I have an existing FGT 200E (Standalone). I just purchased 2 new FGT 200Fs. I would like to add the new FGT pair to the existing network, and slowly move each FortiSwitch and FortiAP from being managed by the 200E over to being managed by the new 200F pair. How do I go about adding the new FGTs to the network, and slowly move each device's mgmt over to the new FGTs? Here is my topology. Everything in the diagram is existing EXCEPT for the new FGT pair and 1024E switches they connect to. Those are still in a box waiting to be deployed based on the direction I get here in this post.
It is mainly by copying the content of "config switch-controller managed-switch", and any other customized config under "config switch-controller *".
Old FG and new FG should have the same firmware version, and once config migration is done then you can upgrade the firmware of the new one to the recommended version.
Also check this.
Hope it helps.
Hi,
Set Up New FGTs: Connect and configure management IPs for the FGT 200Fs.
Optional HA Setup: If needed, configure HA between the FGT 200Fs.
Migrate FortiSwitches:
Change each FortiSwitch's management to the new FGT 200F.
Verify configuration and test functionality.
Migrate FortiAPs:
Change each FortiAP's management to the new FGT 200F.
Verify configuration and test functionality.
Monitor: Ensure all devices operate correctly under the new management.
Decommission Old FGT: Consider removing the old FGT 200E once migration is complete.
Document Changes: Keep records and back up configurations.
How do I do this:
"Change each FortiSwitch's management to the new FGT 200F.
Verify configuration and test functionality."
And, can I have both firewalls managing different switches at the same time? Also, how do I do this:
"Change each FortiAP's management to the new FGT 200F.
Verify configuration and test functionality."
Hello,
To migrate Forti Switch from old FW to new FW
I would be more concerned about the internet/wan side on the new FGT. To migrate the LAN side step-by-step, both FGTs need to have at least one internet/wan connection. You might be running SD-WAN on the current FGT. But the purpose of those three circuits is the same, I would move at least one of them to the new FGT, so that you can simply copy the wan side config as well as policies toward the internet to the new FGT. The wan interfaces for the circuits left on the current FGT would just stay down.
You don't want to create special path/policies to route the internet traffic from the new FGT back to the current FGT, which need to be removed at the end with some downtime.
Toshi
Copyright 2025 Fortinet, Inc. All Rights Reserved.