to avoid mistakes and unnecessary downtime during the upgrade.

Don’t overlook simple things such as:
• Do I have enough spare interfaces on my switches?
• Do I have the right fiber (single/multi mode) and the right connectors (LC, FC, MTRJ, SC, ST)?
• Do I have spare cables? (In the heat of the moment, it is a simple mistake to break an RJ-45 connector or damage a fiber.)
• Do I have space in the rack for the new equipment?
• Do I have enough power sockets?
No matter how securely a FortiGate is configured in the network, it cannot help if it has been bypassed; visually checking where the device sits in the network in relation to other devices will ensure you are maintaining security and verify the network diagram is ‘as built’. Details of all networks including subnet masks should be documented at this point to ensure that the replacement device is configured with the correct information.
[1] http://en.wikipedia.org/wiki/PDCA
Configuration Analysis

Given that you are going to the effort of migrating the firewall policy, it would be pointless to migrate it verbatim. It is a perfect time to verify that the policy adheres to the corporate standard, that temporary rules have not been accidentally left in place, and that additional permissions given to users are not being misused. Over time, the live configuration tends to creep away from the security policy, so check the existing firewall rules and functions to see what is out of conformance and needs removing, what is superfluous, and what needs to be added. FortiGate firewalls support transparent user-based authentication with Active Directory, so you can remove all of those static IP addresses that have been created for individual users and move to a more dynamic, location-independent method of filtering to reduce the risk of incorrectly applied policy.

Object and Policy Migration

Whilst we have suggested that some level of manual review is included in the policy migration, it can be useful to be able to migrate automatically between another vendor’s format and the FortiGate format. The FortiGate policy format is text based, and policies can easily be cut and pasted into it from other vendor formats; however, responding to the high customer demand to migrate away from other vendors, Fortinet has released an automatic configuration migration tool at https://convert.fortinet.com/ to simplify this process. Supporting Cisco ACLs, PIX, ASA, Check Point and Juniper, the Converter can securely upload and convert the policy into the Fortinet format.
Figure 3: FortiConverter - Firewall policy migration tool
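As an added example (not code from this white paper, from Fortinet, or from FortiConverter), the following Python script performs the kind of pre-migration rule review the Configuration Analysis section describes: it flags rules marked temporary or past an expiry date written in their comment, any/any accept rules, per-user host rules that are candidates for identity-based policies, and rules shadowed by an earlier rule. The rule list is a constructed, vendor-neutral export, not a real FortiGate configuration, and the rule fields and comment conventions are assumptions for the example.

```python
# Pre-migration rule-set audit (added example; not Fortinet's or FortiConverter's code).
# Flags temporary/expired, any/any, per-user host and shadowed rules in a constructed export.
import ipaddress
import re
from datetime import date

# Constructed sample policy in evaluation order (first match wins); not a real FortiGate config.
RULES = [
    {"id": 1, "src": "10.1.0.0/16", "dst": "0.0.0.0/0", "svc": {"tcp/80", "tcp/443"},
     "action": "accept", "comment": "LAN web access"},
    {"id": 2, "src": "10.1.5.23/32", "dst": "192.168.10.5/32", "svc": {"tcp/3389"},
     "action": "accept", "comment": "jsmith RDP to file server"},
    {"id": 3, "src": "10.1.7.0/24", "dst": "0.0.0.0/0", "svc": {"tcp/80"},
     "action": "accept", "comment": "TEMP vendor demo, remove after 2010-06-30"},
    {"id": 4, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "svc": {"any"},
     "action": "accept", "comment": "troubleshooting"},
    {"id": 5, "src": "10.2.0.0/16", "dst": "0.0.0.0/0", "svc": {"tcp/22"},
     "action": "accept", "comment": "admin SSH"},
]

def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def covers(a, b):
    """True if rule a matches every packet that rule b would match (b is unreachable after a)."""
    return (net(b["src"]).subnet_of(net(a["src"]))
            and net(b["dst"]).subnet_of(net(a["dst"]))
            and ("any" in a["svc"] or b["svc"] <= a["svc"]))

def audit(rules, today):
    """Return (rule id, finding) pairs for rules that need review before conversion."""
    findings = []
    for i, r in enumerate(rules):
        if (r["action"] == "accept" and "any" in r["svc"]
                and net(r["src"]).prefixlen == 0 and net(r["dst"]).prefixlen == 0):
            findings.append((r["id"], "any/any/any accept: overly broad"))
        if "temp" in r["comment"].lower():
            findings.append((r["id"], "marked temporary: confirm still required"))
        m = re.search(r"\d{4}-\d{2}-\d{2}", r["comment"])  # assumed expiry-date convention
        if m and date.fromisoformat(m.group()) < today:
            findings.append((r["id"], f"expired on {m.group()}"))
        if net(r["src"]).prefixlen == 32:
            findings.append((r["id"], "per-user host rule: move to identity-based policy"))
        shadow = next((e["id"] for e in rules[:i] if covers(e, r)), None)
        if shadow is not None:
            findings.append((r["id"], f"shadowed by rule {shadow}: never matched"))
    return findings

if __name__ == "__main__":
    for rid, msg in audit(RULES, date(2010, 8, 1)):
        print(f"rule {rid}: {msg}")
```

Run against a real export, the shadowed and expired rules are the ones to drop before conversion, and the /32 host rules are the ones to rebuild as identity-based policies.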
Testing and Validation

This is an important process and should be tested offline first wherever possible, i.e. configure the policy in the lab or on a test network and verify that the required access permissions are being implemented. To really test the solution out, the FortiGate can be implemented on the live network with a different gateway IP and selected users pointed to the new gateway. This allows a staged approach to migrating the new platform into the network, ensuring that the process does not interrupt day-to-day operations.
Go live and feedback

If testing and validation is successful at this point, you can migrate to the new firewall either by switching IPs and removing the old devices or by changing the default gateway in DHCP. Once the firewall is in place, acceptance testing will of course need to be carried out and an iterative process of tuning undertaken to finalize the configuration.

Adding new services

The Fortinet solution will have a plethora of additional features compared to your previous vendor, and it is very tempting to start switching them on. It is a good idea, however, to wait and validate the new firewall as previously configured before adding new functions, as this simplifies testing and problem diagnosis. Finally, complete the migration (don’t forget about the Plan Do Check Act Cycle) by adding any new services that were requested, and learn about the multiple features you have available with the FortiGate appliance.
Conclusion
Migrating firewall vendors is a daunting task, and some vendors rely on that to maintain their customer base. Knowing this, Fortinet has provided a complete toolset to aid the migration to Fortinet, from free self-paced training to rule set conversion utilities. The Fortinet solution is so feature rich that migrating away from your existing vendor makes both technical and commercial sense, and with careful planning and help along the way from Fortinet, it needn’t prevent you from making the leap. Trade-in incentive programs are available from Fortinet to further help the process, so contact your Fortinet account manager today to see just how much you can benefit from a Fortinet solution.
WP-FW-UPGRADE-R1-201008