Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Transfer a FortiGate configuration file to a n...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Transfer a FortiGate configuration file to a new FortiGate unit of a different model
Hi to Everyone,
We have an old Fortigate 200A and bought a new Model 100d. We exported the Config File from the 200A, edit the headers and Importing the .cfg to the 100d. It was necessary the Rename the Interfaces to.
The Problem is now, many of the commands are no longer Supported in IOS 5. The 200A have IOS4.
Downgrad on 100d to not Supported, Upgrad 200A not Supported. :-(
Fortinet says, we can try to Upgrade the 200A, but this is no way for us, the Firewall is in productive.
How we can handle this to export all configs from the 200A to 100d?
Edit all Step by Step for each Rule and etc. be an Headcracking Job....
We have a lot of Policies, Rules and other things in the .cfg.
Did somebody had the same Problem or any Solution for this.
Thanks in Advance
Regards from Germany - Munich
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is no easy way unfortunately.
Aside from manually editing the config which is risky, the only thing I can think of is to use a FortiManager to import the current policy set from the 200A, then using the FMG install onto the 100D.
This would still require you to manually configure the interfaces & other system settings on the 100D, but it would allow an "automated" policy transfer.
We purchased a FMG-VM and in the last 6 months we have performed several hardware upgrades using it; we have done two 1240B -> 1500D HA cluster upgrades without issue (both upgrades were on clusters with 1000+ policies), we've also upgraded our 621B HA Cluster to 1240B's without issues.
Be aware, the unlicensed FortiManager-VM is restricted in the number of devices/vdom's it can handle. If you're using more than two vdom's on your 200A you'll have issues. There may be other restrictions that may stop this from working.
Regards,
Matthew
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
While migrating from 4.3 to 5.X is ideal, you can go in reverse one step (then go forward a step or two) by 1) downgrading the 100D to 4.3.18 (aka 4.3 MR3 patch 18), then 2) load the edited 100A config onto this 100D, then 3) upgrade the 100D to firmware 5.x.
Checking the later 4.3.x firmwares, I see the 100D is supported, though there is a CSB (CSB-141117-1) that stipulates 4th Gen 100Ds are only supported on 4.3.18.
I don't have access to a 100D, but I assume the lower 8 ports are (by default) labelled "switch". If the internal ports on the 200A are labelled internal -- you can just rename it to switch (on the edited config) before loading it into the 100D.
On each stage of the firmware upgrade, perform a "diag debug config-error-log read" on the CLI to see if there are any errors in the config.
Edit: I'm assuming of course, the original config on the 200A is set to switch mode (not interface mode).
Edit2: Also assuming the 200A is on/near 4.3.18.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
ok, i will try it out. I hope this works fine for us.
Thanks for Help, i give you an feedback!!
Regards, Nice Sunday
Xris76
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
at last i can tell the migration of the config files now works for us. we bougt a 200a from ebay for 99€.
I downgraded the 100d to os4 and import the config file, edit the interfaces from the old config, edit the header from the config file, upgraded to os5, and it works fine. il test it at the evening in our produktion enviroment. Mails ok, webcontentfilter ok, vpn ok.
the same procedure works with 200a with a config file from 100a, import then to 100d .-)
Regards
Xris76
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks this is good to know.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same here just did and that's what we did exactly, We downgrade to a 4.3.X move the policies, IPS signatures, proof all and then upgraded the units following the suggested upgrade path to 5.0.9. It didn't take but maybe 42mins tops with carefully planning.
It's really not that hard, just make sure you break the config down and do it in section and becareful of any dhcp configuration details.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have several times earlier migrated configuration between models successfully with use of notepad & search/replace on interface names. Just ensured that the firmwarebuild is the same and changed the header to one matching the new unit.
Lately I have tried the same approach twice; First between 200B to 200D and secong between 60C and 60D. Both failed with response: "Bad license" and the configuration is garbage.
Anyone who have the same experience? I have noticed that the buildnumber for firmwareversions on the "D"-models does not match older model, but that should not be a issue?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yngve Øines wrote:Lately I have tried the same approach twice; First between 200B to 200D and secong between 60C and 60D. Both failed with response: "Bad license" and the configuration is garbage.
Anyone who have the same experience? I have noticed that the buildnumber for firmwareversions on the "D"-models does not match older model, but that should not be a issue?
I haven't encountered this error myself. But mind you, I have rebuilt our base 5.0 configs from scratch rather than migrate over from 4.3, then I have used WinMerge to compare differences, making tweaks/adjustments and used "diagnose debug config-error-log read" to make sure there were no errors when I have loaded them. Only real noticeable differences that I could tell is the 200D has WAN ports, hardware switch config def, and a HDD config def.
But if I was tasked to migrating a 200B config over to the 200D (both on same/similar firmware), I would likely take the existing 200B config, rename the designate WAN port (port16 in my case) to WAN1 and use WinMerge to migrate the appropriate settings over to a clean/factory reset 200D config (keeping the 200D headers of course).
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I never seen this, if you go section by section starting with sys admin, sys interface, address/addrgroup, dhcp and last firewall policies. Basically follow the sequence in your cut/paste as how the firewall config looks and you should be able to move the stuff around.
You mind need to find and replace if you have port-name differences ( i.e port1 vrs internal1 ). I've probably have done a near hundred of these firewall migrations and they are all simple. But there's no simple process like 1 2 3 done. Just take you time.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- [Help] SD-WAN with BGP on Loopback... 173 Views
- Fortigate Rugged 60F unable to HA... 69 Views
- Fortigate not showing Deny logs 321 Views
- Traffic Shaping Configuration Issue Affecting ... 58 Views
- Forticlient SAML Authentication timeout 162 Views
Labels
-
FortiGate
8,465 -
FortiClient
1,713 -
5.2
801 -
FortiManager
712 -
5.4
639 -
FortiAnalyzer
547 -
FortiAP
457 -
FortiSwitch
456 -
6.0
416 -
FortiClient EMS
407 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
220 -
FortiWeb
199 -
5.0
196 -
IPsec
186 -
FortiNAC
176 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
70 -
4.0MR3
64 -
FortiProxy
59 -
FortiADC
53 -
Fortivoice
52 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
44 -
FortiSandbox
43 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
FortiSOAR
13 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1660 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.