Transports Publics Fribourgeois - TPF


Secure firewall migration
CIS Standardisation and BI/AI-Assisted Preparation for a Public Transport Operator

 


About Transports Publics Fribourgeois (TPF): 

TPF is a major public transport operator in Switzerland, managing rail and bus networks in the canton of Fribourg and surrounding areas. The company transports millions of passengers each year and plays a key role in regional mobility. Its operations rely on IT systems that support operational activities, traffic management, and passenger services. These environments require high availability, constant reliability, and strict change control, as any disruption can have a direct impact on operations and users.

 

« The migration went as planned, with no surprises. The result: a real gain in visibility over our network perimeter and deadlines met. »

Lambert Vincent
IT Security Manager at TPF

 

The challenge


The project involved migrating an existing firewall environment to a Fortinet-based infrastructure, with the goal of standardising the security level while ensuring service continuity.

Firewall migrations are often carried out manually, sometimes with the help of conversion tools that reproduce the configuration as-is. In practice, this means manually recreating or adjusting rules, which can lead to object mapping errors, inconsistencies in rule ordering, missing dependencies, or overly permissive rules.

The environment also imposed significant operational constraints. The migration had to be completed within limited maintenance windows, with strict rollback conditions, requiring high reliability of the target configuration before deployment.
 

The solution


keyIT supported the migration to a Fortinet infrastructure using a structured approach based on preparation and control, rather than simply reproducing existing rules.

The goal was to establish a standardised environment aligned with CIS Level 1 and Level 2 recommendations, while reducing manual interventions and migration-related risks.

In this project, keyIT relied on an analysis of the existing configuration, enhanced by targeted use of Business Intelligence and AI tools, to secure the migration preparation.
 

The results


The migration was completed in three days, compared to the usual five to seven days. No rollback was required, and no critical service was impacted during the transition.

The approach reduced manual interventions and avoided the risks associated with VLAN-by-VLAN migrations, including configuration errors, service interruptions, and extended overnight interventions.

The resulting environment features clearer segmentation, a more consistent rule structure, and a reduced risk of misconfiguration.
 

Key implementations


- Security Configuration Baseline and Alignment: The Fortinet environment was deployed from a standardised configuration aligned with CIS Level 1 and Level 2 recommendations, establishing a consistent security baseline.

- Controlled Migration and Validation: The migration was carried out in phases, VLAN by VLAN, following a controlled deployment approach within planned maintenance windows.

- Rule Analysis and Migration Preparation: The existing ruleset was extracted and structured into usable data. Power BI was used to analyse this data, identify duplicates, inconsistencies, and dependencies, and prepare the migration more efficiently. Copilot was used to support rule normalisation and consistency, helping reduce human errors, streamline transformation operations, and shorten migration timelines.