
Recover FortiGate config onto new model
Created: 2021-01-27 22:32:49 | Last modified: 2021-01-28 01:44:25 | Tags: fortigate
Instructions on how to recover a config from a FortiGate onto a new model
When installing new models of a FortiGate, rather than configuring the device from scratch, it may be easier to move the config from one device to the other. Applying a config between completely different models could be challenging; to do this you may need to replace one piece of the config at a time. In this example, however, we are upgrading our FortiGate 100D cluster with 100Fs, so the configs are very similar between these versions of the firewall.
To start, we upgraded our 100D (older cluster) to the same version of firmware as the new cluster to make the config as compatible as possible.
Process
1) Upgrade old cluster to the same firmware version as the new
2) Back up the config on the old cluster and modify just the top line so the model number is the same as the new cluster. We have VDOMs enabled, so in our example:
Old Cluster
#config-version=FG100D-6.2.7-FW-build1190-201216:opmode=0:vdom=1:user=admin
New Cluster (obtained by running a show inside the CLI, or from a backup of the config)
#config-version=FG100F-6.2.7-FW-build1190-201216:opmode=1:vdom=0:user=admin
Result for new cluster - top line
#config-version=FG100F-6.2.7-FW-build1190-201216:opmode=0:vdom=1:user=admin
3) Copy the new config to the root directory of a USB drive, insert it into the FortiGate and run the following command to replace the config (fw1a_20210127_2318_v6.2.7-working.conf is the filename of the config)
execute restore config usb fw1a_20210127_2318_v6.2.7-working.conf
4) As you can see, there are some errors. Review and resolve the errors using the following command
diagnose debug config-error-log read
As you can see from the screenshot below, the @number represents the line number inside the config. For example, "set" "wanoptgrp" "read-write" @41 translates to line 41, and that part of the config is set wanoptgrp read-write

In this example, I removed:
# This accprofile rule is not available in the config
config system accprofile
    set wanoptgrp read-write
# Remove system storage and configure manually later on
config system storage
    edit "Internal"
        set status enable
        set media-status enable
        set order 1
        set partition "LOGUSEDX1BE81523"
        set device "/dev/sda1"
        set size 30049
        set usage log
    next
end
# This rule and everything underneath the config block
config wanopt content-deliver-network-rule
# These rules are not required
config wanopt settings
    set host-id "default-id"
end
config wanopt profile
    edit "default"
        set comments "Default WANopt profile."
    next
end
# System Reports
config system settings
    set gui-local-reports enable
end
# Remove the config report layout, we will set these up later on (note there are 3 of these)
config report layout
...
end
5) Reapply the configuration. This can be done as many times as required until the configuration is clean.
execute restore config usb fw1a_20210127_2318_v6.2.7-working-fix.conf
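The header edit from step 2 can be scripted so that only the model changes and the restore is refused when the firmware on the two clusters differs (step 1). This is an added example, not part of the original article or any Fortinet tooling; the function names and the regular expression are assumptions derived from the three header lines shown above.

```python
import re

# Header layout taken from the three example lines in step 2:
# #config-version=<model>-<version>-FW-build<build>-<stamp>:key=value:...
HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Za-z0-9]+)-(?P<version>\d+(?:\.\d+)+)"
    r"-FW-build(?P<build>\d+)-(?P<stamp>\d+)(?P<fields>(?::[^:=\s]+=[^:\s]*)*)\s*$"
)

# Header lines as given in step 2 (old cluster, new cluster).
OLD_HEADER = "#config-version=FG100D-6.2.7-FW-build1190-201216:opmode=0:vdom=1:user=admin"
NEW_HEADER = "#config-version=FG100F-6.2.7-FW-build1190-201216:opmode=1:vdom=0:user=admin"


def parse_header(line):
    """Split a #config-version line into model, firmware parts and trailing fields."""
    match = HEADER_RE.match(line)
    if match is None:
        raise ValueError(f"not a config-version header: {line!r}")
    return match.groupdict()


def retarget_header(old_line, new_line):
    """Return the old header with only the model replaced by the new device's."""
    old, new = parse_header(old_line), parse_header(new_line)
    # Step 1: refuse to continue unless both clusters run identical firmware.
    for key in ("version", "build", "stamp"):
        if old[key] != new[key]:
            raise ValueError(f"firmware {key} differs: {old[key]} vs {new[key]}")
    # opmode/vdom/user stay as in the OLD backup, matching the page's result line.
    return (f"#config-version={new['model']}-{old['version']}"
            f"-FW-build{old['build']}-{old['stamp']}{old['fields']}")


def retarget_config(config_text, new_line):
    """Rewrite line 1 of a backup; all other lines pass through unchanged."""
    first, sep, rest = config_text.partition("\n")
    eol = "\r" if first.endswith("\r") else ""  # keep CRLF backups as CRLF
    return retarget_header(first, new_line) + eol + sep + rest


if __name__ == "__main__":
    # Constructed two-line stand-in for a real backup file.
    print(retarget_config(OLD_HEADER + "\nconfig system global\nend\n", NEW_HEADER))
```
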