FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gmarcuccetti
Staff
Staff
Article Id 197247

Description


Importing the configuration file from one FortiGate to a different FortiGate model or firmware.

Fortinet Support for the import of a configuration file between different hardware models or firmware versions.

It is only officially supported to import configuration files between the same hardware model and firmware version. 

This is because there can be configuration syntax differences between firmware versions as well as hardware models. For example, prior to FortiOS 6.4, SD-WAN is configured under 'config system virtual-wan-link', while in 6.4 and newer it's under 'config system sdwan'.

In addition, the interface mappings and other features may not be the same across different hardware models. Attempting to import such a configuration can have unexpected consequences and may not function as desired.

Fortinet Technical Support does not provide support for modified configuration files that were initially from another FortiGate (for example, changing the interface names in the config file to match the newer FortiGate model), however parts of the configuration can be restored manually by copying the required configuration parts from the old backup configuration file to new configuration file (for example, address objects or some other settings).

Recommended Solution


It is recommended that the FortiConverter service is used for this task.

The FortiConverter service is sold as a one-time service to convert a third-party or older FortiOS configuration to the latest FortiOS for the new FortiGate.
The FortiConverter service offers the possibility to convert the configuration correctly and is the only supported way the configuration can be migrated automatically. For more information regarding FortiConverter please see the following documents:

 

Data sheet: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiConverter.pdf 

FAQ: https://docs.fortinet.com/document/forticonverter-service/20.1.0/online-help/933819/general-faqs

 

Manual Conversion


Another possible option would be to manually configure the new FortiGate appliance from factory default settings, by referencing to the settings on the other unit.

However, keep in mind that converting the configuration in such a way can be error prone, as with any other process done manually.
The configuration file from the FortiGate can be viewed from any text editor such as Notepad, vi or Notepad++.

 

Note:

Refrain from using rich text editors (Microsoft Word, Wordpad, ...) as their formatting features may re-encode ASCII characters into different encodings and create unreadable configuration parts with hard to spot errors (example hyphen ‘-’ vs. ‘‐’).

1) Open the backup configuration file from the previous and different FortiGate.
2) Download a backup of a new configuration file from the new unit.
On FortiGate Admin -> Configuration -> Backup.


3) From the factory default configuration file copy the 'config-version', and paste this value and replace in the backup of the previous configuration file.
Make sure that all interface names correspond to the new unit. 
For example, the previous unit may have had a 'Wan1' interface however the new device has a 'Port1' interface, it is critical to make sure these correspond.

 
Save the new configuration file under a new .conf file.
This step is mandatory otherwise when reloading the new configuration file the error message 'configuration file error' will be displayed on the web based interface.

 
Only copy the 'config-version' section of the first line of the config file from the device being copied.
In this way, upon conversion to the new device, the correct 'VDOM' and 'opmode' settings will be applied.

 
4) Verify which user admin account was used when saving the configuration file.
Reloading a configuration that was saved under a super_admin account to a simple admin account will display the error message invalid username or password on the web based interface.

 
5) On the new FortiGate , go to Admin -> Configuration -> Restore, and upload the edited config file to the new unit. 
The unit restarts automatically.

 
6) Test the configuration.

7) Run a # diag debug config-error-log read to see if there were any import errors.

It must be noted that modifying .conf files in this manner will not ensure that all profiles will be saved.
This is particularly true if this procedure is used for .conf files being used on different versions of FortiOS.

Contributors