amrit
Staff & Editor
Article Id 403112
Description This article describes the process of migrating the configuration file between identical FortiGate models.
Scope FortiGate.
Solution

Make sure that both FortiGates are the same model. Configuration migration between different FortiGate models is supported only through FortiConverter services.

 

  • It is recommended to have local access to the firewall via a console cable. However, this task can also be performed using remote management access. Console access is the preferred method.
  • Take a configuration backup using either the GUI or CLI. For encrypted backups, a password is required to restore the configuration on the new device. See "Configuration backups and reset".
  • If VDOMs are enabled on the old FortiGate:
    • The new FortiGate must have the appropriate license if more than 10 VDOMs are needed, as most FortiGate models support only up to 10 VDOMs by default.

    • To check the maximum number of VDOMs supported on the current FortiGate, use the command:

 

get system status | grep Max
                   

  • If the configuration migration is performed remotely:
    • Make note of the management IP/Mask to regain remote access to the firewall.
    • Ensure that the computer/laptop has access to the management IP.

  • If any local-in policies or trusted hosts are configured for admin management access:
    • Ensure the connecting computer is on the same IP/subnet listed in the trusted host settings. Otherwise, GUI/SSH access will not be established.
    • Confirm that the management interface status is up.

  • If multifactor authentication (MFA) is configured for firewall admin users:
  • For restoring the configuration in an HA (High Availability) cluster environment, use the following methods:

    Scenario 1: Configuration migration to Primary and Secondary units from the previous standalone unit

    • Keep both cluster units separate and do not connect the network and HA cables to the secondary unit.
    • Restore the configuration file on the primary unit.
    • Edit the config file to:
      • Change the hostname
      • Modify the HA priority and override settings (override should only be enabled on the unit that you always want to become primary, and the priority value on that unit should be higher than on the secondary unit).

    Scenario 2: Configuration migration from an existing HA cluster to a new HA cluster of devices

    • The new devices should not be connected to HA initially.
    • Restore the configuration file from the respective old FortiGate to the new device.
    • Connect the HA cables.
    • After the cluster is synced, connect the network cables.
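
A pre-restore check for the trusted-host step above, as an added example (not part of the original article and not Fortinet tooling): it reads an unencrypted backup and lists which admin accounts a given workstation IP could log in as once the file is restored. The sample config, admin names and addresses are constructed; only IPv4 `trusthostN` entries are evaluated, and local-in policies are not considered.

```python
import ipaddress
import re

# Constructed excerpt of a plain-text backup (not from a real device).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
        set trusthost2 10.10.10.5 255.255.255.255
    next
    edit "auditor"
        set trusthost1 172.16.0.0 255.255.0.0
    next
    edit "breakglass"
        set accprofile "super_admin"
    next
end
"""

TRUST_RE = re.compile(r"set trusthost\d+ (\S+) (\S+)")

def admin_trusted_hosts(config_text):
    """Return {admin_name: [IPv4Network, ...]} from 'config system admin'."""
    admins, in_block, depth, current = {}, False, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config system admin"
        elif line.startswith("config "):
            depth += 1                      # nested table inside an admin entry
        elif line == "end":                 # closes a nested table or the admin block
            in_block, depth = depth > 0, max(depth - 1, 0)
        elif depth:
            continue                        # ignore contents of nested tables
        elif line.startswith("edit "):
            current = line[5:].strip('"')
            admins[current] = []
        elif line == "next":
            current = None
        elif current and (m := TRUST_RE.fullmatch(line)):
            admins[current].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    return admins

def reachable_admins(config_text, workstation_ip):
    """Admins usable from workstation_ip; no trusthost entries means unrestricted."""
    ip = ipaddress.ip_address(workstation_ip)
    return sorted(name for name, nets in admin_trusted_hosts(config_text).items()
                  if not nets or any(ip in net for net in nets))
```

An empty result means the workstation would be locked out of GUI/SSH after the restore, so either move it into a listed subnet or rely on console access. An account that appears for every address, like the constructed `breakglass` entry, has no trusted-host restriction at all.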

   

Related documents:

Migrating a FortiGate configuration manually using configuration files - FortiGate 7.6.0 best practi... 

Backing up and restoring configurations in multi-VDOM mode - FortiGate 7.6.3 administration guide 
Migrating a configuration with FortiConverter - FortiGate 7.6.3 administration guide 

Technical Tip: How to load/convert a FortiGate configuration file from one unit to another (file con... 

Technical Tip: Understanding FortiGate Configuration File Format