In FortiGate firewalls, commands are pushed down automatically (at least in the GUI).
Q1 Is there a way to "undo" changes you have done?
Q2 Is there a way to see "changes" and then choose to "commit" them like cisco and palo alto?
With regards to syncing HA,
Q3 How do I check using cli why 2 members cannot sync?
Q4 what are the command lines to break down as well as to force 2 members to sync?
Hi there,
Regarding your first question, yes, there is an option to wait until you 'commit' a transaction, like other vendors.
It's referred to as 'workspace' mode. You need to turn it on first.
execute config-transaction start
Once in workspace mode, the administrator can make configuration changes, all of which are made in a local CLI process that is not viewable by other processes.
execute config-transaction commit
After performing the commit, the changes are available for all other processes, and are also made in the kernel.
execute config-transaction abort
If changes are aborted, no changes are made to the current configuration or the kernel.
See here:
https://docs.fortinet.com/document/fortigate/6.2.0/new-features/688647/workspace-mode
Regards,
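To make the three transaction commands above concrete, here is an added example session (not from the thread or from Fortinet's documentation) showing how a change made inside a workspace-mode transaction stays private until it is committed, and how it can be thrown away with abort. Lines beginning with '#' are annotations, not CLI input; the policy ID 99 and the interface and service names are constructed placeholders.

```fortios
# Added example: workspace-mode transaction on a FortiGate CLI.
# '#' lines are annotations. Policy ID 99, port1/port2 and "tmp-allow-dns"
# are constructed placeholders, not values from the thread.

FGT # execute config-transaction start

# Everything from here on is made in this CLI session's private copy of the
# configuration; other admin sessions and the kernel do not see it yet.
FGT # config firewall policy
FGT (policy) # edit 99
FGT (99) # set name "tmp-allow-dns"
FGT (99) # set srcintf "port2"
FGT (99) # set dstintf "port1"
FGT (99) # set srcaddr "all"
FGT (99) # set dstaddr "all"
FGT (99) # set service "DNS"
FGT (99) # set schedule "always"
FGT (99) # set action accept

# Review the object before leaving it; 'next'/'end' write it into the
# transaction, 'abort' at this level would drop just this object's edits.
FGT (99) # show
FGT (99) # next
FGT (policy) # end

# Decision point. Either discard everything done since 'start' ...
FGT # execute config-transaction abort

# ... or (instead of abort) make the whole pending set live for every
# process and the kernel in one step.
FGT # execute config-transaction commit
```

The two closing commands are alternatives: a session ends with exactly one of them. The practical value is that the review happens against the complete set of pending changes rather than object by object, which is the closest FortiOS gets to the Cisco and Palo Alto candidate-configuration model the question asks about.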
In addition to the workspace mode Mark mentioned, this behavior is present in FortiGate CLI by default:
- if you make changes via CLI, the changes are only committed when you exit that particular configuration with 'next' or 'end'
-> while you are still in the particular object you've configured, changes are not live yet
-> you can review the current configuration with 'show' before leaving the object and committing the change
- you can also exit an object with 'abort'; this will discard any changes you made instead of committing them as 'next' or 'end' would
All of this is for CLI though; for GUI the changes are only committed if you click on 'Okay', 'Apply' or similar.
Regarding undoing changes: there is no easy undo button. You can set the FortiGate to generate periodic revisions (if it has a disk, or is managed by FortiManager/FortiCloud) that you can revert to: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-save-and-restore-configuration-chan...
You can also set up a scheduled backup to run every day, and could revert to an older configuration that way, but this would trigger a reboot.
You could also use FortiManager, as that will maintain a history of FortiGate configuration revisions, you can make changes to policies etc and review them before pushing out to FortiGate directly. If you have several FortiGates to look after, this might be a solution to pursue.
Regarding your HA questions:
- KB on how to troubleshoot HA sync issues: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-HA-synchronization-issue-cluster-out...
- KB on investigating checksum mismatch specifically: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshooting-a-checksum-mismatch-in-a-F...
- KB for forcing synchronization: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Procedure-for-HA-manual-synchronization/ta...
I don't think we have any documentation for breaking HA sync; you could break down the HA link by physically disconnecting the units or by changing the HA settings so that they mismatch each other, but that would likely result in a split-brain scenario (each unit assuming it's the primary).
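The KB links above are the authoritative procedures; as an added illustration (not from the thread or the KB articles), the following is the order in which the checks are usually run on the primary unit when two members report out-of-sync: confirm the cluster state, compare per-member configuration checksums, narrow the mismatch to a table, and only then force a resync. Serial numbers, checksum values and the abbreviated output shown are constructed placeholders, not real device output.

```fortios
# Added example: diagnosing and forcing HA configuration sync, run on the
# primary. '#' lines are annotations; all output below is constructed and
# abbreviated, serial numbers FGVM0000000000001/2 are placeholders.

# 1. Cluster overview: is every member present, and which one is out of sync?
FGT # get system ha status
#   ...
#   Configuration Status:
#       FGVM0000000000001(updated 1 seconds ago): in-sync
#       FGVM0000000000002(updated 3 seconds ago): out-of-sync

# 2. Side-by-side checksums from every member. The 'all' line must match;
#    the first differing table (global, root, or another VDOM) is where to look.
FGT # diagnose sys ha checksum cluster
#   ================== FGVM0000000000001 ==================
#   checksum
#   global: 1a 2b 3c ... (constructed)
#   root:   4d 5e 6f ... (constructed)
#   all:    7a 8b 9c ... (constructed)
#   ================== FGVM0000000000002 ==================
#   checksum
#   global: 1a 2b 3c ... (constructed)   <- matches
#   root:   ff 00 11 ... (constructed)   <- differs: mismatch is in VDOM root
#   all:    de ad be ... (constructed)

# 3. Per-object checksums for the differing table, on each unit, to find the
#    exact configuration object that is not identical.
FGT # diagnose sys ha checksum show root

# 4. Watch the sync daemon while it retries, then turn debugging off again.
FGT # diagnose debug application hasync -1
FGT # diagnose debug enable
#   ... (sync messages; look for the object or error named here)
FGT # diagnose debug disable
FGT # diagnose debug reset

# 5. After correcting the object, force a synchronisation from the primary.
FGT # execute ha synchronize start

# 6. If the checksums still disagree although the configurations look
#    identical, have the unit recompute its checksums.
FGT # diagnose sys ha checksum recalculate
```

Step 2 is the one that answers "why" rather than "whether": the member whose table checksum deviates is the one carrying the divergent object, and step 3 on both units shows which object it is. Forcing a sync (step 5) without that diagnosis only repeats the failure if the cause is something sync does not copy, such as a mismatched firmware build or a per-unit setting.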
Understand thank you.
So for GUI, I cannot redo the changes unless I do a restore of a previous version?
In Palo Alto, for GUI, I can review my changes and only click "commit" when I am satisfied.
Hey Network_Engineer,
essentially correct; on FortiGate you can scroll over the GUI page again and see what you set, and the changes will be committed if you click 'Okay' or 'Apply', but there is no separate validation step that I'm aware of.
Really wish FortiGate had a "commit confirmed <timeDelay>" feature of some sort. Even on a good day, you can mess something up unintentionally ... would be nice to do the equivalent of "commit confirmed 30", which then makes you do a commit after the fact. After that 30 (seconds) is up ... if you don't commit, it discards changes.
FortiManager can do this. If the connection to FMG remains down for a period of time after pushing the config changes, it will revert to last known good config.