Cisco ASA is end-of-engineering for new features — the product line continues to receive security patches but Cisco directs all new investment to Firepower (Secure Firewall) and Catalyst SD-WAN. UK customers refreshing ASA typically face a fork: stay Cisco (Firepower), or move to Fortinet FortiGate. This is the honest playbook for both paths.
Why migrate now
Cisco ASA hardware EOSL — ASA 5500-X series models are increasingly past Cisco end-of-support-life. Servnet TPM can extend support, but the strategic direction is clear.
Feature parity — ASA doesn't support modern features (URL category, application visibility, SSL inspection at scale) that Firepower and FortiGate have as standard.
Modernisation — ZTNA and SD-WAN integration, which ASA can't deliver, are now standard expectations.
Path 1 — ASA to Firepower (same vendor)
Hardware: Firepower 1010 (branch), Firepower 1140 (mid), Firepower 2130 (campus), Firepower 4110 (DC).
Tools: Cisco Secure Firewall Migration Tool (free) translates ASA config to Firepower Threat Defense (FTD) config. It works automatically for ~80% of ASA features; the other 20% needs manual review.
Operational continuity: same Cisco TAC, same enterprise agreement, same Cisco DNA Center integration.
Timeline: 6-12 weeks for typical campus environment.
Path 2 — ASA to FortiGate (cross-vendor)
Hardware: FortiGate 60F, 100F, 400F, 1000F, 1800F.
Tools: Fortinet Migration Service (FortiConverter) translates ASA config to FortiGate. Cleaner translation than ASA → Firepower for some constructs.
Commercial: typically 30-50% lower TCO over 5 years vs Firepower equivalent. SD-WAN included in FortiOS (no separate licence).
Timeline: 8-14 weeks because of vendor change (training + management plane).
When to pick which
Existing Cisco-deep estate (Catalyst, ISE, DNA Center, Smart Net everywhere): Firepower. Single-vendor relationship value.
Cost-sensitive + open to vendor change + want SD-WAN convergence: FortiGate. Lower TCO + better SD-WAN.
Mixed estates already running both vendors: pick on lifecycle (refresh whichever is end-of-support first).
Common gotchas
NAT rules — ASA NAT syntax differs significantly from that of both Firepower and FortiGate. Manual review is essential.
VPN — IPsec site-to-site and SSL VPN migrate cleanly. AnyConnect → AnyConnect Secure Mobility Client (Firepower) or FortiClient (FortiGate) requires a user-side change.
High-availability — ASA failover groups translate but the syntax differs. Test thoroughly.
Logging + monitoring — SIEM rules built on ASA syslog need updating for Firepower / FortiGate event formats.
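A pre-migration inventory for the gotchas above, as an added example (not Servnet's or either vendor's tooling): it scans an ASA running-config and lists the NAT, VPN, failover and logging lines to review by hand after a converter has run. The sample config, object names and addresses are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in ASA running-config style (not from a real device).
SAMPLE_CONFIG = """\
object network WEB-SRV
 host 10.1.1.10
 nat (dmz,outside) static 203.0.113.10
object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static BRANCH BRANCH
failover
logging host inside 10.1.5.20
crypto map OUTSIDE-MAP 10 set peer 198.51.100.7
webvpn
 anyconnect enable
"""

NAT_RE = re.compile(r"^nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s+(?P<rest>.*)$")
# (category, command prefix) for the non-NAT gotchas: HA, logging, VPN.
TOP_LEVEL = [("ha", "failover"), ("logging", "logging host"),
             ("vpn", "crypto map"), ("vpn", "tunnel-group"), ("vpn", "webvpn")]

def is_identity(rest: str) -> bool:
    """True for 'source static X X', i.e. an identity (NAT-exempt) rule."""
    t = rest.split()
    i = t.index("source") if "source" in t else len(t)
    return len(t) > i + 3 and t[i + 1] == "static" and t[i + 2] == t[i + 3]

def inventory(config: str) -> dict:
    """Return {category: [(line_no, detail), ...]} for lines needing manual review."""
    found, current_object = defaultdict(list), None
    for no, raw in enumerate(config.splitlines(), 1):
        line, top = raw.strip(), not raw.startswith(" ")
        if top:  # any top-level line closes the previous 'object network' block
            m = re.match(r"object network (\S+)", line)
            current_object = m.group(1) if m else None
        nat = NAT_RE.match(line)
        if nat and not top and current_object:  # object (auto) NAT
            found["object_nat"].append((no, f"{current_object}: {nat['rest']}"))
        elif nat:  # manual (twice) NAT, order-dependent on the ASA
            kind = "identity" if is_identity(nat["rest"]) else "twice"
            found["manual_nat"].append((no, f"{kind}: {nat['real']}->{nat['mapped']}"))
        elif top:
            cat = next((c for c, p in TOP_LEVEL if line.startswith(p)), None)
            if cat:
                found[cat].append((no, line))
    return dict(found)
```

Comparing this inventory against the converted policy shows which rules the converter dropped or rewrote.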
What Servnet does
Servnet runs both ASA → Firepower and ASA → FortiGate migrations: a vendor-neutral commercial bid first, then the customer picks a platform, then a phased migration with parallel-run.