/blog/f5-to-fortiweb-migration-plan-2026
Migrating from F5 Advanced WAF to FortiWeb — a realistic plan
F5 BIG-IP Advanced WAF has been the incumbent in Indian banking, brokerages, telcos for over a decade. It's a capable product. It's also expensive at renewal — many customers report 30-60% hikes on 2024-26 cycles — and operationally complex enough that the migration question keeps coming up. This is the migration playbook: 17-26 weeks, three phases, with the realistic handling of iRules, BIG-IP LTM coexistence, and contract-overlap economics.
17-26 wk
Total migration
For a typical 20-app Indian enterprise F5 estate. 3 phases.
3 phases
Plan structure
Phase 1 audit, Phase 2 parallel + cutover, Phase 3 decommission.
~50%
3-yr cost saving
FortiWeb 3-yr term vs F5 renewal trajectory (illustrative).
~70-80%
iRules → native
FortiWeb handles natively. Only ~5-10% needs custom reimplementation.
Phase 1 — Audit + planning (weeks 1-6)
Week 1 — F5 estate inventory
List all BIG-IP units (HW model, software version, modules: ASM/Advanced WAF, LTM, APM, Bot Defense). Catalogue all apps protected, all virtual servers, all iRules.
Week 2 — iRule + policy triage
Each iRule classified into: (a) FortiWeb-native pattern, (b) policy-translatable, (c) genuinely custom logic. Same for ASM / Advanced WAF policies — most translate directly; some need rewriting.
Week 3 — FortiWeb shape selection per app
For each app: HW or VM-S or FortiAppSec Cloud. Often hybrid — public-facing apps to FortiAppSec, internal cloud-native to VM-S BYOL, DC to HW.
Week 4 — Sizing + INR quote
FortiWeb sizing across the estate. INR + GST quote. Multi-year term modelled. Compared to F5 renewal trajectory (Year 1 baseline + renewal hike compounding).
Week 5 — Migration plan + timeline
Per-app migration order (low-risk first). Cutover windows mapped to business calendar. Rollback paths documented per app.
Week 6 — Stakeholder sign-off
Network architect, app team leads, security team, compliance, finance. Multi-year FortiWeb term locks the rate against future F5 renewal hikes.
Phase 2 — Parallel run + cutover (weeks 7-22)
Week 7-8 — FortiWeb deploy + integration
FortiWeb deployed in chosen shapes. Integration with FortiManager, FortiAnalyzer, SIEM. Both F5 + FortiWeb active; F5 enforcing, FortiWeb in monitor.
Week 9-10 — Policy translation
F5 policies exported. FortiWeb policies built — automated where possible (ASM rule conversion), manual for iRules. ML Continuous Learning starts building behavioural baseline.
Week 11 — First app cutover
Lowest-risk app picked. Traffic flips: F5 → FortiWeb. F5 stays in passive monitor mode. Watch 1 week. Rollback ready.
Week 12-18 — App-by-app cutover
2-3 apps per week. External non-card first; card-payment last. 7-day close watch per app. Rollback per app if false-positive rate exceeds tolerance.
Week 19-22 — Final cohort
Card-payment, login, high-risk endpoints. One per week. Client-Side Protection engaged for PCI 4.0 endpoints (FortiWeb Enterprise tier).
Phase 3 — F5 decommission (weeks 23-26)
Week 23 — F5 passive monitor (90-day safety)
All apps migrated. F5 kept in passive monitor for 90 days for rollback safety. No traffic flowing through F5 enforcement.
Week 24 — F5 contract decision
If contract renewal due: cancel (saves the renewal hike). If mid-contract: hold to end of term to recover prepaid value.
Week 25 — BIG-IP LTM disposition
If F5 was also LB, FortiADC takes over (separate engagement). Or LB stays with F5 in pure-LB mode (lower licence cost than Advanced WAF tier).
Week 26 — Final decommission
F5 hardware powered down. Configurations archived. Migration declared complete.
The iRule reality
| iRule category | Typical % of iRules | FortiWeb mapping |
|---|---|---|
| Header manipulation | 20-25% | FortiWeb policy (native) |
| URL rewrite / routing | 20-25% | FortiWeb policy (native) |
| Content routing by header / IP | 10-15% | FortiWeb content-routing policy (native) |
| Custom response generation | 10-15% | FortiWeb custom error page |
| Rate limiting / threshold | 5-10% | FortiWeb threshold policy + Bot Protection |
| Custom auth / token handling | 5-10% | FortiWeb policy + REST API integration |
| Genuinely custom logic | 5-10% | Manual reimplementation; possibly FortiADC for non-WAF logic |
Distribution varies by deployment age and team. Older / larger F5 estates often skew higher on custom logic. Phase 1 audit produces the actual count per customer.
3-year cost trajectory (illustrative)
| Year | F5 stay path | FortiWeb migrate path | Net difference |
|---|---|---|---|
| Year 1 (overlap) | ~₹X (baseline F5 renewal) | ~₹0.8X (F5 partial + FortiWeb) | ~₹0.2X saved |
| Year 2 | ~₹1.4X (F5 hike applied) | ~₹0.55X (FortiWeb 3-yr term) | ~₹0.85X saved |
| Year 3 | ~₹1.6X (compounding) | ~₹0.55X (term-locked) | ~₹1.05X saved |
| 3-year total | ~₹4X | ~₹1.9X | ~₹2.1X saved (~52%) |
Illustrative ratios reflecting Indian enterprise F5 renewal-hike trajectory in 2024-26. Specific numbers depend on F5 contract structure and FortiWeb shape selection. Ogma builds the actual numbers as part of Phase 1.
FAQ
What about iRules — can they be translated automatically?
Can F5 service contracts be cancelled early?
Will F5 support help during migration?
How do we handle apps with deep iRule dependencies?
Can we run both during migration without traffic doubling?
What's the typical TCO over migration period?
What about F5 BIG-IP LTM (load balancing) — does FortiWeb replace it too?
What's the post-migration handover look like?
Free F5 → FortiWeb migration assessment
Phase 1 audit + 3-year cost projection — your specific F5 estate
Ogma's Phase 1 engagement audits your F5 deployment (models, iRules, ASM policies, BIG-IP LTM scope) and returns a sized migration plan + 3-year FortiWeb-vs-F5-stay cost comparison. 7 working days.
Request the audit or read the FortiWeb vs F5 comparisonRelated: FortiWeb vs F5 comparison · 30-60-90 deployment playbook · FortiWeb Implementation
Stay ahead of cyber threats
One short email a week — curated Indian cybersecurity news, Fortinet releases, DPDPA updates. No fluff.