Hi all,
I have around 45 FortiGates 40F-3G4G with FortiOS version 7.2.11 that I registered with a FortiManager-VM version 7.4.7. It has happened to me about 6 times that our FortiGates lost part of their configuration after a sudden power outage. All settings for IPSec VPNs disappeared, together with the policy and static route that were referencing them. Among the settings that remained are the central management address and the tunnel interface that was associated with the VPN:
```
config system global
    set timezone 29
end
config vpn ipsec phase1-interface
    edit "Administrative"
        set interface "wwan"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set localid "{{fgt-sn}}"
        set dhgrp 19 18 17
        set remote-gw <HQ_IP_address>
        set psksecret <PSK>
    next
end
config vpn ipsec phase2-interface
    edit "Administrative"
        set phase1name "Administrative"
        set proposal aes256-sha256 aes256gcm chacha20poly1305
        set dhgrp 19 18 17
        set auto-negotiate enable
    next
end
config firewall policy
    edit 0
        set name "Admin->Admin"
        set srcintf "Administrative"
        set dstintf "Administrative"
        set action accept
        set srcaddr "none"
        set dstaddr "none"
        set schedule "always"
        set service "ALL"
        set comments "Policy needed to start the administrative VPN"
    next
end
config router static
    edit 0
        set dst <HQ_IP_address> 255.255.255.255
        set device "wwan"
        set dynamic-gateway enable
    next
    edit 0
        set dst {{fmg-ip}} 255.255.255.255
        set device "Administrative"
    next
end
config system central-management
    set type fortimanager
    set allow-remote-lte-firmware-upgrade enable
    set serial-number "{{fmg-sn}}"
    set fmg "{{fmg-ip}}"
end
```
I found some information about VPNs disappearing, but none of the cases were exactly like mine. Is this a known bug in version 7.2.11? Should I upgrade to 7.4?
Thanks!
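A check for the failure described in the post above, as an added example that is not part of the original thread: it compares a last-known-good FortiGate backup with one taken after the outage and lists each missing phase1 tunnel together with the policies and routes that were lost with it. The sample backups, the entry IDs and the 192.0.2.20 address are constructed, and `parse` and `lost_tunnels` are hypothetical helper names.

```python
# Constructed backups (not from the thread): last known good vs. after the outage.
BEFORE = "\n".join([
    'config vpn ipsec phase1-interface', 'edit "Administrative"', 'next', 'end',
    'config firewall policy', 'edit 1', 'set srcintf "Administrative"', 'next', 'end',
    'config router static', 'edit 2', 'set device "Administrative"', 'next', 'end',
    'config system central-management', 'set fmg "192.0.2.20"', 'end'])
AFTER = "\n".join(['config system central-management', 'set fmg "192.0.2.20"', 'end'])
REF_KEYS = ("srcintf", "dstintf", "device", "phase1name")  # settings that name a tunnel
P1 = "vpn ipsec phase1-interface"

def parse(text):
    """Return {section: {entry_id: {key: value}}} for top-level config blocks."""
    out, section, entry, depth = {}, None, "", 0
    for line in map(str.strip, text.splitlines()):
        verb, _, rest = line.partition(" ")
        if verb == "config":
            depth += 1
            if depth == 1:
                section, entry = rest, ""
                out[section] = {}
        elif verb == "end":
            depth -= 1
        elif depth != 1:
            continue  # ignore nested sub-tables and anything outside a block
        elif verb == "edit":
            entry = rest.strip('"')
            out[section][entry] = {}
        elif verb == "next":
            entry = ""
        elif verb == "set":
            key, _, val = rest.partition(" ")
            out[section].setdefault(entry, {})[key] = val.replace('"', "")
    return out

def lost_tunnels(before, after):
    """Map each phase1 tunnel missing from `after` to the lost objects that referenced it."""
    old, new = parse(before), parse(after)
    report = {}
    for name in sorted(set(old.get(P1, {})) - set(new.get(P1, {}))):
        report[name] = sorted(
            f"{sec} edit {eid}"
            for sec, entries in old.items() for eid, cfg in entries.items()
            if eid not in new.get(sec, {})
            and any(name in cfg.get(k, "").split() for k in REF_KEYS))
    return report

if __name__ == "__main__":
    print(lost_tunnels(BEFORE, AFTER))
```

Run against scheduled backups, an empty result means every tunnel in the earlier backup is still present in the later one.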
Hi @mcegielka
I am Bill from Fortinet. I would like to reproduce the issue in my lab. Could you please share the full configuration of the FortiGate with me through the official email bhoang@fortinet.com?
Thank you
Bill
Updated a 40F over an hour ago. Early, but good so far. Memory usage running at 64-65%. Used to stay at 67-68% while on 7.2.10 except signature updates would push into conserve/critical status. Will see how overnight goes.
Hi @BillH_FTNT, I sent you the configuration by email, thank you for this.
@wokulbo1 We do not have licenses for UTM features, as we use these FG40 only for IPSec and SD-WAN and I did not observe any problems with memory on them.
We are observing this behavior, config loss on the 40F; apparently it is linked to many memory errors (extreme low memory mode). Run this KB and see if it solves it. Our FGTs in this scenario are under observation. Change your ISDB database to on demand, and perform these steps. From this KB, I recommend not customizing session time and TTL; it is not necessary. With topics 1, 7, 9, 10 and 12 we have a 7% memory gain; check your CPU after this adjustment. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Low-end-FortiGate-models-with-RAM-2GB-ente...
Hi @NetworkR4,
Thank you for your answer. We haven't noticed any problems with lack of free memory. Fortunately, we have not had any new cases of configuration loss to date. I suspect these might have been one-off events due to me using FortiZTP to deprovision Fortigates from FortiCloud and provision them to FortiManager-VM on-site.