FortiGate
rmetzger (Staff)
Article Id 191106
Description
This article describes the system global option 'set cfg-save revert'. It is intended for remote changes on a FortiGate where the operator wants an automatic revert to the previous configuration if problems arise (for example, if the connection to the FortiGate is lost after the change).

When a config change is made in HA environments, the change is pushed out to other HA members before being saved.
If 'execute cfg save' is not run before the timeout expires, all members will reboot and revert to the previous config.
Other HA members will not take over if the primary reboots to revert to the original configuration.

Solution
The global setting parameter "set cfg-save" dictates the way that configuration changes applied on the FortiGate are saved:

FGT # config system global
FGT (global) # set cfg-save ?
automatic    automatically save config
manual       manually save config
revert       manually save config and revert the config when timeout

The default setting is "automatic": in this mode, any change applied after an "end" (CLI) or "Apply" (GUI) is saved immediately.
If set to "revert", an additional global parameter is required, the timeout in seconds: "set cfg-revert-timeout".
Once this is applied, any new change must be saved manually with the command "execute cfg save" within the timeout period, otherwise the FortiGate will reboot and revert to the last saved configuration.

A warning CLI message is displayed 10 seconds before the reboot:

FGT # System will reboot if no input is received in the next 10 seconds...
System will reboot if no input is received in the next 9 seconds...
System will reboot if no input is received in the next 8 seconds...
System will reboot if no input is received in the next 7 seconds...

Example:

This example shows the use of 'cfg-save revert' and the associated event log "FortiGate Restarted", which is generated when newly added configuration is not confirmed before the timeout.

FG100D_Primary (global) # set cfg-save
automatic    Automatically save config.
manual       Manually save config.
revert       Manually save config and revert the config when timeout.

FG100D_Primary (global) # show full-configuration | grep cfg
set cfg-save automatic

FG100D_Primary (global) # show full-configuration | grep cfg
set cfg-save revert     <<--- Changed from automatic to revert
set cfg-revert-timeout 600   <<--- (10 Minutes)

FG100D_Primary (lan) # set role
lan          Connected to local network of endpoints.
wan          Connected to Internet.
dmz          Connected to server zone.
undefined    Interface has no specific role.

FG100D_Primary (lan) # set role lan   <<-- Added a new role to the LAN interface configuration in order to generate a new change in the current configuration.
FG100D_Primary (lan) # end

FG100D_Primary (lan) # show full-configuration | grep role
set role lan   <<-- New configuration added to interface 

FG100D_Primary (lan) # show full-configuration | grep role
set role undefined  <<-- The role added to the interface was never committed to the current configuration: the timeout of 600 seconds (10 minutes) expired without the new configuration being confirmed, so the FortiGate rebooted and generated the event log "FortiGate Restarted" under System Events.

(Screenshot: the "FortiGate Restarted" entry in the System Events log.)
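A commit-confirm wrapper around the workflow above (arm revert, apply the change, prove the device is still reachable, then 'execute cfg save'), as an added example that is not Fortinet's code. It assumes the FortiGate accepts a CLI batch on SSH stdin with key-based login and that `ssh` is on the PATH; only `run_cli` touches the network, and the sample output is constructed.

```python
import re
import subprocess

# Constructed sample, modelled on the article's 'show full-configuration | grep cfg'.
SAMPLE_GREP_CFG = "set cfg-save revert\nset cfg-revert-timeout 600\n"

def parse_cfg_save(grep_output: str) -> dict:
    """Extract cfg-save mode and cfg-revert-timeout from the grep'd global config."""
    mode = re.search(r"^\s*set cfg-save (\S+)", grep_output, re.M)
    tmo = re.search(r"^\s*set cfg-revert-timeout (\d+)", grep_output, re.M)
    return {"mode": mode.group(1) if mode else None,
            "timeout": int(tmo.group(1)) if tmo else None}

def revert_armed(grep_output: str, timeout_s: int) -> bool:
    """True only when the device reports revert mode with the expected timeout."""
    cfg = parse_cfg_save(grep_output)
    return cfg["mode"] == "revert" and cfg["timeout"] == timeout_s

def arm_revert_batch(timeout_s: int) -> list:
    """CLI lines that switch the FortiGate to revert mode with the given timeout."""
    if timeout_s <= 0:
        raise ValueError("cfg-revert-timeout must be a positive number of seconds")
    return ["config system global", "set cfg-save revert",
            f"set cfg-revert-timeout {timeout_s}", "end"]

SHOW_CFG = ["config system global", "show full-configuration | grep cfg", "end"]

def run_cli(host: str, user: str, lines: list) -> str:
    """Send one CLI batch over SSH (assumption: 'ssh' on PATH, key-based login)."""
    proc = subprocess.run(["ssh", f"{user}@{host}"], input="\n".join(lines) + "\n",
                          capture_output=True, text=True, timeout=60)
    return proc.stdout

def safe_change(host: str, user: str, change_lines: list, timeout_s: int = 600) -> None:
    """Arm revert, apply the change, prove the box is still reachable, then confirm.
    On any failure we simply stop: the FortiGate (and every HA member) reboots to
    the last saved configuration once timeout_s expires."""
    run_cli(host, user, arm_revert_batch(timeout_s))
    if not revert_armed(run_cli(host, user, SHOW_CFG), timeout_s):
        raise RuntimeError("revert mode not armed; refusing to change anything")
    run_cli(host, user, change_lines)      # applied, but unsaved until confirmed
    # A fresh SSH session is the reachability check: if it fails, do not confirm.
    if not revert_armed(run_cli(host, user, SHOW_CFG), timeout_s):
        raise RuntimeError("device unreachable after change; letting it revert")
    run_cli(host, user, ["execute cfg save"])   # must land before timeout_s
```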