
Cisco ASA to Fortinet Migration Tool

Migrating from Cisco ASA to Fortinet? NetConverter's comprehensive multi-step pipeline automates the conversion of ACLs, NAT rules, and object groups to FortiOS policies and VIPs with 95%+ accuracy and confidence scoring.

Why Cisco ASA → FortiGate Migrations Need Central NAT Awareness

Moving from Cisco ASA 9.x to FortiOS 7.4 is increasingly common as enterprises consolidate on Fortinet's Security Fabric. The biggest semantic decision NetConverter makes upfront: which FortiGate NAT mode to target. ASA's NAT model (object NAT + twice NAT) maps to either FortiGate's per-policy NAT or central NAT — the choice affects every NAT translation downstream. NetConverter defaults to central NAT mode for production migrations because it preserves rule-table separation and matches how most FortiGate deployments operate; you can override per-config via YAML.

The other migration consideration: ASA's nameif/security-level model doesn't have a clean equivalent in FortiGate's interface-zone model. ASA nameif outside security-level 0 maps to a FortiGate interface in role wan with zone wan; inside security-level 100 becomes role lan zone lan. Custom nameifs trigger a zone-inference flag for review. NetConverter's zone-inference KB has 200+ patterns covering common ASA naming conventions (DC-INSIDE, EXT-OUT, MGMT, etc.).

The Challenge of ASA to FortiGate Migration

ACL to Policy Translation

Cisco ASA extended ACLs must be converted to FortiGate's firewall policies with interface-pair based matching.

NAT to VIP Conversion

ASA object NAT and twice NAT rules need to be converted to FortiGate VIP objects and IP pools.

Object-Group Migration

Network objects, service objects, and object-groups must be converted to FortiGate address and service objects.

Security Level Mapping

ASA's interface security levels don't exist in FortiGate; policies must explicitly define srcintf/dstintf.

How NetConverter Solves It

Vendor-Neutral Translation

Our comprehensive multi-step pipeline normalizes configurations to a unified format, enabling accurate translation between any vendor pair.

Intelligent Policy Generation

ACLs are converted to FortiGate policies with proper interface assignments based on security analysis.

Automated VIP Creation

NAT rules are converted to VIP objects with correct external/mapped IP and port configurations.

Complete Object Migration

All network objects, service objects, and groups are converted with naming preserved.

Interface Mapping

Security level based rules are translated to explicit interface-pair policies.

4-Tier Validation System

Every translation undergoes comprehensive validation: syntax correctness, semantic accuracy, vendor best practices compliance, and AI-assisted review.

Confidence Scoring

Each conversion includes a confidence score indicating translation quality, helping you prioritize review efforts and ensuring production readiness.

See Quick Convert Output in Action

Representative Quick Convert run for this migration path, showing the live NetConverter interface and the converted output preview engineers review before deployment.

NetConverter Quick Convert interface with source and converted output panels
Cisco ASA (Source)

! Address Objects
object network APP_SERVER
 host 10.20.1.100
 description Application Server
object network APP_SERVER_PUB
 host 198.51.100.100
! Custom Service with Port Range
object service APP_PORTS
 service tcp destination range 8080 8089
! Access Control List
access-list DMZ_IN extended permit tcp any object APP_SERVER eq 443 log
access-list DMZ_IN extended permit tcp 10.0.0.0 255.0.0.0 object APP_SERVER object APP_PORTS
access-list DMZ_IN extended deny ip any any log
! NAT Configuration
nat (dmz,outside) source static APP_SERVER APP_SERVER_PUB

Fortinet FortiGate (Target)

config firewall address
    edit "APP_SERVER"
        set subnet 10.20.1.100 255.255.255.255
        set comment "Application Server"
    next
end
config firewall service custom
    edit "APP_PORTS"
        set tcp-portrange 8080-8089
    next
end
config firewall vip
    edit "APP_SERVER_VIP"
        set extip 198.51.100.100
        set mappedip "10.20.1.100"
        set extintf "wan1"
    next
end
config firewall policy
    edit 1
        set name "Allow-HTTPS-to-App"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "APP_SERVER_VIP"
        set action accept
        set service "HTTPS"
        set logtraffic all
    next
end

Migration Results

95%+ Accuracy
40x Faster
<2min Per Config
$0 For Most

Why Teams Choose This Over FortiConverter-Only Flows

Broader conversion program support

FortiConverter is aligned to Fortinet destination workflows, while NetConverter supports broader migration initiatives and multi-vendor planning.

Validation-first output review

Converted objects and policies are validated before downstream execution so teams can identify risky gaps early.

Reusable process for repeat migrations

Standardize ASA to FortiGate translation runs across many configs without rebuilding the workflow for each project.

Need Custom Development or Complex Migration Support?

For large-scale enterprise migrations, custom protocol requirements, or dedicated engineering support, our team is here to help.

Ready to Migrate?

Convert your Cisco ASA configuration to Fortinet FortiGate in minutes. No credit card required.


Frequently Asked Questions

Should I use FortiGate central NAT or per-policy NAT for an ASA migration?
NetConverter defaults to central NAT because it (1) preserves the ASA-style separation between policy and translation, (2) makes audit easier, and (3) is what most production FortiGate deployments use. Per-policy NAT is appropriate for small deployments where every policy has unique NAT requirements. The choice is set via YAML preset and can be flipped without re-running the full pipeline.
How does ASA's interface-based security-level translate to FortiGate?
ASA security-level numbers (0–100) inform the FortiGate interface role and zone assignment via NetConverter's zone-inference patterns. security-level 0 typically maps to role wan, zone wan; security-level 100 maps to role lan, zone lan; intermediate levels (DMZ at 50) map to custom zones. The mapping is reviewable in Conversion Studio before final output.
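
The security-level mapping described in this answer and in the opening section, as an added Python example (not NetConverter's code; the function names, the sample interfaces and the choice to name a custom zone after the nameif are assumptions). It parses ASA interface stanzas, applies ASA's default security level when the line is absent, and flags everything other than outside/0 and inside/100 for review.

```python
import re

# Constructed ASA interface stanzas (sample input, not taken from the page).
SAMPLE_ASA = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
interface GigabitEthernet0/3
 nameif DC-INSIDE
 security-level 100
interface Management0/0
 no nameif
"""

def parse_interfaces(config):
    """Return [(port, nameif, level)] for every interface that has a nameif."""
    found = []
    for stanza in re.split(r"^(?=interface )", config, flags=re.M):
        port = re.match(r"interface (\S+)", stanza)
        name = re.search(r"^ nameif (\S+)", stanza, flags=re.M)
        if not (port and name):
            continue  # an interface without a nameif passes no traffic on ASA
        level = re.search(r"^ security-level (\d+)", stanza, flags=re.M)
        # ASA default when the line is absent: 100 for "inside", otherwise 0.
        default = 100 if name.group(1) == "inside" else 0
        value = int(level.group(1)) if level else default
        found.append((port.group(1), name.group(1), value))
    return found

def infer_zone(nameif, level):
    """Map one interface to (role, zone, needs_review) using the page's rules."""
    if level == 0:
        role, zone = "wan", "wan"
    elif level == 100:
        role, zone = "lan", "lan"
    else:
        # Intermediate level: custom zone named after the nameif (assumption);
        # the role is left unset for the reviewer to choose.
        role, zone = None, nameif.lower()
    # Custom nameifs and name/level mismatches (e.g. "outside" at 100) get flagged.
    known = (nameif, level) in (("outside", 0), ("inside", 100))
    return role, zone, not known

def plan(config):
    return {n: infer_zone(n, lvl) for _, n, lvl in parse_interfaces(config)}
```
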
Can NetConverter handle ASA failover/HA configurations during migration?
ASA failover (active/standby or active/active) doesn't translate to FortiGate HA cluster configuration directly — they're different products with different HA mechanisms. NetConverter migrates the policy/object/NAT/routing layer; FortiGate HA cluster setup (FGCP) is configured separately on the target devices. ASA failover-specific commands are flagged in Manual Steps.
How does ASA NAT exemption (identity NAT) translate to FortiGate?
ASA identity NAT (no-NAT for traffic between specific zones, often used for VPN traffic) becomes either a FortiGate central SNAT entry with NAT set to disable, or a per-policy entry with NAT explicitly disabled. NetConverter chooses based on the central-vs-per-policy mode setting. The Evidence Report shows every NAT exemption with the resulting FortiGate construct.
Does NetConverter handle ASA AnyConnect VPN migration to FortiGate SSL VPN?
VPN configuration is flagged for separate handling because AnyConnect (Cisco) and FortiClient (Fortinet) use different protocols (DTLS vs SSL) and have different authentication infrastructure. NetConverter migrates the policy/object/NAT/routing layer; SSL VPN portal + tunnel + authentication setup is documented in Manual Steps with KB references for the recommended FortiGate SSL VPN configuration patterns.