Fortinet Forum
comas17
New Contributor

Migrate configuration to another device (60C -> 60D)

Hi all

We are using a Fortigate 60 C - v4.0,build5849,110804 (MR2) (Which patch is it? I'd like to upgrade but I cannot understand which is the correct path.)

 

We have bought a new Fortigate 60 D  - v5.0,build4459 (GA)

How can I migrate all configuration from the old one to the new one? Can I simply back up the configuration on the 60C and restore it on the 60D?

Thank you

 

Corrado

Dave_Hall
Honored Contributor

The Supported Upgrade Paths document outlines the min. number of firmware upgrades you will need to follow to upgrade the 60C -- ideally, you will want to get the 60C to the same firmware to match the 60D.

 

Glancing at the quick start guides for both the 60C and 60D, it looks like they have the same ports, so you should be able to save an unencrypted backup config from the 60C, replace the top line of the config with one from the 60D, and load that into the 60D. After you load the config onto the 60D, perform a "diag debug config-error-log read" on the CLI to check for any errors.

#config-version=FG200D-5.00-FW-build271-140409:opmode=0:vdom=0:user=xxxxx
#conf_file_ver=3745559791608203076
#buildno=3608
#global_vdom=1

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

comas17

Hi Dave

I've seen the document about the upgrade path but I cannot understand which is my 60C firmware; it says Firmware Version v4.0,build5849,110804 (MR2)

In the upgrade path (here for example: http://docs.fortinet.com/uploaded/files/1033/Supported%20Upgrade%20Paths%20for%20FortiOS%20Firmware%...) I cannot find this build number...

Can you help me ?

Fortigate 60C and 60D are very similar, 60C has only 5 internal lan ports, 60D has 7

Thank you

 

EDIT: uhm... I think I found the answer...I opened a configuration backup file and the first line is

#config-version=FGT60C-4.00-FW-build328-110804

I can find it in the upgrade path... 4.0 MR2 Patch 8 ...

Thank you

Dave_Hall
Honored Contributor

comas17 wrote:

Fortigate 60C and 60D are very similar, 60C has only 5 internal lan ports, 60D has 7

 

Importing the config should still work, assuming the LAN ports are similarly labelled in both devices. 

 

Things to watch out for when you upgrade between major firmware releases (e.g. going from 4.0 MR2->4.0 MR3->5.0, etc.): certain features may have been bumped/moved around/or removed. Read the patch notes (e.g. 4.0 MR3 patch1, 5.0.1, 5.2.1, etc.) to see what was removed/needs fixing.

 

Do perform "diag debug config-error-log read" on the CLI after each upgrade.

 

Also check/confirm you have no spaces or other non-standard chars in your firewall address/labels/names, etc. as the "scripted conversion process" performed on the config during the firmware upgrade can mess up on those. e.g. a web filter name like "This is my web filter" could get truncated down to "This".

 

Personally, with 5.x being so different to previous firmware releases, I would just rebuild the config from scratch, using the old config as a template. Since you have access to both devices, you can open the GUIs side-by-side with each other while you code/build the new config on the 60D. Rebuilding the config from scratch will also remove any obsolete or unused settings still left on the old config and also gives you the chance to streamline it or add something that you couldn't do before. YMMV.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
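
The two checks described in the replies above (putting the 60D's top line on the 60C's unencrypted backup, and finding names with spaces before an upgrade) can be scripted. This is an added example, not code from the thread or from Fortinet; the function names, the sample configs and the pattern for a "safe" name are assumptions.

```python
import re

HEADER = re.compile(r"^#config-version=([A-Za-z0-9]+)-(\d+\.\d+)-FW-build(\d+)-(\d+)")
EDIT_NAME = re.compile(r'^\s*edit\s+"([^"]*)"\s*$')
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")  # assumption: what counts as a "standard" name

def parse_header(config_text):
    """Return model, version, build and date from the first line of a backup."""
    first = config_text.splitlines()[0]
    m = HEADER.match(first)
    if not m:
        raise ValueError("first line is not a #config-version header (encrypted backup?)")
    model, version, build, date = m.groups()
    return {"model": model, "version": version, "build": int(build), "date": date}

def swap_top_line(old_config, new_device_config):
    """Put the new device's top line on the old device's config body."""
    parse_header(old_config)          # both files must be unencrypted backups
    parse_header(new_device_config)
    new_top = new_device_config.splitlines()[0]
    body = old_config.splitlines()[1:]
    return "\n".join([new_top] + body) + "\n"

def risky_names(config_text):
    """List (line number, name) for quoted edit names with spaces or odd characters."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), start=1):
        m = EDIT_NAME.match(line)
        if m and not SAFE_NAME.match(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

# Constructed sample backups, not taken from a real device.
OLD_60C = """#config-version=FGT60C-4.00-FW-build328-110804:opmode=0:vdom=0:user=admin
config firewall address
    edit "lan_servers"
    next
    edit "This is my web filter"
    next
end
"""
NEW_60D = """#config-version=FGT60D-5.00-FW-build271-140409:opmode=0:vdom=0:user=admin
config system global
end
"""
```

Names reported by `risky_names` are candidates for renaming on the old unit before the upgrade; the merged file still needs the "diag debug config-error-log read" check after loading.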

emnoc
Esteemed Contributor III

agreed

 

I would do it in MS/Word or use unix VI and find/substitute where required. Start with the global stuff, admin, dhcp, address, addrgrp, then last firewall policies & VPNs.

 

I'm guessing with a 60C you don't have a lot of policies so this should be like a 30min or less job.

 

 

PCNSE 

NSE 

StrongSwan