Fortinet TSA separation is the work of standing up Newco's own FortiGate estate, rebuilding policy in a dedicated FortiManager, repointing logging to a Newco FortiAnalyzer, and provisioning Newco FortiGuard subscriptions before the seller's fabric still inspects or controls Newco traffic. The work sits inside the broader carve-out advisory program and behaves as a Day One control, because the firewall fabric is the boundary every site and application depends on.
Fortinet separation starts with an inventory of the seller fabric. The buyer needs the FortiGate footprint across physical and virtual firewalls, the FortiManager hierarchy with its administrative domains and policy packages, the FortiAnalyzer logging and reporting estate, the FortiGuard subscription scope across IPS, antivirus, web filtering, and application control, and the Security Fabric connections to FortiSwitch, FortiAP, and any FortiClient EMS for endpoints.
The clean end state is a dedicated Newco estate with its own FortiManager, its own FortiAnalyzer, and its own FortiGuard subscriptions. A shared seller fabric keeps Newco traffic and logs under seller management and seller visibility, which is unacceptable beyond a short bridge. The firewall is not a tool Newco can quietly leave on the seller's network, because the seller controls the boundary and sees the traffic.
Target strategy treats the fabric as a Day One readiness item. Newco FortiGates and a baseline policy package stand up before close so that on Day One, Newco sites transit Newco's fabric rather than the seller's. The hardware lead time for physical appliances is the long pole, so the appliance decision is settled early, in step with the network and identity separation.
A clean inventory and a settled estate decision drive the downstream sequence: the FortiManager policy rebuild, the FortiAnalyzer logging cutover, the FortiGuard provisioning, and identity integration. The pattern aligns with the broader carve-out network plan and the Day One security control set.
Fortinet is sold as appliance or VM capacity plus FortiGuard and FortiCare subscriptions tied to each device serial number. The seller agreement does not transfer in a carve-out, and the subscriptions are bound to serials the seller registered. Newco arranges its own FortiCare and FortiGuard entitlements for the devices it retains, sized to its real footprint rather than the seller's combined estate.
A carve-out reads to the vendor as a buyer with a Day One deadline, which is real leverage on the sell side. The buyer offsets that by opening the commercial conversation early, before the deadline removes optionality, and by confirming which devices and subscriptions Newco needs rather than accepting the seller's full scope. Where devices are aging or out of support, the separation is the moment to decide refresh.
Where the seller provides perimeter security through a TSA window, the pricing is cost-plus or fixed-fee with a defined exit ramp, and the TSA states how Newco usage is metered. The seller cannot mark up subscription costs it does not separately incur. Because the fabric is a Day One control, the TSA tail here is usually short and is sequenced ahead of softer services.
Where a partner is engaged for the rebuild, the contract is fixed fee for defined deliverables with disciplined change control. The subscription audit runs through the broader TSA license consolidation work so Newco aligns FortiGuard and FortiCare to its real estate at exit.
The policy is rebuilt rather than copied wholesale. Firewall policy packages, address and service objects, NAT rules, security profiles for IPS, antivirus, web filtering, and application control, and the SSL inspection policy are reconstructed in the Newco FortiManager to match Newco's footprint. The seller policy is a useful reference, but it carries seller specific objects and exceptions that Newco reviews rather than inherits blindly.
SSL inspection deserves dedicated attention because deep inspection depends on the FortiGate certificate being trusted on every endpoint. The Newco certificate is deployed through endpoint management so that inspection works without breaking applications on Day One. The buyer coordinates this with the endpoint separation so the certificate lands before the perimeter cutover.
The FortiManager administrative domains and policy packages are redesigned for Newco. Structures that mirrored the seller's regions are rebuilt around Newco's sites, and the device groups are reconstructed so each FortiGate receives the right package. Where the seller used a single shared domain, Newco's devices are separated into their own management plane.
Allowlists and application overrides are validated against Newco's real application estate so that legitimate traffic is not blocked when sites move behind the Newco fabric. The discipline mirrors the endpoint and identity separation sequence so the controls land together.
Logging and reporting move to a Newco FortiAnalyzer. The FortiGate log forwarding is repointed so Newco's security operations see the traffic, the events, and the reports rather than the seller's. This closes a visibility gap that otherwise persists after cutover, and it gives Newco the audit trail it needs for its own compliance rather than depending on extracts from the seller.
FortiGuard subscriptions are provisioned for Newco's devices so that signature, web filtering, and application control updates flow to the Newco estate. Without Newco's own entitlements the protection lapses, so the subscription provisioning is sequenced to be live before the devices carry production traffic on Day One.
Identity integration binds the policy to Newco's directory. The FortiGates authenticate administrators and map user based policy through the identity provider, and where FortiClient EMS manages endpoints, it is pointed at Newco identity. Administrator access and any user based firewall policy resolve against Newco identity, and the cutover is gated on the identity boundary being live.
Where the seller's fabric integrated with a shared FortiAuthenticator or RADIUS, those dependencies are rebuilt in Newco so that authentication does not reach back across the boundary. The buyer validates that no Newco device still queries a seller authentication service after cutover.
Cutover moves traffic from the seller fabric to the Newco fabric. At Newco sites, the default route and internet breakout are repointed to Newco FortiGates, the log forwarding points at the Newco FortiAnalyzer, and the FortiGuard updates flow from Newco entitlements. The runbook covers the certificate deployment, the policy push, the route change, and the validation gate, staged by site where the network allows it.
Validation confirms continuity. Internet access is tested against business applications, inbound services behind NAT are tested against each published application, SSL inspection is confirmed not to break critical sites, and logging is confirmed to land in the Newco FortiAnalyzer. Because this is a Day One control, the validation is rehearsed on a pilot site before the broad cutover so the first day of standalone operation is not the first test.
Stabilization runs thirty to sixty days. Blocked applications, certificate issues, and routing problems are triaged within agreed service-level commitments. Security profiles are tuned as real Newco traffic patterns emerge, and false positives in IPS and web filtering are resolved against Newco's actual usage.
Decommissioning is explicit. Once Newco operates on its own fabric, the seller removes Newco devices, objects, and policy from its FortiManager, stops receiving Newco logs in its FortiAnalyzer, and confirms that Newco traffic no longer traverses the seller's firewalls or appears in the seller's reporting.
Fortinet separation cost is driven by appliance and VM capacity, the FortiGuard and FortiCare subscriptions Newco buys, the FortiAnalyzer sizing, and the rebuild effort across policy and logging. The discipline is to right size the estate to Newco's real footprint and to subscribe to the protection Newco needs rather than copying the seller's full scope. A fabric sized for the combined organization is a recurring cost the separation should correct.
The common failure mode is treating the firewall as a later exit rather than a Day One control. If Newco sites still transit the seller fabric after close, the seller has visibility into Newco traffic and the ability to cut access. Buyers that stand up the Newco estate and baseline policy before Day One avoid both the exposure and the operational risk of a sudden access loss.
The second failure mode is the SSL inspection certificate and the FortiGuard provisioning. A cutover without the Newco certificate deployed breaks inspected applications, and devices brought live without Newco FortiGuard entitlements run with stale protection. The fix is to sequence the certificate and the subscriptions ahead of cutover. A PMO maintains the dependency map across the fabric, the network, endpoint, and identity, escalating blocks inside forty eight hours.
A clean Fortinet separation produces a Newco that owns its own fabric, its own policy and logging, and its own protection subscriptions, with the optionality to evolve its security architecture on its own timeline. The discipline runs through the TSA exit acceleration program under a Fixed Fee plus Portfolio Retainer engagement model.
Yes. The clean end state is a dedicated Newco estate with its own FortiManager for policy and its own FortiAnalyzer for logging and reporting. A shared seller fabric keeps Newco traffic and logs under seller management and seller visibility, which is unacceptable beyond a short bridge.
The FortiGate fabric controls internet access, inbound services, and inspection for every site. If Newco still transits the seller fabric on Day One, the seller sees Newco traffic and can cut it. The fabric and baseline policy must be on Newco infrastructure by Day One even if tuning continues afterward.
FortiGuard and FortiCare entitlements are tied to device serial numbers the seller registered and do not transfer automatically. Newco arranges its own subscriptions for the devices it retains, sized to its real footprint, and provisions them to be live before the devices carry production traffic.
A baseline fabric and policy can stand up in weeks for Day One, gated by appliance lead time, but full policy tuning, the FortiAnalyzer logging cutover, and decommissioning usually run two to four months as sites and applications are validated and migrated.
NGFW and Panorama split, Prisma Access tenant, and the GlobalProtect cutover.
Read the article →Dashboard organization split, device moves, and the Auto VPN rebuild.
Read the article →The network workstream and how the perimeter fits the Day One plan.
Read the article →The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.
No spam. Unsubscribe in one click. · Read the overview first →

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.
Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.
Exit the seller's security stack first. Every week of shared security is a week of shared blast radius on a business they no longer own.
One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.
Subscribe to The Day One Letter →