More and more organizations are considering whether to replace their Fortinet FortiGate firewall with an open-source alternative. Rising licensing costs, limited flexibility, and vendor lock-in are common reasons for making the switch. OPNsense offers a powerful, transparent, and cost-effective alternative.
Why Switch from Fortinet FortiGate?
Rising License and Maintenance Costs
- FortiGuard licenses for IPS, antivirus, web filtering, and application control are paid features
- Annual renewal costs increase with each renewal cycle
- Hardware-bound licenses make it difficult to switch to new devices
- FortiCare support is only available with an active contract
Vendor Lock-In
- Proprietary FortiOS with no access to the source code
- Configuration export only in Fortinet’s proprietary format
- Hardware lock-in through ASIC-based architecture (FortiASIC)
- Limited interoperability with third-party solutions
Complex Licensing Models
- Different bundles (ATP, UTP, Enterprise) make it hard to maintain an overview
- Feature activation only through additional licenses
- VDOM licenses for virtual firewall instances cost extra
Why OPNsense as an Alternative?
No Licensing Costs
- Completely free — no annual fees
- All features available from the start
- No artificial limitations based on model
- Commercial support options through Deciso or partners like DATAZONE
Comparable Feature Set
OPNsense covers the key FortiGate functions:
- Stateful Firewall with a flexible rule set
- VPN — WireGuard, OpenVPN, IPsec (IKEv1/v2)
- IDS/IPS with Suricata (comparable to FortiGuard IPS)
- Web Proxy with URL filtering
- DNS Security with Unbound (DNS-over-TLS/HTTPS)
- Traffic Shaping and QoS
- High Availability with CARP (comparable to FortiGate HA)
- Multi-WAN and policy-based routing
- VLAN Segmentation and network zones
Open Source Code
- Transparency in security updates and bugfixes
- No hidden backdoors or telemetry
- Community-reviewed code
Migration Planning
Step 1: Inventory of the FortiGate Configuration
-
Firewall policies — export and document
- FortiGate uses top-down rule processing (same as OPNsense: first match)
- Record address objects and groups
- Document service objects
-
VPN configuration — back up
- Note IPsec Phase 1/Phase 2 parameters
- Export pre-shared keys and certificates
- Record FortiClient SSL VPN configurations
- Document dial-up and site-to-site tunnels
-
Routing and network
- Document static routes and policy routes
- Record VLAN configuration and zone assignments
- Back up DHCP server settings and reservations
Step 2: Hardware Sizing
- OPNsense runs on standard x86 hardware
- No FortiASIC required — modern CPUs with AES-NI provide sufficient performance
- Sizing depends on throughput, VPN tunnels, and IDS/IPS requirements
- Recommendation: Intel-based systems with at least 4 network interfaces
Step 3: Transfer the Configuration
FortiGate Address Objects → OPNsense Aliases:
- Create individual hosts, subnets, and IP ranges as aliases
- Map address groups as nested aliases
FortiGate Policies → OPNsense Firewall Rules:
- Recreate rules per interface/zone
- Note: OPNsense blocks all traffic by default
- FortiGate “implicit deny” matches the OPNsense default
FortiGate VPN → OPNsense VPN:
- Set up IPsec tunnels with the same Phase 1/2 parameters
- Replace FortiClient SSL VPN with OpenVPN or WireGuard
- Evaluate WireGuard as a high-performance alternative
Step 4: Test Operation and Cutover
- Build OPNsense in parallel with FortiGate
- Validate VPN tunnels in test operation
- Schedule a maintenance window for the switchover
- Keep FortiGate available as a fallback
Comparison: FortiGate vs. OPNsense
| Feature | FortiGate | OPNsense |
|---|---|---|
| Licensing Costs | Yes (annual) | None |
| Firewall | Yes | Yes |
| IDS/IPS | Yes (FortiGuard) | Yes (Suricata) |
| VPN (IPsec) | Yes | Yes |
| VPN (WireGuard) | No | Yes |
| VPN (SSL/OpenVPN) | FortiClient SSL | OpenVPN |
| SD-WAN | Yes (licensed) | Multi-WAN + Policy Routing |
| Web Filter | Yes (licensed) | Yes (Proxy + Blocklists) |
| Antivirus Gateway | Yes (licensed) | ClamAV Plugin |
| High Availability | Yes (Active-Passive/Active) | Yes (CARP) |
| Hardware Requirement | Proprietary (FortiASIC) | Standard x86 |
| API | Yes (REST) | Yes (REST) |
| Open Source | No | Yes |
Tips for a Successful Migration
- Do not migrate everything at once — start with internal segments, then WAN
- Inform VPN partners early — coordinate new IPsec parameters
- Back up FortiAnalyzer logs — for later reference
- Set up OPNsense backups — back up the configuration regularly
- Enable monitoring — monitor firewall logs intensively after the migration
- Keep a rollback plan ready — do not decommission FortiGate until after a successful test phase
Conclusion
Migrating from Fortinet FortiGate to OPNsense is technically well-feasible and economically sound. OPNsense offers a comparable feature set without ongoing licensing costs and benefits from an active community as well as regular updates. As an experienced OPNsense integrator, we support you with the planning and execution of the migration — from inventory assessment to production operation.
More on these topics:
More articles
Backup Strategy for SMBs: Proxmox PBS + TrueNAS as a Reliable Backup Solution
Backup strategy for SMBs with Proxmox PBS and TrueNAS: implement the 3-2-1 rule, PBS as primary backup target, TrueNAS replication as offsite copy, retention policies, and automated restore tests.
OPNsense Suricata Custom Rules: Write and Optimize Your Own IDS/IPS Signatures
Suricata custom rules on OPNsense: rule syntax, custom signatures for internal services, performance tuning, suppress lists, and EVE JSON logging.
Systemd Security: Hardening and Securing Linux Services
Systemd security hardening: unit hardening with ProtectSystem, PrivateTmp, NoNewPrivileges, CapabilityBoundingSet, systemd-analyze security, sandboxing, resource limits, and creating custom timers.