FredMB
New Contributor

Export configuration from FG100D to FG60D

Hello,

 

We have a FG100D as our main router and got a FG60D from a closed remote office.

I would like to use the FG60D as a backup router.

 

Is it possible to do so as a cluster between the FG100D and FG60D ?

 

Or is it possible to backup the configuration of the FG100D and restore it to the FG60D ? 

I tried to do that but it seems it's not working from scratch :

  • Importing the config directly returns an error.
  • So I edited the config file and changed the config-version from FG100D to FGT60D. The configuration was imported but it seems I didn't get any more access to the FG60D and I had to do a hard reset.

    Both units are in 5.2.13 firmware.

     

    Thank you for your help,

     

    Regards,

     

    Fred

     

    7 REPLIES
    ede_pfau
    Esteemed Contributor III

    You can import the foreign config into the 60D but you will have to adjust it beforehand. Chances are that the number of ports and maybe their names are different.

    As a means of last resort one could do that. Every time you change the config on the 100D you would have to adjust the 60D config as well. Your call.

    If you want to create a redundant pair of firewalls with different hardware you could go the VRRP way. But, no config sync either, and failover time is slow in comparison.

     

    IMHO getting a used 100D and new contract(s) would be much more efficient.


    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    Dave_Hall
    Honored Contributor

    Hi Fred.

     

    You would need to replace the header line (first line) on the 200D config with the header line from a copy of the 60D config before importing (loading) the "modified" config on to the 60D. Assuming you are not using anything fancy, the only "real" difference in porting a modded config would be the 200D's 14-port switch vs the 60D's 7-port switch. But as Ede indicated, the internal interface ports may be named differently. Not having access to a 60D, I would assume the internal interfaces on it are in switch mode by default, whereas the ports 1-through-8 on the 100D are a switch + individual ports (9 through 14) - just guessing on this. (If these fgts are firmware upgradable to 5.4 or higher, the internal ports should be all converted to a hardware switch with individual port members and thus named similarly - someone correct me on this, though.)

     

    I would follow Ede's suggestion. However, if you do plan to import a modded 200D config over to the 60D, perform a diagnose debug config-error-log read from the CLI after that first boot to see what has messed up and edit the modded config accordingly.

    NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

    sw2090
    Honored Contributor

    Didn't Fortinet have a converter tool available in the Fortinet Support Portal Download section?

    Maybe this does that the easy way (alas it still supports v5.2)

    -- 

    "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

    ede_pfau
    Esteemed Contributor III

    Yes, they do, but it's not for free anymore. The 1 year licence is about 4.300 EUR, and for some models they offer a one-time service (FC-10-FGxxx-189-02-DD). This will cost between 20 EUR and 14.750 EUR.

    Unfortunately, it's not available for the 100D.


    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    FredMB
    New Contributor

    Hi,

     

    Thank you everyone for your answers.

     

    I almost managed to convert my FG100D config file to FG60D with the following changes :

  • First line : replace FG100D by FGT60D
  • Remove mgmt interface
  • Remove ha1 + ha2 interfaces
  • Remove port8 to port16
  • replace port(\d+) by internal$1 (using notepad++ works fine)

    The config is then correctly imported to FG60D.

     

    Unfortunately, I have to stop here as I discovered that the FG60D doesn't support link aggregate :(

     

    Regards,

     

    Frederic

     

    Paul_Dean

    Notepad++ is good for migrating and comparing configs using the compare plugin.

     

    Sometimes it's necessary to migrate an old config from a C series to an E series. Depending on the models (where there is no overlap in firmware versions), it's helpful to have an intermediary D model to ensure you follow the recommended upgrade paths when migrating.

     

    When changing the headers, ensure the values are the same or you will have odd problems when you try to login.

     

    #config-version=FGT60E-6.0.3-FW-build0200-181009:opmode=0:vdom=0:user=admin
    #conf_file_ver=14264913538227404
    #buildno=0200
    #global_vdom=1

     

    Map your interface names across. Some models have wan1, some have wan, some have ports labelled lan, internal or port.

     

    Once you know the port mapping, find and replace all "wan1" with "wan" for example (including quotes) for each interface mapping.

     

    Backup the config and reboot.

     

    Check for any errors at each stage or end of the process with the command: diagnose debug config-error-log read

     

    Use the Notepad++ compare plugin to see the differences between the original config and the new one.

    NSE4
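
The edits FredMB and Paul_Dean describe above, scripted as an added example (not code from the thread or from Fortinet): it swaps the header line, drops the interface blocks that do not exist on the 60D, renames quoted port names, and lists the lines that still reference a dropped interface, so a policy that would not import cleanly is noticed before the backup unit goes into service. The sample config and both header lines are constructed placeholders; `convert` and its parameters are hypothetical names.

```python
import re

# Constructed sample in FortiOS backup layout; header build fields are placeholders.
SAMPLE = '''#config-version=FG100D-5.02-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system interface
    edit "mgmt"
        set ip 192.168.1.99 255.255.255.0
    next
    edit "port1"
        set ip 10.0.1.1 255.255.255.0
    next
    edit "port9"
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "wan1"
    next
    edit 2
        set srcintf "port9"
        set dstintf "wan1"
    next
end
'''
# Placeholder: in practice copy this line from a backup taken on the 60D itself.
TARGET_HEADER = "#config-version=FGT60D-5.02-FW-build0000-000000:opmode=0:vdom=0:user=admin"
DROP = {"mgmt", "ha1", "ha2"} | {f"port{n}" for n in range(8, 17)}

def convert(text, header, drop, rename=(r'"port(\d+)"', r'"internal\1"')):
    """Return (converted_text, dangling), dangling = [(line_no, line), ...]."""
    out, depth, in_iface, skipping = [header], 0, False, False
    for line in text.splitlines()[1:]:            # original first line is replaced
        word = line.strip()
        depth += word.startswith("config ") - (word == "end")   # nesting level
        if word.startswith("config ") and depth == 1:
            in_iface = word == "config system interface"
        m = re.fullmatch(r'edit "([^"]+)"', word)
        if in_iface and depth == 1 and m and m.group(1) in drop:
            skipping = True                       # start of a dropped interface block
        if not skipping:
            out.append(line)
        elif depth == 1 and word == "next":       # end of the dropped block
            skipping = False
    # References that still name a dropped interface (policies, routes, ...).
    dangling = [(n, l.strip()) for n, l in enumerate(out, 1)
                if set(re.findall(r'"([^"]+)"', l)) & drop]
    return "\n".join(re.sub(*rename, l) for l in out) + "\n", dangling
```

Only whole quoted names are renamed, as Paul_Dean suggests, and multi-line quoted values (certificates, replacement messages) are not parsed specially. Each entry in `dangling` is a line to fix by hand before loading the file.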
    Toshi_Esumi
    Esteemed Contributor III

    Side notes to Ede's suggestion. Unlike Cisco who has registration ripping-off policy, Fortinet doesn't let the new owner of a FGT reregister it unless the registered owner is reachable and agrees to release the registration. I had a first-hand experience when I bought a used 50E and the registered owner refused to release it when FTNT reached him. So some risk is associated with a used one.
