HA Cluster Specialists Cisco ASA · Palo Alto · Check Point Migration

FortiGate HA Deployment & Firewall Migration Services

Complex FortiGate projects need specialist expertise. Ogma deploys high-availability clusters, multi-site FortiManager environments, and migrates rule bases from legacy firewalls — with zero data loss and tested failover before cutover.

  • 50+ HA cluster deployments completed
  • 2–3 weeks: typical complex multi-site timeline
  • 3 vendors migrated: Cisco, Palo Alto, Check Point
  • 0 missed SLAs on every HA failover test delivered

Deployment Services

Specialist FortiGate projects handled end-to-end.

Active-Passive HA Cluster

Two FortiGate units in FGCP HA active-passive mode — stateful failover in under 1 second. Includes heartbeat link configuration, session sync, management IP reservation, and documented failover testing.

Competitive · fixed-scope project pricing

Active-Active HA Cluster

Load-balanced HA for high-throughput environments. FGCP active-active with session pickup, asymmetric routing mitigation, virtual cluster configuration, and load-balancing algorithm tuning.

Competitive · fixed-scope project pricing

Multi-Site FortiManager Deployment

FortiManager setup for centralised management of 5–500+ FortiGates. ADOM configuration, policy packages, device groups, firmware upgrade scheduling, and admin role RBAC. FortiAnalyzer log integration included.

Competitive · fixed-scope project pricing

Firewall Migration (Cisco / Palo Alto / Check Point)

Full rule-base migration using FortiConverter. Legacy rules are analysed, duplicate and shadowed rules removed, objects renamed to Fortinet convention, and policies restructured to follow the best-practice FortiOS model. Cutover in a single maintenance window.

Competitive · fixed-scope project pricing

SD-WAN Multi-Site Deployment

Hub-and-spoke or full-mesh SD-WAN fabric across HQ and branches. Overlay tunnels, application-based routing, SLA probes for Microsoft 365/SAP/Zoom, and bandwidth reporting via FortiAnalyzer or FortiManager.

Competitive · fixed-scope project pricing

FortiGate-VM Cloud Deployment

FortiGate-VM on AWS, Azure, or GCP — single instance or GWLB (Gateway Load Balancer) architecture. Transit VPC/VNet design, IPsec to on-premises, and autoscaling policy group setup.

Competitive · fixed-scope project pricing

Migrating From a Legacy Firewall?

Ogma uses Fortinet's FortiConverter tool to automate rule-base translation, then manually validates every migrated rule before cutover. We don't just convert — we clean.

  • Cisco ASA (8.x, 9.x) — access-lists, NAT, VPN converted
  • Palo Alto PAN-OS — security policies, zones, objects mapped
  • Check Point R77/R80/R81 — rulebase, NAT, groups imported
  • Sophos XG/XGS — firewall rules and VPN exported
  • Legacy FortiGate (5.x/6.x) — upgrade path via staged migration

Average rule reduction after migration clean-up: 30–50% fewer rules, with no loss in security posture.

Migration Project Timeline
  • Week 1: Rule-base export, FortiConverter analysis, shadow/unused rule identification
  • Week 2: FortiGate parallel run — traffic mirroring, policy validation in monitor mode
  • Week 3: Staged cutover — non-critical segments first, then core, then internet edge
  • Week 4: Decommission old firewall, final hardening, as-built documentation delivered

Frequently Asked Questions

Yes. We test HA failover by gracefully shutting down the primary unit — all sessions are picked up by the secondary within 1 second (for FGCP with session sync enabled). Tests are performed during a short maintenance window, typically 11 PM–1 AM, with rollback capability at every step.

For an HA replacement of a single existing firewall (same site), 1 maintenance window (4–6 hours) is usually sufficient — assuming cabling is pre-staged and configuration is pre-built. Multi-site HA with FortiManager typically runs over 2–3 weeks.

FortiConverter is Fortinet's official migration tool. It converts rule objects (addresses, services, schedules) and policies from source firewall format to FortiOS syntax. Migration accuracy is typically 80–90% automated. The remaining 10–20% (complex NAT rules, policy-based VPNs, custom objects) are handled manually by Ogma engineers during validation.

SSL inspection configuration is FortiGate-specific and cannot be directly migrated from other vendors. Ogma designs SSL inspection policy from scratch based on your requirements — deep inspection for outbound corporate traffic, certificate inspection for trust zones, and bypass lists for banking/healthcare sites.

Yes. For every migration, we maintain a warm standby of the original firewall for a minimum of 48 hours post-cutover. Rollback can be completed in under 15 minutes. We have never needed a full rollback in our last 50+ migration projects.

Yes — Ogma's Managed Firewall Service covers FortiGate rule management, firmware updates, and 24/7 monitoring post-deployment. Many of our installation customers transition to the managed service. See our Managed Firewall page for pricing.

Every complex deployment includes: network topology diagram (Visio/draw.io), interface assignment table, route table summary, policy matrix (all rules with description), VPN tunnel inventory, HA configuration record, FortiGuard subscription status report, and a runbook for common operational tasks.

Planning a Complex FortiGate Project?

Tell us your current firewall vendor, number of sites, and target go-live date. We'll provide a detailed scope and fixed-price proposal within 48 hours.