Description
This article describes how to import the configuration file from one FortiGate to a different FortiGate or firmware.
Scope
FortiGate.
Solution
Fortinet Support for the import of a configuration file between different hardware models or firmware versions.
It is only officially supported to import configuration files between the same hardware model and firmware version.
This is because there can be configuration syntax differences between firmware versions as well as hardware models. For example, prior to FortiOS 6.4, SD-WAN is configured under 'config system virtual-wan-link', while in 6.4 and newer it's under 'config system sdwan'.
In addition, the interface mappings and other features may not be the same across different hardware models. Attempting to import such a configuration can have unexpected consequences and may not function as desired.
Fortinet Technical Support (TAC) does not provide support for modified configuration files that were initially from another FortiGate (for example, changing the interface names in the config file to match the newer FortiGate model), however parts of the configuration can be restored manually by copying the required configuration parts from the old backup configuration file to new configuration file (for example, address objects or some other settings).
Recommended Solution: It is recommended that the FortiConverter service is used for this task.
The FortiConverter service is sold as a one-time service to convert a third-party or older FortiOS configuration to the latest FortiOS for the new FortiGate.
The FortiConverter service offers the possibility to convert the configuration correctly and is the only supported way the configuration can be migrated automatically to prevent any human errors when re-configuring the new unit via either open a ticket with our FortiConverter team at https://service.forticonverter.com/ or use the FortiConverter tool to convert manually.
From FortiOS 7.4.0 and above, the FortiConverter ticket can be opened when going through initial setup page on the GUI of the ForitGate instead of accessing the portal, refer to this article for more information: Technical Tip: Migrating from an older FortiGate d... - Fortinet Community.
Once the ticket is opened with the FortiConverter team, expect the configuration to be ready within a few business days.
There should not be any restriction in terms of the number of configuration conversion to be done when using FortiConverter tool.
For more information regarding FortiConverter, refer to the following documents:
Manual Conversion:
Another possible option would be to manually configure the new FortiGate appliance from factory default settings, by referencing to the settings on the other unit.
However, keep in mind that converting the configuration in such a way can be error prone, as with any other process done manually.
The configuration file from the FortiGate can be viewed from any text editor such as Notepad, vi or Notepad++.
Note:
Refrain from using rich text editors (Microsoft Word, Wordpad, ...) as their formatting features may re-encode ASCII characters into different encodings and create unreadable configuration parts with hard to spot errors (example hyphen ‘-’ vs. ‘‐’).
- Open the backup configuration file from the previous and different FortiGate.
- Download a backup of a new configuration file from the new unit. On FortiGate Admin -> Configuration -> Backup.
- Copy the first four lines from the factory default configuration file, which include config-version, conf_file_ver, buildno, and global_vdom. Then, paste and replace these lines in the backup of the previous configuration file.
Note: If the source FortiGate has a disk and the destination FortiGate is a non-disk model, remove 'config system storage' and 'config log disk setting' configuration section from the previous configuration file. Make sure that all interface names correspond to the new unit.
For example, the previous unit may have had a 'Wan1' interface however the new device has a 'Port1' interface, it is critical to make sure these correspond.Save the new configuration file under a new .conf file. This step is mandatory otherwise when reloading the new configuration file the error message 'configuration file error' will be displayed on the web based interface. - Verify which user admin account was used when saving the configuration file.
Reloading a configuration that was saved under a super_admin account to a simple admin account will display the error message invalid username or password on the web based interface. - On the new FortiGate , go to Admin -> Configuration -> Restore, and upload the edited config file to the new unit.
The unit restarts automatically. - Test the configuration.
- Run 'diag debug config-error-log read' to see if there were any import errors.
It must be noted that modifying .conf files in this manner will not ensure that all profiles will be saved.
This is particularly true if this procedure is used for .conf files being used on different versions of FortiOS.
Note:
If the configuration file is not converted as outlined above, users could encounter the error message 'Invalid configuration file or password required' on the FortiGate GUI.
This error indicates that the configuration file is incompatible with the current firmware version or lacks the necessary password.
To avoid this issue, ensure that the configuration conversion process is followed before restoring the file.
Related document:
Migrating a FortiGate configuration manually using configuration files
