Skip to main content
mcegielka
mcegielka
Explorer
August 21, 2025
Question

Fortigate 40F v7.2.11 loses part of config

  • August 21, 2025
  • 5 replies
  • 1878 views

Hi all,

 

I have around 45 FortiGates 40F-3G4G with FortiOS version 7.2.11 that I registered with a FortiManager-VM version 7.4.7. It happened to me about 6 times that our Fortigates lost part of their configuration after a sudden power outage. All settings for IPSec VPNs disappeared, together with policy and static route that were referencing them. Among settings that remained are central management address and tunnel interface that was associated with the VPN:

 
Interfaces list screenshotInterfaces list screenshot
 
I'm using the following pre-run CLI script in FortiZTP:
config system global
set timezone 29
end
config vpn ipsec phase1-interface
edit "Administrative"
set interface "wwan"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set localid "{{fgt-sn}}"
set dhgrp 19 18 17
set remote-gw <HQ_IP_address>
set psksecret <PSK>
next
end
config vpn ipsec phase2-interface
edit "Administrative"
set phase1name "Administrative"
set proposal aes256-sha256 aes256gcm chacha20poly1305
set dhgrp 19 18 17
set auto-negotiate enable
next
end
config firewall policy
edit 0
set name "Admin->Admin"
set srcintf "Administrative"
set dstintf "Administrative"
set action accept
set srcaddr "none"
set dstaddr "none"
set schedule "always"
set service "ALL"
set comments "Policy needed to start the administrative VPN"
next
end
config router static
edit 0
set dst <HQ_IP_address> 255.255.255.255
set device "wwan"
set dynamic-gateway enable
next
edit 0
set dst {{fmg-ip}} 255.255.255.255
set device "Administrative"
next
end
config system central-management
set type fortimanager
set allow-remote-lte-firmware-upgrade enable
set serial-number "{{fmg-sn}}"
set fmg "{{fmg-ip}}"
end

I found some information about VPNs disappearing, but none of the cases were exactly like mine. Is this any known bug in 7.2.11 version? Should I upgrade to 7.4?

 

Thanks!

 

5 replies

BillH_FTNT
Staff
BillH_FTNT
Staff
August 21, 2025

Hi @mcegielka 

I am Bill from Fortinet. I would like to reproduce the issue in my lab. Could you please share the full configuration of FortiGate with me through the official email bhoang@fortinet.com ?

Thank you 

Bill

 

    wokulbo1
    wokulbo1
    New Member
    August 21, 2025

    Updated a 40F over an hour ago. Early, but good so far. Memory usage running at 64-65%. Used to stay at 67-68% while on 7.2.10 except signature updates would push into conserve/critical status. Will see how overnight goes.

      mcegielka
      mcegielkaAuthor
      Explorer
      August 22, 2025

      Hi @BillH_FTNT , I sent you configuration by email, thank you for this.

       

      @wokulbo1 We do not have licenses for UTM features, as we use these FG40 only for IPSec and SD-WAN and I did not observe any problems with memory on them. 

      NetworkR4
      NetworkR4
      Visitor III
      September 2, 2025

      We are observing this behavior, config loss at 40F, apparently it is linked to many memory errors (extreme low memory mode)... run this kb and see if it solves it.. our fgts in this scenario are under observation.. change your ISDB database to on demand, and performed these steps, from this kb I recommend not customizing session time and ttl.. it is not necessary. The topics 1, 7, 9 10 and 12 we have a 7% memory gain, check your cpu after this adjustment. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Low-end-FortiGate-models-with-RAM-2GB-entering/ta-p/295489

       

        mcegielka
        mcegielkaAuthor
        Explorer
        September 9, 2025

        Hi @NetworkR4,

        Thank you for your answer. We haven't noticed any problems with lack of free memory. Fortunately, we have not had any new cases of configuration loss to date. I suspect these might have been one-off events due to me using FortiZTP to deprovision Fortigates from FortiCloud and provision them to FortiManager-VM on-site.

        thelonerangers
        thelonerangers
        New Member
        December 5, 2025

        Just wanted to add to this topic, but I've been seeing this issue quite a bit.  We have about 60 locations running 60F on 7.2.8.  It looks to be related to power outages and when they come back online, most configuration changes are lost.  Some times as far back to when they were first deployed.  These locations are all identical.  Same hardware, same image, same starting point as far as a config file goes (all were deployed from a single template configuration).  Dealing with a fresh issue today.  Device rebooted and the wan1 interface reverted to DHCP but keep all the static routes and gateways in place.  We are planning on upgrading these but beyond that, at a total loss to explain it.

         

        I'd also like to point out, that while we do infact use the manual configuration save setting, we are performing the save configuration set.  In fact we've flipped a few of these back to automatic which did not help.

        BillH_FTNT
        Staff
        BillH_FTNT
        Staff
        December 5, 2025

        Hi @thelonerangers 

        I recall that our Engineering team has already investigated this issue. I will look up the information. Meanwhile, if you have a FortiCare ticket, please share it with me; I will also gather details from that. Thank you

        Bill

          thelonerangers
          thelonerangers
          New Member
          December 8, 2025

          Thanks Bill,  I've found the KB article below.  We will start the upgrade process for our locations.  Thanks.

           

          https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-models-may-lose-part-of-their/ta-p/406302

            Terms & ConditionsAccessibility statement