Yngve0
New Contributor II

Migrating Configuration and Policies

Our HQ has a single FG200B which we plan to replace with 2x HA FG200D. Both are running 5.0.9.

 

I have also installed FortiManager (5.0.9) and connected both devices to FMG, and I want to use FMG to migrate / move configuration and Policies between the devices.

 

I have long experience with FortiGate, but FMG is unknown to me.

 

But it seems not to be as straightforward as I wished:

1) I can't find any way to migrate the (virtual) interfaces, zones and their IP configuration. Is it correct that this must be configured manually on the new device in advance and that FMG can only migrate the policies?

2) Could VPNs and routing be migrated as well?

3) Is it best if the configuration is migrated to one standalone instance of FG200D and the HA cluster set up afterward, or should the cluster be established first?

4) Is there anything here that may be easier if I upgrade all units and FMG to 5.2.x first?

Are there any how-tos which describe the workflow for this operation?

 

 

5 REPLIES 5
Dave_Hall
Honored Contributor

Personally, I'd go with #3. There's not much to do in converting a 200B config to a 200D config:

  1. Make sure both units are on the same firmware level codebase
  2. Make backup (unencrypted) copies of both the 200B and 200D unit configs
  3. Copy/paste the first line of the 200D config over the first line in the 200B config
  4. Load the edited 200B config into the 200D
  5. After the 200D reboots, perform a "diagnose debug config-error-log read" at the CLI
  6. [strike]Copy your "WAN" port setting to the real WAN1 interface on the 200D[/strike]

    [strike]Of course, I am assuming the 200D will automatically recreate the WAN port settings if it doesn't find them in the config file.[/strike]

     

    BTW this topic does come up once in a while -- use the search function to check out the other posts.

     

     

    NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
    Yngve0
    New Contributor II

    Thanks Dave.

     

    I am aware of the search & replace in the config file and have done it a couple of times. But I had the impression that FortiManager was able to do this in a more elegant (and supported?) way?

     

    Yngve

    Dave_Hall
    Honored Contributor

    The FortiManager option would be best and ideal if you already have it set up/configured; I recall someone here on the forums posted some info but didn't go into that much detail. See Sean Toomey's post regarding device/policy objects in FortiManager.

     

    Fortinet has published their own semi-official (unsupported) guide on how to migrate one config from one unit to another that doesn't use a FortiManager, which is located here or the older KB article here.

     

    The method outlined in the KB article is what some of us have been using for years.

     

    I sorta jumped the gun on my reply above.  If you want to do a "proper" migration, between step 3 and 4 do the following:

     

    3A perform a search/replace of your "WAN" port references to "wan1" (careful not to replace the port under the config system interface section)

    3B edit the config system interface section to include a new WAN1 interface, e.g.

        edit "wan1"
            set vdom "root"
            set mode dhcp
            set allowaccess ping https ssh fgfm
            set type physical
            set defaultgw enable
        next

     

    Save the edited 200B config and try restoring that on the 200D.  Perform a "diagnose debug config-error-log read" on the CLI to check for any config errors.

     

    If you want to go the extra mile, use a text comparison tool like WinMerge to compare the original 200B config against the edited one loaded into the 200D.

     

    NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
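
Steps 3 and 3A from the posts above (swap the header line, then rename "WAN" references to "wan1" everywhere except the config system interface section), as an added Python example that is not part of the original posts or of Fortinet's guide. The sample config and the build strings in both headers are constructed; step 3B, adding the new wan1 interface, remains a manual edit.

```python
# Constructed sample backup (not from the thread); real backups are far longer.
OLD_200B = '''#config-version=FG200B-5.00-FW-build0000-000000:opmode=0:vdom=0
config system interface
    edit "WAN"
        set vdom "root"
        set mode dhcp
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "WAN"
    next
end
config router static
    edit 1
        set device "WAN"
    next
end
'''
NEW_200D_HEADER = "#config-version=FG200D-5.00-FW-build0000-000000:opmode=0:vdom=0"

def migrate(old_cfg, new_header, old_port="WAN", new_port="wan1"):
    """Return (new_config, changed_line_numbers) for steps 3 and 3A."""
    lines = old_cfg.splitlines()
    if not lines or not lines[0].startswith("#config-version="):
        raise ValueError("first line is not a #config-version header")
    out, changed = [new_header], []        # step 3: header of the target unit
    depth, iface_depth = 0, None           # iface_depth: nesting level where the section opened
    token = '"%s"' % old_port              # quoted match, so "WAN_backup" is left alone
    for n, line in enumerate(lines[1:], start=2):
        word = line.strip()
        if word.startswith("config "):
            if word == "config system interface" and iface_depth is None:
                iface_depth = depth
            depth += 1
        elif word == "end":
            depth -= 1
        if iface_depth is None and token in line:   # step 3A, outside the section
            line = line.replace(token, '"%s"' % new_port)
            changed.append(n)
        if word == "end" and depth == iface_depth:  # interface section closed
            iface_depth = None
        out.append(line)
    return "\n".join(out) + "\n", changed

if __name__ == "__main__":
    print(migrate(OLD_200B, NEW_200D_HEADER)[1])  # line numbers to review in a diff
```

The returned line numbers give a short list to check against the text comparison and the config-error-log output after the restore.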

    Yngve0
    New Contributor II

    Thanks 

    I find it strange that Fortigate doesn't offer any tool for complete configuration migration. If I want to migrate between different brands there are several tools that will help me. If I stay loyal to Fortinet, I am more or less on my own.

     

    It is also surprising that this is not a function in FortiManager.

    garyxd
    New Contributor

    FortiConverter supports Fortinet to Fortinet config migration.

     

    I think there is an example of migrating FortiGates in the FortiManager training course documentation.
