📝 PREVIEW This post is not yet public. It will go live on Wed 22 Jul 2026, 09:00 IST. Public URL: /blog/f5-to-fortiweb-migration-plan-2026

Migrating from F5 Advanced WAF to FortiWeb — a realistic plan

Pawan Sharma Published 22 Jul 2026  ·  By Pawan Sharma  ·  Network Security  ·  13 min read

F5 BIG-IP Advanced WAF has been the incumbent in Indian banking, brokerages, telcos for over a decade. It's a capable product. It's also expensive at renewal — many customers report 30-60% hikes on 2024-26 cycles — and operationally complex enough that the migration question keeps coming up. This is the migration playbook: 17-26 weeks, three phases, with the realistic handling of iRules, BIG-IP LTM coexistence, and contract-overlap economics.

17-26 wk

Total migration

For a typical 20-app Indian enterprise F5 estate. 3 phases.

3 phases

Plan structure

Phase 1 audit, Phase 2 parallel + cutover, Phase 3 decommission.

~50%

3-yr cost saving

FortiWeb 3-yr term vs F5 renewal trajectory (illustrative).

~70-80%

iRules → native

FortiWeb handles natively. Only ~5-10% needs custom reimplementation.

Phase 1 — Audit + planning (weeks 1-6)

1

Week 1 — F5 estate inventory

List all BIG-IP units (HW model, software version, modules: ASM/Advanced WAF, LTM, APM, Bot Defense). Catalogue all apps protected, all virtual servers, all iRules.

2

Week 2 — iRule + policy triage

Each iRule classified into: (a) FortiWeb-native pattern, (b) policy-translatable, (c) genuinely custom logic. Same for ASM / Advanced WAF policies — most translate directly; some need rewriting.

3

Week 3 — FortiWeb shape selection per app

For each app: HW or VM-S or FortiAppSec Cloud. Often hybrid — public-facing apps to FortiAppSec, internal cloud-native to VM-S BYOL, DC to HW.

4

Week 4 — Sizing + INR quote

FortiWeb sizing across the estate. INR + GST quote. Multi-year term modelled. Compared to F5 renewal trajectory (Year 1 baseline + renewal hike compounding).

5

Week 5 — Migration plan + timeline

Per-app migration order (low-risk first). Cutover windows mapped to business calendar. Rollback paths documented per app.

6

Week 6 — Stakeholder sign-off

Network architect, app team leads, security team, compliance, finance. Multi-year FortiWeb term locks the rate against future F5 renewal hikes.

Phase 2 — Parallel run + cutover (weeks 7-22)

1

Week 7-8 — FortiWeb deploy + integration

FortiWeb deployed in chosen shapes. Integration with FortiManager, FortiAnalyzer, SIEM. Both F5 + FortiWeb active; F5 enforcing, FortiWeb in monitor.

2

Week 9-10 — Policy translation

F5 policies exported. FortiWeb policies built — automated where possible (ASM rule conversion), manual for iRules. ML Continuous Learning starts building behavioural baseline.

3

Week 11 — First app cutover

Lowest-risk app picked. Traffic flips: F5 → FortiWeb. F5 stays in passive monitor mode. Watch 1 week. Rollback ready.

4

Week 12-18 — App-by-app cutover

2-3 apps per week. External non-card first; card-payment last. 7-day close watch per app. Rollback per app if false-positive rate exceeds tolerance.

5

Week 19-22 — Final cohort

Card-payment, login, high-risk endpoints. One per week. Client-Side Protection engaged for PCI 4.0 endpoints (FortiWeb Enterprise tier).

Phase 3 — F5 decommission (weeks 23-26)

1

Week 23 — F5 passive monitor (90-day safety)

All apps migrated. F5 kept in passive monitor for 90 days for rollback safety. No traffic flowing through F5 enforcement.

2

Week 24 — F5 contract decision

If contract renewal due: cancel (saves the renewal hike). If mid-contract: hold to end of term to recover prepaid value.

3

Week 25 — BIG-IP LTM disposition

If F5 was also LB, FortiADC takes over (separate engagement). Or LB stays with F5 in pure-LB mode (lower licence cost than Advanced WAF tier).

4

Week 26 — Final decommission

F5 hardware powered down. Configurations archived. Migration declared complete.

The iRule reality

iRule categoryTypical % of iRulesFortiWeb mapping
Header manipulation20-25%FortiWeb policy (native)
URL rewrite / routing20-25%FortiWeb policy (native)
Content routing by header / IP10-15%FortiWeb content-routing policy (native)
Custom response generation10-15%FortiWeb custom error page
Rate limiting / threshold5-10%FortiWeb threshold policy + Bot Protection
Custom auth / token handling5-10%FortiWeb policy + REST API integration
Genuinely custom logic5-10%Manual reimplementation; possibly FortiADC for non-WAF logic

Distribution varies by deployment age and team. Older / larger F5 estates often skew higher on custom logic. Phase 1 audit produces the actual count per customer.

3-year cost trajectory (illustrative)

YearF5 stay pathFortiWeb migrate pathNet difference
Year 1 (overlap)~₹X (baseline F5 renewal)~₹0.8X (F5 partial + FortiWeb)~₹0.2X saved
Year 2~₹1.4X (F5 hike applied)~₹0.55X (FortiWeb 3-yr term)~₹0.85X saved
Year 3~₹1.6X (compounding)~₹0.55X (term-locked)~₹1.05X saved
3-year total~₹4X~₹1.9X~₹2.1X saved (~52%)

Illustrative ratios reflecting Indian enterprise F5 renewal-hike trajectory in 2024-26. Specific numbers depend on F5 contract structure and FortiWeb shape selection. Ogma builds the actual numbers as part of Phase 1.

FAQ

What about iRules — can they be translated automatically?
Not automatically. iRule TCL scripting doesn't have a direct FortiWeb equivalent. Manual translation is the work — but most production iRules cover patterns FortiWeb handles natively (header rewrite, URL rewrite, content routing). Only complex custom logic needs reimagination.
Can F5 service contracts be cancelled early?
Mid-contract cancellation typically forfeits prepaid term. Standard practice: schedule migration to complete just before contract renewal, then cancel renewal (avoids the renewal hike + recovers nothing prepaid).
Will F5 support help during migration?
Yes — your existing F5 service contract continues until expiry regardless of migration plans. F5 isn't going to terminate support because you're considering replacement; it's a normal customer cycle.
How do we handle apps with deep iRule dependencies?
Triage iRules at Phase 1 audit. Three categories: (1) patterns FortiWeb handles natively (~70-80% typically), (2) policy-translatable with effort (~15-25%), (3) genuinely custom logic that needs reimplementation (~5-10%). Phase 1 estimates effort; multi-quarter migration if category 3 is large.
Can we run both during migration without traffic doubling?
Yes — F5 as primary inspecting + enforcing, FortiWeb in passive monitor mode behind. Single inspection path; FortiWeb sees the traffic that F5 forwards. No double-billing.
What's the typical TCO over migration period?
Year 1 (overlap): F5 prepaid + FortiWeb new licence. Year 2: F5 winddown + full FortiWeb. Year 3: full FortiWeb at typically 50-70% of Year-1 F5 baseline. Most customers break even on the overlap by month 18-24.
What about F5 BIG-IP LTM (load balancing) — does FortiWeb replace it too?
FortiWeb has built-in load balancing for the WAF use case. For sophisticated L4-7 LB across non-WAF workloads, FortiADC is Fortinet's BIG-IP LTM equivalent — separate product, paired in many F5 migrations.
What's the post-migration handover look like?
FortiManager / FortiAnalyzer integration completed in Phase 2. Operations team trained in Phase 3. Quarterly review cadence established. F5 hardware decommissioned 90 days post-cutover to retain rollback safety net.

Free F5 → FortiWeb migration assessment

Phase 1 audit + 3-year cost projection — your specific F5 estate

Ogma's Phase 1 engagement audits your F5 deployment (models, iRules, ASM policies, BIG-IP LTM scope) and returns a sized migration plan + 3-year FortiWeb-vs-F5-stay cost comparison. 7 working days.

Request the audit or read the FortiWeb vs F5 comparison

Related: FortiWeb vs F5 comparison · 30-60-90 deployment playbook · FortiWeb Implementation

Stay ahead of cyber threats

One short email a week — curated Indian cybersecurity news, Fortinet releases, DPDPA updates. No fluff.


Cato Firewall as a Service
Cato ZTNA — Zero Trust Network Access
Cato SASE Solution