shlomim
New Member
April 7, 2025
Solved

Downgrading 40F - without losing configuration ?

  • April 7, 2025
  • 4 replies
  • 1833 views

I'm running 40F with the latest version, it has FortiSwitch connected to it and managed by the 40F running the latest firmware as well, and 831F access points connected to the FortiSwitch, using the latest firmware managed by the 40F.

I understand that the recommended version is 7.2 and we're running 7.6.

Looking at the downgrade guides, it says that the configuration would be saved.

Is there a way to downgrade remotely without losing configuration? Or is the only path to downgrade and re-configure everything manually again?

 

 

Best answer by atakannatak


4 replies

atakannatak
Explorer
April 7, 2025

Hi @shlomim ,

 

Fortinet recommends different versions depending on the hardware, based on the link below. Versions in the 7.6 series are also supported by Fortinet. Yes, it may be possible to downgrade a FortiGate without losing the configuration, if you follow the right process. However, there are risks and limitations, especially when moving from a higher major version (like 7.6) to a lower one (like 7.2), due to potential config syntax differences and features not supported in older versions. To retain configuration, you can manually edit the saved 7.6 config to fit 7.2 or use FortiConverter.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-Release-for-FortiOS/ta-p/227178

 

First, back up the entire configuration, including FortiSwitch and AP configs, to ensure you can recover if necessary. After that there are two key points you should keep in mind:

 

  1. During major version transitions (whether upgrading or downgrading), you may encounter issues such as configuration incompatibilities or syntax errors due to changes in the FortiOS architecture.
  2. It’s essential to check the version compatibility of FortiSwitch and FortiAP devices. After a downgrade, FortiGate may not be able to function properly as a controller if there are version mismatches.

However, remote downgrades always carry risk—if something goes wrong during reboot, you may lose access—so it’s recommended to do this during a maintenance window and, if possible, have out-of-band access.

 

BR.

 

If my answer provided a solution for you, please mark the reply as solved so that others can get it easily while searching for similar scenarios.

 

CCIE #68781

AEK
SuperUser
April 7, 2025

Currently the recommended FOS version for FG-40F is 7.4.7.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-Release-for-FortiOS/ta-p/227178

 

Regarding the downgrade, if you have a valid and up-to-date backup of your box when it was 7.4.x then just push the firmware and restore the config.

Otherwise know that a downgrade may lead to inconsistent configuration.

AEK
ro-tech
New Member
July 1, 2025

Hi, in case anyone stumbles across this, here's a brief review:

 

Fortigate 40F, firmware 7.6.2, config saved

Downgraded to 7.4.8. Config was adopted.

 

BUT: CLI no longer worked from the GUI, CLI worked fine via SSH connection.

 

We then: upgraded to 7.6.3 (yes, to 7.6.3, because we wanted to downgrade from that version again, hoping the CLI would work again). After restart uploaded the original config (the 7.6.2 config) and downgraded to 7.4.8 again after another reboot. CLI worked.

 

First thing to do: check via CLI

 

"diagnose debug config-error-log read"

(Important: Check the error log immediately after rebooting, as it will be rewritten after the reboot and the downgrade error logs will disappear)

 

Basically, everything worked without any problems. We had a few errors in the log, but none that seemed important to us. Login worked, IPSec VPN was OK, and policies and addresses were all still correct.

 

Except one thing: the SSL VPN environment in the GUI had disappeared.

Using "config system settings set gui-sslvpn enable end" we were able to display it again in the GUI.

 

But there's still some work to be done via the CLI. Using "config vpn ssl settings show" it was clear that some elements of the SSL VPN configuration were missing, such as settings, certificate assignment, portals, user groups, etc. You can add all of the missing stuff via CLI and some of it in GUI-Mode. Maybe you take a look at an older config-backup.

 

We handled everything remotely, and except for the reboots - our customer was able to continue working normally.

 

RC, ro.
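
The post-downgrade check described in this thread (config adopted, but parts of the SSL VPN configuration gone) can be done by diffing the backup saved before the downgrade against one exported after the reboot. The following Python is an added example, not code from any poster or from Fortinet; the function names and both sample configs are constructed for illustration.

```python
def parse_fortios_config(text):
    """Flatten a FortiOS config backup into {(path, key): value}."""
    settings, stack, in_multiline = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        quotes = line.replace('\\"', "").count('"')  # unescaped quotes on this line
        if in_multiline:
            # Inside a multi-line quoted value (certificate, banner): skip to its end.
            in_multiline = quotes % 2 == 0
            continue
        if not line or line.startswith("#"):
            continue
        word, _, rest = line.partition(" ")
        if word in ("config", "edit"):
            stack.append(rest.strip('"'))      # enter a section or table entry
        elif word in ("end", "next") and stack:
            stack.pop()                        # leave it again
        elif word == "set":
            key, _, value = rest.partition(" ")
            settings[(tuple(stack), key)] = value
            in_multiline = quotes % 2 == 1     # value continues on following lines
    return settings


def lost_in_downgrade(before_text, after_text):
    """Return (missing, changed) setting keys, comparing before against after."""
    before, after = parse_fortios_config(before_text), parse_fortios_config(after_text)
    missing = sorted(k for k in before if k not in after)
    changed = sorted(k for k in before if k in after and before[k] != after[k])
    return missing, changed


# Constructed sample backups (not taken from a real device).
POLICY = 'config firewall policy\n    edit 1\n        set name "lan-to-wan"\n        set action accept\n    next\nend\n'
BEFORE = ('config system settings\n    set gui-sslvpn enable\nend\n'
          'config vpn ssl settings\n    set servercert "Example_Cert"\n    set port 10443\nend\n' + POLICY)
AFTER = 'config system settings\nend\nconfig vpn ssl settings\nend\n' + POLICY

if __name__ == "__main__":
    missing, changed = lost_in_downgrade(BEFORE, AFTER)
    for path, key in missing:
        print("missing:", " / ".join(path), "->", key)
    for path, key in changed:
        print("changed:", " / ".join(path), "->", key)
```

Run it on the two backups together with the config-error-log output mentioned above, so that every setting dropped during the downgrade is listed before anything is re-entered by hand.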

Toshi_Esumi
SuperUser
July 1, 2025
ro-tech
New Member
July 2, 2025

With the 7.6 firmware, Fortinet eliminated SSL VPN. I assume that's also the reason why it's missing after downgrading from 7.6.x to 7.4.x