How to transfer a FortiGate configuration file to a new FortiGate unit of a different model

This article explains how to transfer a FortiGate configuration file to a new FortiGate unit of a different model.
Source: Fortinet KB
1.  Open the backup configuration file from the previous, different FortiGate unit.
2.  Download a backup of a new configuration file from the new unit. This procedure differs depending on which FortiOS version is running on the FortiGate:
    • In FortiOS 3.0, 4.0, 4.1.x, download a factory default configuration file from System > Maintenance > Backup & Restore.
    • In FortiOS 4.2, download a factory default configuration file from System > Dashboard > System Information > System Configuration.
3.  From the factory default configuration file, copy the "config-version" value and paste it over the corresponding value in the backup of the previous configuration file.
    • Make sure that all interface names correspond to the new device. For example, the previous unit may have had a "wan1" interface while the new device has a "port1" interface; it is critical that these correspond.
    • Save the edited configuration under a new .conf file. This step is mandatory; otherwise, reloading the configuration file displays the error message "configuration file error" in the web-based interface.
    • Only copy the "config-version" section of the first line of the config file from the device being copied. In this way, upon conversion to the new device, the correct "vdom" and "opmode" settings will be applied.
4.  Verify which admin user account was used when saving the configuration file. Reloading a configuration that was saved under a super_admin account to a simple admin account will display the error message "invalid username or password" on the web-based interface.
5.  On the new FortiGate unit, go to System > Status, select Restore, and upload the edited config file to the new unit. The unit restarts automatically.
6.  Test the configuration.
Note that modifying .conf files in this manner does not ensure that all profiles will be saved. This is particularly true if the procedure is used with .conf files from a different version of FortiOS. For example, when a .conf file from FortiOS 4.2 is reloaded on a FortiGate running FortiOS 4.1, any new profiles related to new FortiOS features will be lost.
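
The header and interface edits from step 3, scripted as an added example (not part of the Fortinet KB text or any Fortinet tool). It assumes step 3 means replacing only the first field of the `#config-version=` line while keeping the backup's own opmode, vdom and user fields; `migrate`, `interface_names` and the `OLDMODEL` header are hypothetical names and constructed sample data.

```python
import re
HEADER = re.compile(r"^#config-version=([^:\r\n]+)", re.M)

def interface_names(conf):
    """Names from top-level 'edit "<name>"' entries in 'config system interface'."""
    names, depth = [], 0          # depth 0 = outside the interface section
    for s in map(str.strip, conf.splitlines()):
        if depth == 0:
            depth = 1 if s == "config system interface" else 0
        elif s.startswith("config "):
            depth += 1            # nested block inside an interface entry
        elif s == "end":
            depth -= 1
        elif depth == 1 and (m := re.fullmatch(r'edit "([^"]+)"', s)):
            names.append(m.group(1))
    return names

def migrate(old_conf, new_default, iface_map):
    """Return (edited_conf, old interface names that still need a mapping)."""
    old_h, new_h = HEADER.search(old_conf), HEADER.search(new_default)
    if not (old_h and new_h):
        raise ValueError("missing #config-version header line")
    # Swap only the model/firmware field; opmode, vdom and user stay as saved.
    out = old_conf[:old_h.start(1)] + new_h.group(1) + old_conf[old_h.end(1):]
    if iface_map:
        # One pass over quoted names: "wan1" never hits "wan10", swaps cannot
        # chain. Any other object that shares an interface's name is renamed too.
        pat = re.compile('"(%s)"' % "|".join(map(re.escape, iface_map)))
        out = pat.sub(lambda m: '"%s"' % iface_map[m.group(1)], out)
    have = set(interface_names(new_default)) | set(iface_map)
    return out, [n for n in interface_names(old_conf) if n not in have]

# Constructed sample inputs; OLDMODEL is a placeholder, not a real model code.
OLD = '''#config-version=OLDMODEL-5.00-FW-build208-130603:opmode=0:vdom=1:user=admin
config system interface
    edit "wan1"
    next
    edit "dmz"
    next
end
config firewall policy
    edit 1
        set dstintf "wan1"
    next
end
'''
NEW_DEFAULT = ("#config-version=FG100D-5.00-FW-build208-130603:opmode=0:vdom=0:user=admin\n"
               'config system interface\n    edit "port1"\n    next\nend\n')
EDITED, UNMAPPED = migrate(OLD, NEW_DEFAULT, {"wan1": "port1"})
```

With this sample, `UNMAPPED` contains `dmz`: the old backup defines it, the new unit's factory default does not, and the mapping does not cover it, so it has to be resolved before the file is restored.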

43 Responses to “How to transfer a FortiGate configuration file to a new FortiGate unit of a different model”


  • Ebenezer Manuel

    Hi,

    Thank you very much… it made my life easier…

  • Hi,

    thank you. It worked fine.

    But there is one thing that I do not get:
    „3. From the factory default configuration file copy the “config-version”, and paste this value and replace in the backup of the previous configuration file.“

    A little later it says:

    „Only copy the “config-version” section of the first line of the config file from the device being copied. In this way, upon conversion to the new device, the correct “vdom” and “opmode” settings will be applied.“

    Hmm do they mean „Only overwrite“ maybe?

    Regards Rufius

  • Hi,

    Just copy the lines with the #. These lines contain the box and firmware information.

    #config-version=FG100D-5.00-FW-build208-130603:opmode=0:vdom=0:user=admin
    #conf_file_ver=14368422516676065274
    #buildno=0208
    #global_vdom=1

  • Thank you !
    This saved me ages!!! Had to migrate a FortiGate with over 200 firewall addresses, multiple VLAN interfaces and a lot of policies.

  • Thanks! You just made me winning 2 days of boring configuring my new 90D firewall (coming from a 60C)
    I even could put the new firewall in a cluster with a second 90D!
    Thanks a lot!

  • Now it is not accepting my admin login?

  • It uses the admins and passphrases from the config backup, also the admin ports, login restrictions, IP’s etc.
    The default admin on the new box will be overwritten.

  • Hello
    I want to migrate my fortinet 80 c to a fortinet 100 BDL
    can i get the configuration of 80 and transfer it in 100
    Thank for your answer

  • Yes, this shouldn’t be a problem.
    Just take care that both devices are working with the same firmware version, have a look at the interface names and replace the first comment line from the backup.

    Sylvia.

  • hi

    i’ve a little problem with my fortinet 200D.
    look …basically i’ll like to do High Availability.
    so first i backup the config of one of fortinet then i apply it on the second which correctly takes the config.

    now my problem is…i cant get through the MGMT port of the fortinet,and i dont get !!!

    please how can i make it enable to continue ?

    thks

  • Please check the High Availability guide on http://docs.fortinet.com for further help.
    –> Managing individual cluster units using a reserved management interface, page 148 ff.

  • Hi expert,
    I have to migrate the Fortinet 1000A to the high end model 3040B.
    Can I backup the current 1000A configs and transfer it in 3040B? Or any better way in doing the migration? The FW contained few thousands of rules and quite number of VLAN interfaces. That will drive me crazy if i need to configure from the scratch.

    Thanks in advance.
    JQ.

  • Hi,
    It works as written in the article. Take care that you rename the interfaces correctly and use the same firmware if possible.
    Regards,
    Michael

  • Good day.
    Yes bad I did not understand you can migrate to another FortiGate long as the same interface names are taken and have the same version of firmware.
    Am I right?

  • If the new FortiGate model has other interface names, just search and replace the existing in the configuration with the new interface names.

  • Ok. I am moving from FortiGate 100A – Fortigate100D.
    Do you think there is a problem?

  • This is the old FortiGate Firmware Version: 3.00 FortiGate-100A, build0403,061106

    This is the new FortiGate Firmware Version: FortiGate-100 v5.0, build0292,140731 (GA Patch 9).

    Do you think there is a problem? And if so, what do I have to do to solve it, and spend all the settings you have in the FortiGate 100A to Fortigate 100D?

  • Yes, this is a big gap in the firmware version. I am pretty sure that the v3.0 config cannot be restored on a v5.0 device without damage.
    Both devices support v4.3. So you can upgrade the FG100A to v4.3 (please respect the supported upgrade path) and downgrade the FG100D to v4.3. Then you can move the config from the 100A to the 100D.
    Depending on the complexity of the configuration it may be easier to configure the 100D from the scratch…

  • Hi, good day.

    I am migrating the configuration from FGT80C(version 4.00) to FGT100D.

    My questions are below:
    1. Do I need to downgrade the FGT100D firmware exactly same as FGT80C before migrate the config?
    2. Or I can just migrate the config without downgrade the firmware?

    Thanks.

  • Hi Sam,

    if both devices do not have the same version it is possible that you will lose parts of the configuration. The bigger the gap between both firmware versions the more config parts will be lost.

    I would recommend to have at least the same major version on both devices.

    1. You can downgrade the FG100D or upgrade the 80C…
    2. Yes, this will be possible. But I am pretty sure that you will lose a lot of configuration by doing this….

  • Hi sy, noted and thanks a lot for the information.

  • Awesome, working. Thanks a lot to the author.

  • Hi mp !

    I tried migrating FGT 100A to 310B but never worked…..

    „diagnose debug config-error-log read“ indicated something wrong about „switch interface mode“ that is normal because 310B is interface mode by default.
    So I removed the line corresponding.

    But I never managed to connect through Ethernet… In the console (serial attached) there’s no error message.

    I have to precise that the configuration has multiple vdoms interconnected. (And many rules / VPN / users / etc…)

    I used „find and replace all“ to assign interfaces…

    Please help, I don’t want to redo all from scratch.

    Many thanks in advance

  • Hi,
    Deleting the command „internal-switch-mode“ sets it back to default which is again switch mode. Instead of deleting set it to „internal-switch-mode interface“.
    With this setting, you can use every port as a single port. Please take care that the interface names change. Please try first changing this command on the 310B to see how the interfaces are named, e.g. switch –> port1…

  • Hi,

    Thanks for your fast reply.

    The fact is that the default conf for 310B has not the „set internal-switch-mode interface“…
    Because the 310 has no switch…

    I can try setting it, but really not sure that will work…

    I’ll let you know.

    Thanks again

  • Hi

    Can anybody help me to copy configuration from Fortigate 310b to Fortigate 800C

    regards

    shahid

  • Hi Shahid,

    When you follow the mentioned steps, it should work as expected.
    Do you have any questions regarding one step?

    Regards,
    Michael

  • hi

    My question is about

    _______________________________________________
    4. Verify which user admin account was used when saving the configuration file. Reloading a configuration that was saved under a super_admin account to a simple admin account will display the error message “invalid username or password on the web based interface.
    _______________________________________________

    loading the file I get message invalid username or password in the fortigate create the same users for console and try again but yields the same mistake later edit the user admin bringing the team by default but registered the same mistake I am doing wrong

    For example

    replace the admin user for the user to create manually is super-admin, and I made a user login but I came out loading Error

    #config-version=FG100D-5.00-FW-build208-130603:opmode=0:vdom=0:user=soporte_ts

    try the default user, enter the fortigate with admin and uploaded the backup failure but also courage and password

    #config-version=FG100D-5.00-FW-build208-130603:opmode=0:vdom=0:user=admin

  • Can you try using an admin user that already exists in the default configuration like the admin?
    Can you also try an admin with the default admin profile super_admin or prof_admin?

  • Hello,

    This is a long shot.
    I want to move from a FG-60D to a FWF-60D.
    As these are two different systems because of the WiFi support, the configuration part of the FWF-60D will be absent in the backup of the FG-60D config.
    I take it that the restore will just use whatever is in the backup to build the system.
    If so, is there a way to determine and pick the WiFi portion and include it in the backed-up config?
    I fear that this is not possible but there is a saying in dutch which translated reads as follows:
    „Not shooting is always a miss“.
    Thanks for replying.

  • Hello,
    Every model supports the Wireless controller features, also models without internal antennas. That means you can copy the wireless settings into a FortiGate configuration, no problem.
    But you need a FortiAP to use wireless and use another profile because the internal radio doesn’t exist anymore.

    Hope that helps.
    Michael

  • Thank you Michael,

    I wound up entering everything from scratch, as the alternative would defeat the purpose of having bought a WFW and needing to acquire an AP to be able to provide wireless access.
    Best regards.

  • I see, thank you. When moving from a FortiGate to a FortiWifi, it’s maybe better to build it up from scratch, you are right.
    Michael

  • Hi,
    I have to change model from 200B to 200D.
    I have edited the header lines and the interface ports.

    First I have mentioned, when I want to use the „wan1“ interface I have to set manually to my new ip address, otherwise I have errors.

    Second, when I restore the modified config I have major problems with the interface „switch“
    After the restore the „switch“ has all other ports integrated and I cannot change it.
    So I am stuck and I cannot just restore to factory defaults.

    Do you have any ideas to solve it ?

    wbr
    George

  • Hi,

    The 200D has a hardware switch, the 200B not. That’s why you cannot just replace the header lines and restore the configuration.
    You need to check the factory default interface configuration from the 200D how the switch is configured and copy it to the backup from the 200B.
    This is the only way you can make it work.

    Please check and compare the following settings:

    config system global
        set internal-switch-mode switch   –> should be set to interface

    config system physical-switch
    and
    config system virtual-switch
        edit "internal"
    This is the new hardware switch with the internal port group. Please copy these settings to the backup configuration from the 200B.

    Regards,
    Michael

  • Hi MP,
    thanks for your support.
    I worked now through 10.000 lines and copied section by section.
    I just left out the config from my old switch.

  • Hi,

    Great to hear.
    Thank you for your feedback.

    Regards,
    Michael

  • Hi MP,

    I am migrating from 200B to 200D

    1) I will copy these 3 lines to the 200B backup config.
    #config-version=FG200D-5.02-FW-build718-160328:opmode=0:vdom=0:user=admin
    #conf_file_ver=10499526116042514316
    #buildno=0718

    2) Do I need to copy also these lines?
    set internal-switch-mode interface
    set switch-controller enable
    set virtual-switch-vlan enable

    Thanks.

  • Hi,
    The 200D doesn’t use the internal-switch-mode but uses a hardware switch.
    Therefore you cannot copy the lines from 2).

    I recommend making a backup from the 200D and adapt / add these settings in the 200B configuration manually:

    # config sys physical-switch

    (physical-switch) # show
    config system physical-switch
        edit "sw0"
            set age-val 0
        next
    end

    # config sys virtual-switch

    (virtual-switch) # show
    config system virtual-switch
        edit "lan"
            set physical-switch "sw0"
            config port
                edit "port1"
                next
                edit "port2"
                next
            end
        next
    end

    Best regards,
    Michael

  • Hi. I need to migrate from a fortiwifi 50b Version 4.0 to a fortiwifi 60d 5.x. Is it possible to do so? What should I do?

  • Hello,
    You can try it the same way with different versions.
    Although it is not supported, most of the settings will be converted.

  • Hi..

    I have Fortigate 310b with fortiOS 4.2 and i want to migrate configuration on fortigate 200E with forti os 5.4

    can i migrate the configuration without upgrading or down grading firmware???
    if yes then is there any issue ???

  • Hello,

    Unfortunately it is not possible to use a configuration from 4.2 with a 5.4 release because the syntax and many features changed.
    You can probably use certain parts of the configuration but a full restore doesn’t work normally. But give it a try.

    Regards,
    Michael
