This article explains how to transfer a FortiGate configuration file to a new FortiGate unit of a different model.
Please note, that this guide is out of date and has been replaced by this article:
This new article is also available in german language:
Attention:
Support for the transfer of a configuration file:
Transferring a configuration file from one model to another is not supported by Fortinet nor by Boll, however part of the configuration can be restored manually by copying the required configuration from the old backup configuration file to new configuration file.
The Fortinet Technical Support department does not offer technical assistance in converting FortiGate configuration files from one model to another as, when required, this is the responsibility of the user.
Source: Fortinet KB
- Open the backup configuration file from the previous and different FortiGate Unit.
- Download a backup of a new configuration file from the new unit. This procedure is different depending on which FortiOS version is running on the FortiGate:
- In FortiOS 3.0, 4.0 and 4.1.x, download a factory default configuration file from System > Maintenance > Backup & Restore
- In FortiOS 4.2, 5.0 and 5.2 download a factory default configuration file from System>Dashboard > System Information > System Configuration
- In FortiOS 5.4 download from Dashboard > System Information > System Configuration > Backup or Admin > Backup Configuration.
- In FortiOS 5.6 download from Admin > Configuration > Backup.
- From the factory default configuration file copy the “config-version”, and paste this value and replace in the backup of the previous configuration file.
Make sure that all interface names correspond to the new device. For example, the previous unit may have had a “wan1” interface however the new device has a “port1” interface, it is critical to make sure these correspond.
Save the new configuration file under a new .conf file. This step is mandatory otherwise when reloading the new configuration file the error message “configuration file error” will be displayed on the web based interface.
Only copy the “config-version” section of the first line of the config file from the device being copied. In this way, upon conversion to the new device, the correct “vdom” and “opmode” settings will be applied. - Verify which user admin account was used when saving the configuration file. Reloading a configuration that was saved under a super_admin account to a simple admin account will display the error message “invalid username or password on the web based interface.
- On the new FortiGate unit, go to System > Status, select Restore, and upload the edited config file to the new unit. The unit restarts automatically.
- Test the configuration.
It must be noted that modifying .conf files in this manner will not ensure that all profiles will be saved. This is particularly true if this procedure is used for .conf files being used on a different versions of FortiOS. For example, reloading a .conf file to a FortiGate running FortiOS 4.1 from a .conf file using FortiOS 4.2, any new profiles related to new FortiOS features will be lost.
Hi,
Thank you very much… it made my life easier…
Hi,
thank you. It worked fine.
But there is one thing that I do not get:
“3. From the factory default configuration file copy the “config-version”, and paste this value and replace in the backup of the previous configuration file.”
A little later it says:
“Only copy the “config-version” section of the first line of the config file from the device being copied. In this way, upon conversion to the new device, the correct “vdom” and “opmode” settings will be applied.”
Hmm do they mean “Only overwrite” maybe?
Regards Rufius
Hi,
Just copy the lines with the #. These lines contain the box and firmware information.
#config-version=FG100D-5.00-FW-build208-130603:opmode=0:vdom=0:user=admin
#conf_file_ver=14368422516676065274
#buildno=0208
#global_vdom=1
Thank you !
This saved me ages !!! had to migrate a fortigate with over 200 firewall adresses, multiple VLAN’s interfaces and a lot of policy’s.
Thanks! You just made me winning 2 days of boring configuring my new 90D firewall (coming from a 60C)
I even could put the new firewall in a cluster with a second 90D!
Thanks a lot!
Now it is not accepting my admin login?
It uses the admins and passphrases from the config backup, also the admin ports, login restrictions, IP’s etc.
The default admin on the new box will be overwritten.
Hello
I want to migrate my fortinet 80 c to a fortinet 100 BDL
can i get the configuration of 80 and transfer it in 100
Thank for your answer
Yes, this shouldn’t be a problem.
Just take care that both devices are working with the same firmware version, have a look at the interface names and replace the first comment line from the backup.
Sylvia.
hi
i’ve a little problem with my fortinet 200D.
look …basicly i’ll like to do High Availability.
so firt i backup the config of one of fortinet then i apply it on the second which correctly takes the config.
now my problem is…i cant get through the MGMT port of the fortinet,and i dont get !!!
please how can i make it enable to continue ?
thks
Please check the High Availability guide on http://docs.fortinet.com for further help.
–> Managing individual cluster units using a reserved management interface, page 148 ff.
Hi expert,
I have to migrate the Fortinet 1000A to the high end model 3040B.
Can I backup the current 1000A configs and transfer it in 3040B? Or any better way in doing the migration? The FW contained few thousands of rules and quite number of VLAN interfaces. That will drive me crazy if i need to configure from the scratch.
Thanks in advance.
JQ.
Hi,
It works as written in the article. Take care that you renmae the interfaces correctly and using the same firmware if possible.
Regards,
Michael
Good day.
Yes bad I did not understand you can migrate to another FortiGate long as the same interface names are taken and have the same version of firmware.
Am I right?
If the new FortiGate model has other interface names, just search and replace the existing in the configuration with the new interface names.
Ok. I am moving from FortiGate 100A – Fortigate100D.
Do you think there is a problem?
This is the old FortiGate Firmware Version: 3.00 FortiGate-100A, build0403,061106
This is the new FortiGate Firmware Version: FortiGate-100 v5.0, build0292,140731 (GA Patch 9).
Do you think there is a problem? And if so, what do I have to do to solve it, and spend all the settings you have in the FortiGate 100A to Fortigate 100D?
Yes, this is a big gap in the firmware version. I am pretty sure that the v3.0 config cannot be restored on a v5.0 device without damage.
Both devices support v4.3. So you can upgrade the FG100A to v4.3 (please respect the supported upgrade path) and downgrade the FG100D to v4.3. Then you can move the config from the 100A to the 100D.
Depending on the complexity of the configuration it may be easier to configure the 100D from the scratch…
Hi, good day.
I am migrating the configuration from FGT80C(version 4.00) to FGT100D.
My questions are below:
1. Do I need to downgrade the FGT100D firmware exactly same as FGT80C before migrate the config?
2. Or I can just migrate the config without downgrade the firmware?
Thanks.
Hi Sam,
if both devices do not have the same version it is possible that you will loose parts of the configuration. The bigger the gap between both firmware versions the more config parts will be lost.
I would recommend to have at least the same major version on both devices.
1. You can downgrade the FG100D or upgrade the 80C…
2. Yes, this will be possible. But I am pretty sure that you will loose a lot of configuration by doing this….
Hi sy, noted and thanks a lot for the information.
Awsome working thanks a lot to author.
Hi mp !
I tried migrating FGT 100A to 310B but never worked…..
“diagnose debug config-error-log read” indicated something wrong about “switch interface mode” that is normal because 310B is interface mode by default.
So I removed the line corresponding.
But I never managed to connect through Ethernet… In the console (serial attached) there’s no error message.
I have to precise that the configuration has multiple vdoms interconnected. (And many rules / VPN / users / etc…)
I used “find and replace all” to assign interfaces…
Please help, I don’t want to redo all from scratch.
Many thanks in advance
Hi,
Deleting the command “internal-switch-mode” sets it back to default which is again switch mode. Instead of deleting set it to “internal-switch-mode interface”.
With this setting, you can use every port as a single port. Please take care that the interface names change. Please try first changing ths command on the 310B to see how the interfaces are named, eg. switch –> port1…
Hi,
Thanks for your fast reply.
The fact is that the default conf for 310B has not the “set internal-switch-mode interface”…
Because the 310 has no switch…
I can try setting it, but really not sure that will work…
I’ll let you know.
Thanks again
Hi
Can anybody help me to copy configuration from Fortigate 310b to Fortigate 800C
regards
shahid
Hi Shahid,
When you follow the mentioned steps, it should work as expected.
Do you have any questions regarding one step?
Regards,
Michael
hi
My question is about
_______________________________________________
4. Verify which user admin account was used when saving the configuration file. Reloading a configuration that was saved under a super_admin account to a simple admin account will display the error message “invalid username or password on the web based interface.
_______________________________________________
loading the file I get message invalid username or password in the fortigate create the same users for console and try again but yields the same mistake later edit the user admin bringing the team by default but registered the same mistake I am doing wrong
For example
replace the admin user for the user to create manually is super-admin, and I made a user login but I came out loading Error
# config-version = FG100D-5.00-FW-build208-130603: opmode = 0: vdom = 0: user = soporte_ts
try the default user, enter the fortigate with admin and uploaded the backup failure but also courage and password
# Config-version = FG100D-5.00-FW-build208-130603: opmode = 0: vdom = 0: user = admin
Can you try using an admin user that already exists in the default confguration like the admin?
Can you also try an admin with the default admin profile super_admin or prof_admin?
Hello,
This is a long shot.
I want to move from a FG-60D to a FWF-60D.
As these are two different systems because of the WiFi support, the configuration part of the FWF-60D will be absent in the backup of the FG-60D config.
I take that the restore will just just use whatever is in the backup to build the system.
If so, is there a way to determine and pick the WiFi portion and include it in the backed-up config?
I fear that this is not possible but there is a saying in dutch which translated reads as follows:
“Not shooting is always a miss”.
Thanks for replying.
Hello,
Every model supports the Wireless controller features, also models without internal antennas. That means you can copy the wireless settings into a FortiGate configuration, no problem.
But you need an FortiAP to use wireless and use another profile because the internal radio doesn’t exist anyymore.
Hope that helps.
Michael
Pingback:Manage #Fortigate IOS downgrade isn’t fun ! | À la Thurne
Thank you Michael,
I wound up entering everything from scratch, as the alternative would defeat the purpose of having bought a WFW and needing to acquire an AP to be able to provide wireless access.
Best regards.
I see, thank you. When moving from a FortiGate to a FortiWifi, it’s maybe better to build it up from scratch, you are right.
Michael
Hi,
I have to change model from 200B to 200D.
I have edited the header lines and the interface ports.
First I have mentioned, when I want to use the “wan1” interface I have to set manually to my new ip address, otherwise I have errors.
Second, when I restore the modified config I have major problems with the interface “switch”
After the restore the “switch” has all other ports integrated and I cannot change it.
So I am stuck and I cannot just restore to factory defaults.
Do you have any ideas to solve it ?
wbr
George
Hi,
The 200D has a hardware switch, the 200B not. That’s why you cannot just replace the header lines and restore the configuration.
You need to check the factory default interface configuration from the 200D how the switch is configured and copy it to the backup from the 200B.
This is the only way you can make it work.
Please check and compare the following settings:
config system global
set internal-switch-mode switch–> should be set to interface
config system physical-switch
and
config system virtual-switch
edit “internal”
This is the new hardware switch with the internal port group. Please copy these settings to the backup configuration from the 200B.
Regards,
Michael
Hi MP,
thanks for your support.
I worked now through 10.000 lines and copied section by section.
I just left out the config from my old switch.
Hi,
Great to hear.
Thank you for your feedback.
Regards,
Michael
Hi MP,
I am migrating from 200B to 200D
1) I will copy these 3 lines to the 200B backup config.
#config-version=FG200D-5.02-FW-build718-160328:opmode=0:vdom=0:user=admin
#conf_file_ver=10499526116042514316
#buildno=0718
2) Do I need to copy also these lines?
set internal-switch-mode interface
set switch-controller enable
set virtual-switch-vlan enable
Thanks.
Hi,
The 200D doesn’t use the internal-switch-mode but uses a hardware switch.
Therefor you cannot copy the lines from 2).
I recommend making a backup from the 200D and adapt / add these settings in the 200B configuration manually:
# config sys physical-switch
(physical-switch) # show
config system physical-switch
edit “sw0”
set age-val 0
next
end
# config sys virtual-switch
(virtual-switch) # show
config system virtual-switch
edit “lan”
set physical-switch “sw0”
config port
edit “port1”
next
edit “port2”
next
end
next
end
Best regards,
Michael
Hi. I need to migrate form a fortiwifi 50b Version 4.0 to a fortiwifi 60d 5.x. Is it possible to do so? What should I do?
Hello,
You can try it the same way with diferent versions.
Although it is not supported, most of the settings will be converted.
Hi..
I have Fortigate 310b with fortiOS 4.2 and i want to migrate configuration on fortigate 200E with forti os 5.4
can i migrate the configuration without upgrading or down grading firmware???
if yes then is there any issue ???
Hello,
Unfortunately it is not possible to use a configuration from 4.2 with a 5.4 release because the syntax any many features changed.
You can probably use certain parts of the configuration but a full restore doesn’t work normally. But give it a try.
Regards,
Michael
Want to migrate from Fortigate 110 C to 100 E. Please help on the steps
Unfortunately this is not possible without losing certain configuration parts because the FortiGate 110C runs at most on FortiOS 5.2 or older and FortiGate 100E starts with FortiOS 5.4.
But you can try the same procedure as stated in our article with copying the header lines and change the interface names.
Hi, I want to migrate the configuration of Fortigate 100C to a new Fortigate 100E. Can I backup the files to the system from 100C and connect the new firewall, login and restore the conf files back.
Will i have any issue if so how to solve this.
Hi,
The problem is that the 110C and the 100E do not have the same firmware releases available. The latest release for the 110C is 5.2.x, while the 100E started with 5.4.x.
That means you cannot restore the configuration wihtout any issues. The best way to solve this is to setup the 100E initially and copy and paste config parts from the 110C into the 100E.
Best regards,
Michael
Hi
Can I migrate fortinet 200E to 100f ?
Hello,
When following all the steps, yes.
We also published a new article with even more possibilities: How to transfer a FortiGate configuration to a newer model
Regards,
Michael
Hi,
I’ve tried to migrate from 60D to 61E. When I restore the normal, edited backup, the configuration file was mismatched by restoring on 61E.
Last I’ve saved the “sh fu” output in a fresh conf-file, change the “config-version” and restore this on the 61E via web. This conf accepted by the 61E – but now I can search the RS232-2-USB-Converter to reanimate the box :-/
Any helpfully ideas?
Thx,
BitH…
Hello,
It is probably an issue with interfaces or administrators which are right at the top of the configuration.
If you can login to the console, please check possible config errors with the following command:
diag debug config-error-log read
Best regards
hi
i need help how to migrate 60C v5.0 patch 9 to 61E v6.0.4
Hello Dave,
Unfortunately this it not that easy. For converting a configuration to another model, you should have the same version.
But the 61E does not have a 5.x release and the 60C no 6.x release.
You can still try to follow the steps in our article and check which features have been converted.
Hi,
Is it possible to migrate from 60c to a 50E?
60C running on V5.2.11
50E on running v6.2.1
What steps do I need to take?
Thanks for your reply
Dear Christophe
Thank you for your comment in our blog.
There is quite a big chance that this will not work well. The big problem is the big gap between the FortiOS versions of the appliances and the second is the hardware difference which skips a whole generation.
Therefore our recommendation is: Setup your new system from scratch and rebuild the whole configuration. There is a good chance that you can free yourself from many worries this way.
Good luck with your project.
Kind regards,
The Boll Tech Team
Iam planning to migrate FGT311B Firewall Ver 5.2.13 to FGT 401E Firewall latest 6.0.10 version.
Both device cannot be upgraded to common version to migrate the Firewall configuration.
Considering the interface mapping.
Can we use FGT VM version 5.2.13, restore config from FGT311B and upgrade FGTVM to 6.0.10 and migrate to FGT 401E?
Please reply
Hello
The problem with the FortiGate VM is that the ports are labelled differently and probably the VM has not the same interface count.
Therefor you need to rename the ports first and check if you have enought ports.
But the upgrade can be done on the VM by following the upgrade path, yes.
I need to backup and restore the configuration from 300C to 200F.
Kindly suggest the steps I need to take. Thanks in advance.
Hello,
As the FortiGate 300C only supports version 5.2 and older, the backup and restore procedure is not recommended. I would recommend the FortiConverter service, which we have described here:
How to transfer a FortiGate configuration to a newer model
Kind regards,
BOLL Engineering Tech Team
Hi Sir,
We were given a task to transfer the configuration from 100D -> 100F
Any comments on this? (Similaritites/Differences etc.)
Thank you.
Hello,
You can convert it using the steps we mentioned.
But because these two models use different software versions, please consider using the FortiConverter Service or the FortiConverter.
Please find the details here: How to transfer a FortiGate configuration to a newer model
Best regards,
BOLL Engineering Tech Team
Thank you for your reply Tech Team.
If I am sticking with the original method (manual convert) rather than using the Forti tool as suggested, will it work just fine Sir?
Thank you.
Hello CyberJ
Since Fortinet does not support manual transfer of configurations and there is a supported tool with service that does a much better job, we recommend our customers to use FortiConverter.
Best regards,
BOLL Engineering Tech Team