Hello,
Hopefully someone can help me out here. We're experiencing troubles with a 100D firewall. The power went off and the firewall didn't boot anymore. So we rushed to get a new one, the only model available was a Fortigate 60E but the supplier guaranteed us we could migrate the config 1:1. Guess what; didn't work. Lots and lots of errors.
Now we're facing a couple problems;
1. The 60E has other (less) interfaces
2. The firmware on this 60E is 5.6 and the 100D was 5.2
3. We can't login to download software because we're in the middle of a company take-over (accounts are nowhere to find)
4. Lots of errors coming if we try to insert the config.
I think I got it almost working as it should. We've spent hours to modify the 5.2 config to fit in 5.6 but still I'm receiving some errors, VPNs won't show and policies won't show. But interfaces are made with correct IP addresses, VPNs are visible in the "network>interfaces" but not at IPSec VPN tunnels page.
Some of the error output I've got;
>>> "set" "gui-ips" "enable" @ 20:global.system.global:command parse error (error -61)
>>> "set" "gui-vulnerability-scan" "enable" @ 21:global.system.global:command parse error (error -61)
>>> "set" "internal-switch-mode" "interface" @ 23:global.system.global:command parse error (error -61)
>>> "set" "virtual-switch-vlan" "enable" @ 28:global.system.global:command parse error (error -61)
>>> "set" "wanoptgrp" "read-write" @ 43:global.system.accprofile.prof_admin:command parse error (error -61)
>>> "next" @ 96:global.system.interface.mgmt:failed command (error 1)
>>> "next" @ 100:global.system.interface.ha1:failed command (error 1)
>>> "next" @ 104:global.system.interface.ha2:failed command (error 1)
>>> "set" "type" "aggregate" @ 139:global.system.interface.channel-LAN:failed command (error -160)
>>> "set" "member" "internal1" "internal2" @ 140:global.system.interface.channel-LAN:command parse error (error -61)
>>> "next" @ 142:global.system.interface.channel-LAN:failed command (error 1)
>>> "set" "type" "aggregate" @ 145:global.system.interface.channel-WAN:failed command (error -160)
>>> "set" "member" "internal3" "internal4" @ 146:global.system.interface.channel-WAN:command parse error (error -61)
>>> "next" @ 148:global.system.interface.channel-WAN:failed command (error 1)
This is it, partially. But I think we'll solve a lot by solving the first errors like these ones; (there are way more errors but I think these are the most important to fix right now)
>>> "set" "gui-ips" "enable" @ 20:global.system.global:command parse error (error -61)
>>> "set" "gui-vulnerability-scan" "enable" @ 21:global.system.global:command parse error (error -61)
>>> "set" "internal-switch-mode" "interface" @ 23:global.system.global:command parse error (error -61)
>>> "set" "virtual-switch-vlan" "enable" @ 28:global.system.global:command parse error (error -61)
>>> "set" "wanoptgrp" "read-write" @ 43:global.system.accprofile.prof_admin:command parse error (error -61)
I've been looking for the "set virtual-switch-vlan enable", I found that it is removed after (or within) FortiOS 5.4 but I can't find any equivalent for it. Also "internal-switch-mode interface" isn't working. The 5.6 CLI just doesn't have the option. Also here I can't find an equivalent.
We also tried the Forti Converter to convert 5.2 config in 5.4 (max version in the converter), it helped quite a lot with the VDOM configuration, there's 1 extra VDOM besides root.
Could anyone help me out with these errors? At this moment the 100D is (luckily) back but very very unstable, I can't even log in to the web interface, I am able to connect to it with SSH but if I do a show full-configuration, I only get 1 block of configuration and then it's black. See image;
I can enter or hit spacebar as much as I like but there's only black. It really hangs right now and we're afraid it will die any second. Seems like one of the disks is broken.
What would you recommend me to do? Downgrade the 60E to 5.2? And if so, where to get the firmware without an account, we don't have one at the moment as stated above. Or is anyone able to help me with these errors? There are a lot more but I think a lot will disappear when I fixed the upper section because the errors are linked with each other.
Thanks in advance for any response. If you need more info just ask, I'll try my best to get it.
I'm not very familiar with the FortiOS CLI, I'm used to ASA but I'll find my way :p
Thanks again.
Hi meieltsPTX,
I'm afraid I have bad news. According to this document you cannot configure aggregate interfaces in entry level models (below 100) and I see that you have it in the 100D config. Same for the vlan switch. This is true for previous OS versions also (at least 5.2 and 5.4 that I know)
So probably you'll need change of topology to migrate to 60E ...
jpp wrote:
Hi meieltsPTX,
I'm afraid I have bad news. According to this document you cannot configure aggregate interfaces in entry level models (below 100) and I see that you have it in the 100D config. Same for the vlan switch. This is true for previous OS versions also (at least 5.2 and 5.4 that I know)
So probably you'll need change of topology to migrate to 60E ...
This is correct. Your entire topography has to be altered to make this work. We've had to rebuild from scratch when there is this significant of a downgrade.
Also, why move to the 60E when you have a 100D? Also, I don't recommend 5.6 FW, stick with the more matured 5.4 series.
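Added example, not part of any post in this thread: a Python script that parses the restore errors quoted in the first post and groups them by config object, separating entries whose closing "next" failed from paths where only single "set" lines were rejected. Reading a failed "next" as "entry not saved" is an assumption, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Restore-error lines copied from the first post (a subset).
SAMPLE = '''\
>>> "set" "gui-ips" "enable" @ 20:global.system.global:command parse error (error -61)
>>> "set" "internal-switch-mode" "interface" @ 23:global.system.global:command parse error (error -61)
>>> "next" @ 96:global.system.interface.mgmt:failed command (error 1)
>>> "set" "type" "aggregate" @ 139:global.system.interface.channel-LAN:failed command (error -160)
>>> "set" "member" "internal1" "internal2" @ 140:global.system.interface.channel-LAN:command parse error (error -61)
>>> "next" @ 142:global.system.interface.channel-LAN:failed command (error 1)
'''

LINE_RE = re.compile(
    r'^>>>\s+(?P<cmd>(?:"[^"]*"\s+)+)@\s+(?P<line>\d+):'
    r'(?P<path>[^:]+):(?P<msg>.+?)\s+\(error\s+(?P<code>-?\d+)\)\s*$'
)

def parse_errors(text):
    """Return one dict per error line; lines that do not match are skipped."""
    errors = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            errors.append(dict(
                tokens=re.findall(r'"([^"]*)"', m["cmd"]), line=int(m["line"]),
                path=m["path"], msg=m["msg"], code=int(m["code"])))
    return errors

def triage(errors):
    """Split config paths into entries whose closing "next" failed and
    paths where only individual "set" lines were rejected."""
    by_path = defaultdict(list)
    for e in errors:
        by_path[e["path"]].append(e)
    dropped, partial = {}, {}
    for path, errs in by_path.items():
        sets = [" ".join(e["tokens"]) for e in errs if e["tokens"][0] != "next"]
        if any(e["tokens"][0] == "next" for e in errs):
            dropped[path] = sets   # assumption: the entry was not saved
        else:
            partial[path] = sets
    return dropped, partial

if __name__ == "__main__":
    labels = ("entry not saved", "settings rejected")
    for label, group in zip(labels, triage(parse_errors(SAMPLE))):
        for path, sets in group.items():
            print(f"{label}: {path} {sets}")
```

On the sample, channel-LAN lands in the first group together with its rejected "set type aggregate" and "set member" lines, which are the aggregate-interface settings the replies point to.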