UK’s trusted IT infrastructure partner since 2003
sales@servnetuk.com
0800 987 4111
Servnet
ConfiguratorGet in Touch
Network migration
From
Cisco ASA
To
Fortinet FortiGate

Cisco ASA to FortiGate migration — UK enterprise programme

Cisco ASA reaches end-of-sale and most UK enterprises now treat the refresh as a forcing function to evaluate alternatives. FortiGate is the most-shortlisted destination — best throughput per pound, native SD-WAN + ZTNA + SASE included, single-pane management via FortiManager. Servnet runs end-to-end ASA → FortiGate migrations including rule conversion, parallel running and per-site cutover.

Vendor migration programme — Cisco ASA source on the left, Fortinet FortiGate target on the right, with parallel-running data streams converging through a central Servnet cutover hub.
From → To: Cisco ASA vs Fortinet FortiGate
CURRENTCisco ASAProduction workloadsLegacy management planeRenewal due / EoSServnetparallel-running migrationTARGETFortinet FortiGateProduction workloadsModern management planeStrategic 5-yr position
Typical outcomes

What good looks like after a Cisco ASAFortinet FortiGate migration

Throughput uplift
×3-5

Typical FortiGate replacing an ASA at similar £-band — sized for current + future load.

Per-site cutover
30-60 min

Single firewall site cutover with rule conversion + validation.

5-yr TCO vs Firepower
−35%

Typical TCO advantage for FortiGate vs equivalent Cisco Firepower throughput class.

Migration window
8-14 wk

End-to-end for a 10-30 site estate.

The why

Why UK organisations migrate from Cisco ASA to Fortinet FortiGate

  • ASA reached EoS — Firepower or alternative refresh required
  • FortiGate ships SD-WAN + ZTNA + SSL inspection native — no add-on licences
  • Best throughput per £ in UK NGFW market (typically 30-40% lower TCO vs Firepower at equivalent throughput)
  • Single-pane FortiManager across firewalls + switches + Wi-Fi + SD-WAN
  • Modern OS (FortiOS) with regular feature releases — vs ASA's feature-frozen final code
  • UK engineer pool is the largest of any vendor — easier to hire + contract
How we run it

Migration phasing — typical Cisco ASAFortinet FortiGate programme

Cisco ASA → Fortinet FortiGate — programme timeline
W0W2W4W6W8W10W12W14Discovery + rule extraction3wFortiGate platform build3wPilot site cutover (1-3 sites)2wPhased site cutover5wASA decommission1wTotal programme: 14 weeks · parallel running throughout
  1. 1

    Discovery + rule extraction

    Weeks 1-3

    ASA config extraction; FortiConverter or manual rule analysis; FortiGate sizing per site; FortiManager + FortiAnalyzer architecture; SD-WAN overlay design (if applicable).

  2. 2

    FortiGate platform build

    Weeks 4-6

    Hardware delivery; FortiManager + FortiAnalyzer deployment; central policy templates; SD-WAN overlay; certificate + identity integration.

  3. 3

    Pilot site cutover (1-3 sites)

    Weeks 7-8

    Non-critical sites cutover first with on-site engineer; rollback rehearsal; performance + functional validation; user acceptance.

  4. 4

    Phased site cutover

    Weeks 9-13

    Remaining sites cutover in waves (typical 3-5 sites per weekend); rollback option preserved for 24h post-cutover; ITSM tracked.

  5. 5

    ASA decommission

    Week 14

    Final sites cutover; ASA hardware decommissioned via WEEE-compliant routes; FortiManager + FortiAnalyzer operational handover.

Included in scope

What Servnet delivers in a Cisco ASAFortinet FortiGate migration

FortiConverter rule conversion

Free Fortinet tooling — we run + validate + remediate the converted ruleset before any cutover.

Hardware procurement

<a href="/fortinet/products">FortiGate models</a> sized per site — quoted at vendor-direct pricing.

Central FortiManager + FortiAnalyzer

Single-pane management + logging + reporting across the entire fleet.

SD-WAN overlay (optional)

Native FortiGate SD-WAN at no licence uplift — included if you're consolidating MPLS + broadband + LTE at branch.

Per-site cutover runbook

Each site gets a runbook with cutover steps, rollback triggers, validation tests, comms script.

Post-migration support

90-day hypercare; optional ongoing managed FortiGate service.

De-risking the cutover

Top risks + how we mitigate them

⚠️ ASA rules accumulated complexity over 10+ years
Rule analysis phase catalogues every rule + hit-count; unused / redundant / shadowed rules removed before conversion. Typical result: 30-50% rule-set reduction with no functional impact.
⚠️ Tooling integrations to ASA syslog / SNMP
FortiAnalyzer covers most SIEM use cases natively; for specific integrations (e.g. legacy SIEM that only knows ASA syslog format), we maintain a syslog forwarder during transition + replace the integration on the new platform.
⚠️ Internal team trained only on ASA / IOS CLI
FortiGate training included; FortiOS GUI + CLI are well-documented; 90-day hypercare. Most ASA admins are productive on FortiGate within 2-3 weeks.
⚠️ Cutover impacts production during weekday hours
Cutovers scheduled for change windows (weekend / overnight); pre-cutover dry-runs in staging; rollback option preserved for 24h post-cutover.
Pricing guide rail

Indicative: ASA → FortiGate migrations for a 10-30 site estate typically run £25k-£65k professional services (excluding FortiGate hardware + licences). Total programme cost (hardware + licences + services) typically 30-45% below equivalent Firepower refresh at year-3 break-even — and capability is meaningfully wider (SD-WAN, ZTNA, SASE native). Talk to us for a sized commercial proposal.

Frequently asked

FAQs — Cisco ASAFortinet FortiGate

Should we go to FortiGate or Cisco Firepower?

Honest answer: it depends on your existing stack. If the rest of your network + management estate is Cisco-led, Firepower keeps the single-pane discipline. If you're cost-sensitive or want the SD-WAN + ZTNA bundling, FortiGate is the typical winner. Our full migration playbook covers the decision framework.

What about our existing AnyConnect / VPN clients?

FortiGate ships FortiClient for SSL VPN + ZTNA. Most enterprises take the ASA migration as the opportunity to also migrate from flat VPN to ZTNA.

Can we do this without weekend outages?

Single-firewall sites need a brief change window (30-60 min typical). For HA pairs with seamless failover, we cutover one chassis at a time with no production impact. Multi-site estates run cutover waves over consecutive weekends.

How does this compare to Palo Alto?

Palo Alto is a premium tier — best for security-first, regulated environments where price is secondary to security depth. FortiGate is the cost-effective default for UK mid-market. Our 2026 firewall buyer's guide covers the full compare.

Go deeper

Ready to scope your Cisco ASAFortinet FortiGate migration?

30-minute discovery call with an engineer who's run this migration before. Honest scoping, no sales script.

Book a scoping call →