Don_Draper
New Contributor

How to upload configuration to Fortigate from console?

Newbie here who has gotten myself in trouble. We have 2 Fortigates, a 200-A (in production) and a 200A-HD (offline), both on MR6 P3. My ultimate goal is to use the extra offline unit to get it upgraded to MR7 P5, test it and swap the units so the other unit can also be upgraded to the same level. Both units have simple configurations with minimal FW policies using VIPs to translate internal to public IPs.

As my first step, I saved the configuration on the production unit and loaded it into the offline unit but then could not access the offline unit anymore using Web access. Using the console, I could see that even the name and serial numbers were copied to the new unit so I think perhaps the header values should have been edited first. I was able to use the CLI and hyperterm to change the internal and wan1 IPs to be different from the production one. However, my problem now is that I cannot access it from either the WAN or the internal side using a browser. My only access is by the console and CLI, of which I have used very little. There are no trustedhost settings on the admin login so I am lost as to why I suddenly cannot access the unit from either port.

My question - Is there a way to upload a new configuration file using the CLI? Can the USB port be used for this? (A FortiUSB was mentioned in the KB but not much else and does not appear to be a standard USB device.) Or would it be easier to set it to factory defaults and start over that way? I want to try editing the header values in the config file before loading into the second unit in case that is related to the problem. Is this something that I need to just get support on the phone to help me? :)

Any assistance would be appreciated along with any advice on how best to copy the config from one unit to another. They are both currently on the same FW revision. Thanks so much.
Don Draper
rwpatterson
Valued Contributor III

Since you have time and the unit is not production, I would reset to factory, and try the install again. From the CLI, get the interface addresses set and the gateway. After you get back into the unit, make a backup of the production unit, swap the first three lines with the backup unit's config file and restore into the backup. Skip the CLI altogether. Also change the IP address(es) in the config file, so you don't have to pull the plug when it comes back online. Hope that helps...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Don_Draper
New Contributor

Thanks Bob. That really helps and makes sense. Take a look here at this KB article: http://kc.forticare.com/default.asp?SID=&Lang=1&id=3856

It's just darn amazing what you can learn poking around in the KB. Looks like this January 2009 KB article may be what prevented me from accessing the interfaces. When I export the config from the working (production) unit, it is setting both the admin-server-cert and user-server-cert to "Fortinet_Factory"! The standby unit configs say "self-sign". I am going to change these back to self-sign before I import and see if that works. Maybe I can change these via the CLI and get back in via HTTPS.

In my SSLVPN Config Settings, I have the "Self-Signed" option selected and the following options are in my drop-down list:

Self-Signed
Factory_Fortinet
Factory_Firmware
Factory_Local

Looks like somewhere in the firmware Factory_Fortinet was instead recorded as Fortinet_Factory when saving a config via the web interface. Thanks again!
Don Draper
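
The config edit discussed in the two posts above (keep the standby unit's first three lines, take the body from the production backup, set the two certificate settings back to "self-sign", change the interface address), as an added Python example that is not code from the thread's participants or from Fortinet. The name `prepare_config`, the placeholder header lines and the sample addresses are assumptions; only the setting names and values quoted in the thread are taken from the page.

```python
import re

HEADER_LINES = 3  # the reply above says the first three lines belong to the unit
CERT_KEYS = ("admin-server-cert", "user-server-cert")  # settings named in the thread

# Constructed sample backups: header lines are placeholders and addresses are
# documentation ranges, not values from a real FortiGate.
PROD_CFG = """#HEADER-PLACEHOLDER-1 production
#HEADER-PLACEHOLDER-2 production
#HEADER-PLACEHOLDER-3 production
config system global
    set admin-server-cert "Fortinet_Factory"
    set user-server-cert "Fortinet_Factory"
end
config system interface
    edit "internal"
        set ip 192.0.2.1 255.255.255.0
    next
end
"""
STANDBY_CFG = "".join(f"#HEADER-PLACEHOLDER-{i} standby\n" for i in (1, 2, 3))

CERT_RE = re.compile(r'^(\s*set (?:%s) )"?([^"\s]+)"?\s*$' % "|".join(CERT_KEYS))
IP_RE = re.compile(r"^(\s*set ip )(\S+)( \S+\s*)$")

def prepare_config(prod, standby, ip_map, cert_value="self-sign"):
    """Return (new_config, changes): production body under the standby header."""
    prod_lines, standby_lines = prod.splitlines(), standby.splitlines()
    if min(len(prod_lines), len(standby_lines)) < HEADER_LINES:
        raise ValueError("config shorter than the expected header")
    out, changes = standby_lines[:HEADER_LINES], []
    for lineno, line in enumerate(prod_lines[HEADER_LINES:], HEADER_LINES + 1):
        cert, ip = CERT_RE.match(line), IP_RE.match(line)
        new = line
        if cert and cert.group(2) != cert_value:
            new = f'{cert.group(1)}"{cert_value}"'      # certificate name reset
        elif ip and ip.group(2) in ip_map:
            new = f"{ip.group(1)}{ip_map[ip.group(2)]}{ip.group(3)}"  # address moved
        if new != line:
            changes.append((lineno, line.strip(), new.strip()))
        out.append(new)
    return "\n".join(out) + "\n", changes

if __name__ == "__main__":
    _, changes = prepare_config(PROD_CFG, STANDBY_CFG, {"192.0.2.1": "192.0.2.2"})
    for lineno, old, new in changes:
        print(f"line {lineno}: {old}  ->  {new}")
```

The returned change list doubles as a review record: every rewritten line is reported with its line number, so the file can be checked before it is restored onto the standby unit.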
rwpatterson
Valued Contributor III

You could always enable HTTP on the test box. No cert required....

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Don_Draper
New Contributor

Yep... will do that too. I was wondering if adding HTTP would circumvent the cert issue entirely and now I know. Looks like a trip back to the data center is in order. I actually have a working Fortigate with IPSec and SSL VPN thanks to help from this board. My skills are programming, not networks, so this is more of an accomplishment than it might be for most. I am sure once I get the firmware updated, I will be back with more issues. Thanks!
Don Draper