Hello,
We have a FG100D as our main router and got a FG60D from a closed remote office.
I would like to use the FG60D as a backup router.
Is it possible to do so as a cluster between the FG100D and FG60D ?
Or is it possible to backup the configuration of the FG100D and restore it to the FG60D ?
I tried to do that but it seems it's not working from scratch :
[ul]Both units are in 5.2.13 firmware.
Thank you for your help,
Regards,
Fred
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You can import the foreign config into the 60D but you will have to adjust it beforehand. Chances are that the number of ports and maybe their names are different.
As a means of last resort one could do that. Every time you change the config on the 100D you would have to adjust the 60D config as well. Your call.
If you want to create a redundant pair of firewalls with different hardware you could go the VRRP way. But, no config sync either, and failover time is slow in comparison.
IMHO getting a used 100D and new contract(s) would be much more efficient.
Hi Fred.
You would need to replace the header line (first line) on the 200D config with the header line from a copy of the 60D config before importing (loading) the "modified" config on to the 60D. Assuming you are not using anything fancy, the only "real" difference in porting a modded config would be the 200D's 14-port switch vs the 60D's 7-port switch. But as Ede indicated the internal interface ports may be named differently. Not having access to a 60D, I would assume the internal interface on it are in switch mode by default, whereas the ports 1-through-8 on the 100D are a switch + individual ports (9 though 14) - just guessing on this. (If these fgts are firmware upgradable to 5.4 or higher, the internal ports should be all converted to a hardware switch with individual port members and thus named similarly - someone correct me on this, though.)
I would follow Ede' suggestion. However, if you do plan to import a modded 200D config over to the 60D, perform a diagnose debug config-error-log read from the CLI after that first boot to see what has messed up and edit the modded config accordingly.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Didn't Fortinet have a converter tool available in the Fortinet Support Portal Download section?
Maybe this does that the easy way (alas it still supports v5.2)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
yes they do, but it's not for free anymore. The 1 year licence is about 4.300 EUR, and for some models they offer a one-time service (FC-10-FGxxx-189-02-DD). This will cost between 20 EUR and 14.750 EUR.
Unfortunately, it's not available for the 100D.
Hi,
THank you everyone for your answers.
I almost managed to convert my FG100D config file to FG60D with the following changes :
[ul]The config is then correctly imported to FG60D.
Unfortunately, I have to stop here as I discovered that the FG60D doesn't support link aggregate :(
Regards,
Frederic
Notepad++ is good for migrating and comparing configs using the compare plugin.
Sometimes it's necessary to migrate an old config from a C series to an E series. Depending on the models (where there is no overlap in firmware versions), it's helpful to have an intermediary D model to ensure you follow the recommended upgrade paths when migrating.
When changing the headers, ensure the values are the same or you will have odd problems when you try to login.
#config-version=FGT60E-6.0.3-FW-build0200-181009:opmode=0:vdom=0:user=admin #conf_file_ver=14264913538227404 #buildno=0200 #global_vdom=1
Map your interface names across. Some models have wan1, some have wan, some have ports labelled lan, internal or port.
Once you know the port mapping, find and replace all "wan1" with "wan" for example (including quotes) for each interface mapping.
Backup the config and reboot.
Check for any errors at each stage or end of the process with the command: diagnose debug config-error-log read
Use the Notepad++ compare plugin to see the differences between the original config and the new one.
Side notes to Ede's suggestion. Unlike Cisco who has registration ripping-off policy, Fortinet doesn't let the new owner of a FGT reregister it unless the registered owner is reachable and agreed to release the registration. I had a first-hand experience when I bought an used 50E and the registered owner refused to release it when FTNT reached him. So some risk is associated with an used one.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1667 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.