Support Forum
Network_Engineer

Is There a Commit Command

In fortigate firewall, commands are pushed down automatically. (at least in GUI)

 

Q1 Is there a way to "undo" changes you have done?

Q2 Is there a way to see "changes" and then choose to "commit" them like cisco and palo alto?

 

With regards to syncing HA,

Q3 How do I check using cli why 2 members cannot sync?

Q4 what are the command lines to break down as well as to force 2 members to sync?


mribbans_FTNT

Hi there,

 

Regarding your first questions, yes there is an option to wait until you 'commit' a transaction, like other vendors.

 

It's referred to as 'workspace' mode. You need to turn it on first.

 

To use workspace mode:
  1. Start workspace mode:

    execute config-transaction start

    Once in workspace mode, the administrator can make configuration changes, all of which are made in a local CLI process that is not viewable by other processes.

  2. Commit configuration changes:

    execute config-transaction commit

    After performing the commit, the changes are available for all other processes, and are also made in the kernel.

  3. Abort configuration changes:

    execute config-transaction abort

    If changes are aborted, no changes are made to the current configuration or the kernel.

 

See here:

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/688647/workspace-mode

 

Regards,

 

Mark Ribbans
Debbie_FTNT
Staff

In addition to the workspace mode Mark mentioned, this behavior is present in FortiGate CLI by default:
- if you make changes via CLI, the changes are only committed when you exit that particular configuration with 'next' or 'end'

-> while you are still in the particular object you've configured, changes are not live yet

-> you can review the current configuration with 'show' before leaving the object and committing the change

- you can also exit an object with 'abort'; this will discard any changes you made instead of committing them as 'next' or 'end' would

 

All of this is for CLI though; for GUI the changes are only committed if you click on 'Okay', 'Apply' or similar.

 

Regarding undoing changes - There is no easy undo button. You can set the FortiGate to generate periodic revisions (if it has a disk, or is managed by FortiManager/FortiCloud) that you can revert to: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-save-and-restore-configuration-chan...
You can also set up a scheduled backup to run every day, and could revert to an older configuration that way, but this would trigger a reboot.

 

You could also use FortiManager, as that will maintain a history of FortiGate configuration revisions, you can make changes to policies etc and review them before pushing out to FortiGate directly. If you have several FortiGates to look after, this might be a solution to pursue.

 

Regarding your HA questions:
- KB on how to troubleshoot HA sync issues: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-HA-synchronization-issue-cluster-out...
- KB on investigating checksum mismatch specifically: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshooting-a-checksum-mismatch-in-a-F...

- KB for forcing synchronization: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Procedure-for-HA-manual-synchronization/ta...

I don't think we have any documentation for breaking HA sync; you could break down the HA link by physically disconnecting the units or changing the HA settings so that they mismatch each other, but that would likely result in a split-brain scenario (each unit assuming it's the primary).

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
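The two commit models described in Mark's and Debbie's replies, shown as one added CLI session (not from either poster or from Fortinet's documentation). The prompt `FGT`, the `admintimeout` value and the VDOM-less setup are assumptions; `config system global` / `set admintimeout` are ordinary FortiOS commands used here only as a harmless edit to demonstrate the review/commit/abort paths:

```text
# --- Model 1: per-object commit (default CLI behaviour) ---
# Nothing is written until you leave the object with 'next' or 'end'.
FGT # config system global
FGT (global) # set admintimeout 30
FGT (global) # show            # review the pending value while still inside the object
config system global
    set admintimeout 30
end
FGT (global) # abort           # discard the pending change; 'end' would have committed it
FGT #

# --- Model 2: workspace (transaction) mode, spanning several objects ---
FGT # execute config-transaction start
FGT # config system global
FGT (global) # set admintimeout 30
FGT (global) # end             # committed to the transaction only, not visible to other processes
FGT # show system global       # review everything staged so far
FGT # execute config-transaction commit   # apply to the running config and kernel
# or, to throw away every staged change at once:
FGT # execute config-transaction abort
```

In workspace mode an `end` still closes the object but the change stays private to the transaction until the `commit`, so `show` after `end` is the place to do the "see changes, then commit" review that the question asks about; `abort` on the transaction drops all staged edits regardless of how many objects were touched.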
Network_Engineer

Understand thank you.

So for GUI, I cannot redo the changes unless I do a restore of a previous version?

In palo alto, for GUI, I can review my changes and only click "commit" when I am satisfied.

Debbie_FTNT

Hey Network_Engineer,

essentially correct; on FortiGate you can scroll over the GUI page again and see what you set, and the changes will be committed if you click 'Okay' or 'Apply', but there is no separate validation step that I'm aware of.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
BobTheBuilder1942

Really wish Fortigate had a "commit confirmed <timeDelay>" feature of some sort.  Even on a good day, you can mess something up unintentionally ... would be nice to do the equivalent of "commit confirmed 30", then all make you do a commit after the fact.  After that 30 (seconds) is up ... if you don't commit, it discards changes.

gfleming

FortiManager can do this. If the connection to FMG remains down for a period of time after pushing the config changes, it will revert to last known good config.

Cheers,
Graham