Created on 08-25-2025 10:17 PM
Edited on 09-08-2025 01:21 AM
By Jean-Philippe_P
Description | This article describes the purpose and behavior of the config checksum on FortiGate. It explains how the checksum is used for config restore purposes and how it can be verified using the 'diagnose sys csum' command. |
Scope | FortiGate (VM/Physical) v7.0.x, v7.2.x, v7.4.x, v7.6.x. |
Solution |
Understanding Configuration Checksums on FortiGate: The configuration (config) checksum on FortiGates serves as a verification mechanism during configuration restores. It ensures the integrity of the restored configuration by allowing administrators to compare the checksum of the running config against the original file. The current config checksum can be reviewed using the CLI command 'diagnose sys csum', which displays the checksum value for the active configuration.
Update Trigger: The checksum is updated only when a configuration restore is performed. If no restore has occurred since the device was initialized or reset, the checksum will display as all zeros (for example, 00000000000000000000000000000000).
Verification Process: After a restore, compare the device's checksum with the original configuration file's checksum to confirm a successful and unaltered restore.
Example: On a FortiGate that has never undergone a configuration restore, the output of 'diagnose sys csum' shows all zeros:
After performing a restore, the checksum updates to reflect the restored configuration:
Compare this with the original configuration file's checksum. The values should match for verification:
For physical FortiGate appliances, configurations can be restored from a USB drive using the following command:
exe restore config usb <file-name>
To verify the checksum of a configuration file stored on a USB drive before or after restoration:
diagnose sys csum usb/<file-name>
Advanced Usage: Verifying Specific Configuration Files. The 'diagnose sys csum' command supports an optional file path argument, allowing administrators to calculate the checksum for a specific configuration file. This is particularly useful for collecting indicators of compromise (IoCs) and debugging.
Important note: FortiGate does not store configurations in a single file. Instead, they are distributed across multiple files in the /data/config directory. Firmware images are stored in dedicated flash memory partitions and are not accessible via CLI commands or user-level operations.
Related articles: Technical Tip: Troubleshooting a checksum mismatch in a FortiGate HA cluster |