Support Forum
Xris76
New Contributor

Transfer a FortiGate configuration file to a new FortiGate unit of a different model

Hi to everyone. We have an old FortiGate 200A and bought a new model, a 100D. We exported the config file from the 200A, edited the headers and imported the .cfg to the 100D. It was necessary to rename the interfaces too. The problem now is that many of the commands are no longer supported in IOS 5; the 200A has IOS 4. Downgrading the 100D is not supported, and upgrading the 200A is not supported. :-( Fortinet says we can try to upgrade the 200A, but this is no way for us, the firewall is in production. How can we handle this to export all configs from the 200A to the 100D? Editing everything step by step for each rule etc. would be a head-cracking job.... We have a lot of policies, rules and other things in the .cfg. Did somebody have the same problem or any solution for this? Thanks in advance. Regards from Germany - Munich
Matthew_Mollenhauer
New Contributor III

There is no easy way unfortunately.

Aside from manually editing the config, which is risky, the only thing I can think of is to use a FortiManager to import the current policy set from the 200A, then using the FMG install onto the 100D.

This would still require you to manually configure the interfaces & other system settings on the 100D, but it would allow an "automated" policy transfer.

We purchased a FMG-VM and in the last 6 months we have performed several hardware upgrades using it; we have done two 1240B -> 1500D HA cluster upgrades without issue (both upgrades were on clusters with 1000+ policies), we've also upgraded our 621B HA Cluster to 1240B's without issues.

Be aware, the unlicensed FortiManager-VM is restricted in the number of devices/vdom's it can handle. If you're using more than two vdom's on your 200A you'll have issues. There may be other restrictions that may stop this from working.

Regards,

Matthew

Dave_Hall
Honored Contributor

While migrating from 4.3 to 5.X is ideal, you can go in reverse one step (then go forward a step or two) by 1) downgrading the 100D to 4.3.18 (aka 4.3 MR3 patch 18), then 2) load the edited 100A config onto this 100D, then 3) upgrade the 100D to firmware 5.x.

Checking the later 4.3.x firmwares, I see the 100D is supported, though there is a CSB (CSB-141117-1) that stipulates 4th Gen 100Ds are only supported on 4.3.18.

I don't have access to a 100D, but I assume the lower 8 ports are (by default) labelled "switch". If the internal ports on the 200A are labelled internal -- you can just rename it to switch (on the edited config) before loading it into the 100D.

On each stage of the firmware upgrade, perform a "diag debug config-error-log read" on the CLI to see if there are any errors in the config.

Edit: I'm assuming of course, the original config on the 200A is set to switch mode (not interface mode).

Edit2: Also assuming the 200A is on/near 4.3.18.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Xris76

Hi,

OK, I will try it out. I hope this works fine for us.

Thanks for the help, I'll give you feedback!!

Regards, nice Sunday

Xris76

Xris76
New Contributor

Hello,

At last I can tell that the migration of the config files now works for us. We bought a 200A from eBay for 99€.

I downgraded the 100D to OS4 and imported the config file, edited the interfaces from the old config, edited the header of the config file, upgraded to OS5, and it works fine. I'll test it in the evening in our production environment. Mails OK, web content filter OK, VPN OK.

The same procedure works with a 200A with a config file from a 100A, then importing to a 100D .-)

Regards

Xris76

Shawn_W

Thanks this is good to know. 

emnoc
Esteemed Contributor III

Same here, just did it and that's exactly what we did. We downgraded to a 4.3.X, moved the policies, IPS signatures, proofed all and then upgraded the units following the suggested upgrade path to 5.0.9. It didn't take but maybe 42 mins tops with careful planning.

It's really not that hard, just make sure you break the config down and do it in sections and be careful of any DHCP configuration details.

PCNSE

NSE

StrongSwan
Yngve0
New Contributor II

I have several times earlier migrated configuration between models successfully with use of Notepad & search/replace on interface names. Just ensured that the firmware build is the same and changed the header to one matching the new unit.

Lately I have tried the same approach twice; first between 200B and 200D and second between 60C and 60D. Both failed with response: "Bad license" and the configuration is garbage.

Anyone who has the same experience? I have noticed that the build number for firmware versions on the "D"-models does not match the older model, but that should not be an issue?
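The header edit and interface rename that Dave_Hall and Yngve0 describe above (change the #config-version line to the target model, rename internal -> switch or port16 -> wan1) can be scripted instead of done by hand in Notepad. This is an added example, not code from the thread or from Fortinet; the config text, the header string and the rename mapping are constructed, and the real header must be copied from a config exported from the target unit. The rename only touches whole quoted tokens, so "internal_net" is not damaged by renaming "internal".

```python
import re

# Constructed sample of an exported FortiGate 4.x config (not a real device dump).
# The first line is the model/version header that must match the target unit.
OLD_CFG = """#config-version=FG200A-4.00-FW-build0689-140721:opmode=0:vdom=0:user=admin
config system interface
    edit "internal"
        set ip 192.0.2.1 255.255.255.0
    next
    edit "port16"
        set ip 198.51.100.2 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "port16"
        set srcaddr "internal_net"
    next
end
"""

# Assumed header taken from a factory-default export of the target (100D) unit.
NEW_HEADER = "#config-version=FG100D-4.00-FW-build0689-140721:opmode=0:vdom=0:user=admin"

# Assumed interface mapping for this migration (old name -> new name).
RENAMES = {"internal": "switch", "port16": "wan1"}


def rename_interfaces(cfg, renames):
    """Replace interface names only where they appear as a whole quoted token."""
    def sub(match):
        name = match.group(1)
        return '"' + renames.get(name, name) + '"'
    return re.sub(r'"([^"]*)"', sub, cfg)


def rewrite_header(cfg, new_header):
    """Swap the first line (#config-version=...) for the target model's header."""
    lines = cfg.split("\n")
    if not lines or not lines[0].startswith("#config-version="):
        raise ValueError("not a FortiGate config export: header line missing")
    lines[0] = new_header
    return "\n".join(lines)


def migrate(cfg, new_header, renames):
    """Full pass: fix the header, then rename interfaces throughout the file."""
    return rename_interfaces(rewrite_header(cfg, new_header), renames)
```

After loading the result, run "diagnose debug config-error-log read" on the target as suggested above to catch any lines the new firmware rejected.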

Dave_Hall
Honored Contributor

Yngve Øines wrote:

Lately I have tried the same approach twice; first between 200B and 200D and second between 60C and 60D. Both failed with response: "Bad license" and the configuration is garbage.

Anyone who has the same experience? I have noticed that the build number for firmware versions on the "D"-models does not match the older model, but that should not be an issue?

I haven't encountered this error myself. But mind you, I have rebuilt our base 5.0 configs from scratch rather than migrate over from 4.3, then I have used WinMerge to compare differences, making tweaks/adjustments and used "diagnose debug config-error-log read" to make sure there were no errors when I have loaded them. Only real noticeable differences that I could tell is the 200D has WAN ports, hardware switch config def, and a HDD config def.

But if I was tasked to migrating a 200B config over to the 200D (both on same/similar firmware), I would likely take the existing 200B config, rename the designated WAN port (port16 in my case) to WAN1 and use WinMerge to migrate the appropriate settings over to a clean/factory reset 200D config (keeping the 200D headers of course).

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
emnoc
Esteemed Contributor III

I've never seen this, if you go section by section starting with sys admin, sys interface, address/addrgroup, dhcp and last firewall policies. Basically follow the sequence in your cut/paste as how the firewall config looks and you should be able to move the stuff around.

You might need to find and replace if you have port-name differences (i.e. port1 vs internal1). I've probably done near a hundred of these firewall migrations and they are all simple. But there's no simple process like 1 2 3 done. Just take your time.

PCNSE

NSE

StrongSwan