config validator for upgrades

Agent_1994 · ‎05-23-2017

Hello Forum!

Recently we upgraded a customer's Fortigate from 5.2.7 from 5.6.0, following the upgrade path. There was no problem except for a few address objects (wildcard fqdns) that, apparently, 5.2.x accepted and 5.6.x didn't. Because of this, some policies were not migrated.

Anyway, it isn't really the subject of this post... ¿Is there a kind of "config validator" to test these upgrades? Something that would say "Yo, this address object wont work on 5.6.0"

T.I.A,

FatalHalt · ‎05-23-2017

I'm not sure about a validator that you can run before the ugprade, but you can certainly run the command 'di de config-error-log read' after the upgrade and it should show you anything that didn't convert correctly.

You'll want to run that command between each step of an upgrade process.

Agent_1994 · ‎05-23-2017

Thanks, that will help a lot.

Toshi_Esumi · ‎05-23-2017

Wildcard FQDN wouldn't work as an address object, like source/destination addresses in a policy because it can't be translated to IP addresses. To me it was a sort of bug the previous versions which accepted this type.

emnoc · ‎05-23-2017

Also be sure to read configuration compatibility and known issues b4 any upgrades.

Recently we upgraded a customer's Fortigate from 5.2.7 from 5.6.0,

Since you said 5.2.x to 5.6.x the migration required you to go to at least v5.4.3 . As precaution I like to read the rls notes in the between versions of the origin and target versions.

Ken

PCNSE

NSE

StrongSwan

config validator for upgrades

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website