How to transfer a FortiGate configuration file to a new FortiGate unit of a different model

This article explains how to transfer a FortiGate configuration file to a new FortiGate unit of a different model.

Attention:
Support for the transfer of a configuration file:
Transferring a configuration file from one model to another is supported neither by Fortinet nor by Boll. However, part of the configuration can be restored manually by copying the required configuration from the old backup configuration file to the new configuration file.
The Fortinet Technical Support department does not offer technical assistance in converting FortiGate configuration files from one model to another; when a conversion is required, it is the responsibility of the user.

Source: Fortinet KB

  1. Open the backup configuration file from the previous FortiGate unit (the different model).
  2. Download a backup of a new configuration file from the new unit. This procedure is different depending on which FortiOS version is running on the FortiGate:
    • In FortiOS 3.0, 4.0 and 4.1.x, download a factory default configuration file from System > Maintenance > Backup & Restore.
    • In FortiOS 4.2, 5.0 and 5.2, download a factory default configuration file from System > Dashboard > System Information > System Configuration.
    • In FortiOS 5.4 download from Dashboard > System Information > System Configuration > Backup or Admin > Backup Configuration.
    • In FortiOS 5.6 download from Admin > Configuration > Backup.
  3. From the factory default configuration file, copy the “config-version” value and paste it over the existing value in the backup of the previous configuration file.
    Make sure that all interface names correspond to the new device. For example, the previous unit may have had a “wan1” interface while the new device has a “port1” interface; it is critical to make sure these correspond.
    Save the new configuration file under a new .conf file. This step is mandatory; otherwise, when the new configuration file is reloaded, the error message “configuration file error” will be displayed on the web-based interface.
    Only copy the “config-version” section of the first line of the config file from the device being copied. In this way, upon conversion to the new device, the correct “vdom” and “opmode” settings will be applied.
  4. Verify which user admin account was used when saving the configuration file. Reloading a configuration that was saved under a super_admin account to a simple admin account will display the error message “invalid username or password” on the web-based interface.
  5. On the new FortiGate unit, go to System > Status, select Restore, and upload the edited config file to the new unit. The unit restarts automatically.
  6. Test the configuration.

It must be noted that modifying .conf files in this manner will not ensure that all profiles will be saved. This is particularly true if this procedure is used for .conf files from a different version of FortiOS. For example, when a .conf file from FortiOS 4.2 is reloaded onto a FortiGate running FortiOS 4.1, any new profiles related to new FortiOS features will be lost.
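
The header swap and interface renaming from step 3 can be scripted. The following Python example is added here and is not part of the original article or of any Fortinet tool; the function names, the sample configuration and the user name “netadmin” are constructed for illustration. It replaces only the config-version section of the first line, renames interfaces as whole quoted names, and lists interfaces that the new unit's factory default does not have.

```python
import re

HEADER = re.compile(r"^#config-version=([^:\s]+)(.*)$")

def swap_version(old_first, new_first):
    """Step 3: new unit's model/firmware section, old opmode/vdom/user."""
    old, new = HEADER.match(old_first), HEADER.match(new_first)
    if not (old and new):
        raise ValueError("first line is not a #config-version header")
    return "#config-version=" + new.group(1) + old.group(2)

def interface_names(text):
    """Names of the entries directly under 'config system interface'."""
    names, stack = [], []
    for line in text.splitlines():
        words = line.split() or [""]
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
        elif words[0] == "end" and stack:
            stack.pop()
        elif words[0] == "edit" and stack[-1:] == ["system interface"]:
            names.append(" ".join(words[1:]).strip('"'))
    return names

def rename_interfaces(lines, iface_map, first_no):
    """Rename whole quoted names in one pass; return lines and changed line numbers."""
    pattern = re.compile('"(' + "|".join(map(re.escape, iface_map)) + ')"')
    out = [pattern.sub(lambda m: '"%s"' % iface_map.get(m[1], m[1]), s) for s in lines]
    changed = [first_no + i for i, (a, b) in enumerate(zip(lines, out)) if a != b]
    return out, changed

def convert(old_text, new_default_text, iface_map):
    first, *rest = old_text.splitlines()
    header = swap_version(first, new_default_text.splitlines()[0])
    body, changed = rename_interfaces(rest, iface_map, 2)
    result = "\n".join([header] + body) + "\n"
    # Interfaces absent from the new unit's factory default need a manual look.
    review = sorted(set(interface_names(result)) - set(interface_names(new_default_text)))
    return result, changed, review

# Constructed samples; headers as quoted in the comments, user name made up.
OLD = """#config-version=FG100D-5.00-FW-build208-130603:opmode=0:vdom=0:user=netadmin
config system interface
    edit "wan1"
    next
    edit "dmz"
    next
end
config firewall policy
    edit 1
        set dstintf "wan1"
        set dstaddr "wan1-gw"
    next
end
"""
NEW_DEFAULT = """#config-version=FG200D-5.02-FW-build718-160328:opmode=0:vdom=0:user=admin
config system interface
    edit "port1"
    next
end
"""

if __name__ == "__main__":
    print(*convert(OLD, NEW_DEFAULT, {"wan1": "port1"}), sep="\n")
```

The changed line numbers are worth reading before the restore, because a quoted name that matches an interface can also belong to another object.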


64 thoughts on “How to transfer a FortiGate configuration file to a new FortiGate unit of a different model”

  1. Ebenezer Manuel Reply

    Hi,

    Thank you very much… it made my life easier…

  2. Rufius Reply

    Hi,

    thank you. It worked fine.

    But there is one thing that I do not get:
    “3. From the factory default configuration file copy the “config-version”, and paste this value and replace in the backup of the previous configuration file.”

    A little later it says:

    “Only copy the “config-version” section of the first line of the config file from the device being copied. In this way, upon conversion to the new device, the correct “vdom” and “opmode” settings will be applied.”

    Hmm do they mean “Only overwrite” maybe?

    Regards Rufius

    • mp Post authorReply

      Hi,

      Just copy the lines with the #. These lines contain the box and firmware information.

      #config-version=FG100D-5.00-FW-build208-130603:opmode=0:vdom=0:user=admin
      #conf_file_ver=14368422516676065274
      #buildno=0208
      #global_vdom=1

  3. Steven Reply

    Thanks! You just made me winning 2 days of boring configuring my new 90D firewall (coming from a 60C)
    I even could put the new firewall in a cluster with a second 90D!
    Thanks a lot!

    • mp Post authorReply

      It uses the admins and passphrases from the config backup, also the admin ports, login restrictions, IP’s etc.
      The default admin on the new box will be overwritten.

  4. Bib Reply

    Hello
    I want to migrate my fortinet 80 c to a fortinet 100 BDL
    can i get the configuration of 80 and transfer it in 100
    Thank for your answer

    • sy Reply

      Yes, this shouldn’t be a problem.
      Just take care that both devices are working with the same firmware version, have a look at the interface names and replace the first comment line from the backup.

      Sylvia.

  5. Ximo Reply

    hi

    I’ve a little problem with my Fortinet 200D.
    Look… basically I’d like to do High Availability.
    So first I backup the config of one Fortinet, then I apply it on the second, which correctly takes the config.

    Now my problem is… I can’t get through the MGMT port of the Fortinet, and I don’t get it!!!

    please how can i make it enable to continue ?

    thks

  6. JQ Reply

    Hi expert,
    I have to migrate the Fortinet 1000A to the high end model 3040B.
    Can I backup the current 1000A configs and transfer it in 3040B? Or any better way in doing the migration? The FW contained few thousands of rules and quite number of VLAN interfaces. That will drive me crazy if i need to configure from the scratch.

    Thanks in advance.
    JQ.

    • mp Post authorReply

      Hi,
      It works as written in the article. Take care that you rename the interfaces correctly and use the same firmware if possible.
      Regards,
      Michael

  7. Isai Pineda Reply

    Good day.
    Yes bad I did not understand you can migrate to another FortiGate long as the same interface names are taken and have the same version of firmware.
    Am I right?

    • mp Post authorReply

      If the new FortiGate model has other interface names, just search and replace the existing in the configuration with the new interface names.

  8. Isai Pineda Reply

    Ok. I am moving from FortiGate 100A – Fortigate100D.
    Do you think there is a problem?

  9. Isai Pineda Reply

    This is the old FortiGate Firmware Version: 3.00 FortiGate-100A, build0403,061106

    This is the new FortiGate Firmware Version: FortiGate-100 v5.0, build0292,140731 (GA Patch 9).

    Do you think there is a problem? And if so, what do I have to do to solve it, and spend all the settings you have in the FortiGate 100A to Fortigate 100D?

  10. sy Reply

    Yes, this is a big gap in the firmware version. I am pretty sure that the v3.0 config cannot be restored on a v5.0 device without damage.
    Both devices support v4.3. So you can upgrade the FG100A to v4.3 (please respect the supported upgrade path) and downgrade the FG100D to v4.3. Then you can move the config from the 100A to the 100D.
    Depending on the complexity of the configuration it may be easier to configure the 100D from the scratch…

  11. Sam Reply

    Hi, good day.

    I am migrating the configuration from FGT80C(version 4.00) to FGT100D.

    My questions are below:
    1. Do I need to downgrade the FGT100D firmware exactly same as FGT80C before migrate the config?
    2. Or I can just migrate the config without downgrade the firmware?

    Thanks.

  12. sy Reply

    Hi Sam,

    If both devices do not have the same version, it is possible that you will lose parts of the configuration. The bigger the gap between both firmware versions, the more config parts will be lost.

    I would recommend to have at least the same major version on both devices.

    1. You can downgrade the FG100D or upgrade the 80C…
    2. Yes, this will be possible. But I am pretty sure that you will lose a lot of configuration by doing this….

  13. FXP Reply

    Hi mp !

    I tried migrating FGT 100A to 310B but never worked…..

    “diagnose debug config-error-log read” indicated something wrong about “switch interface mode” that is normal because 310B is interface mode by default.
    So I removed the line corresponding.

    But I never managed to connect through Ethernet… In the console (serial attached) there’s no error message.

    I have to precise that the configuration has multiple vdoms interconnected. (And many rules / VPN / users / etc…)

    I used “find and replace all” to assign interfaces…

    Please help, I don’t want to redo all from scratch.

    Many thanks in advance

    • mp Post authorReply

      Hi,
      Deleting the command “internal-switch-mode” sets it back to default which is again switch mode. Instead of deleting set it to “internal-switch-mode interface”.
      With this setting, you can use every port as a single port. Please take care that the interface names change. Please try first changing this command on the 310B to see how the interfaces are named, e.g. switch –> port1…

  14. FXP Reply

    Hi,

    Thanks for your fast reply.

    The fact is that the default conf for 310B has not the “set internal-switch-mode interface”…
    Because the 310 has no switch…

    I can try setting it, but really not sure that will work…

    I’ll let you know.

    Thanks again

  15. Shahid Reply

    Hi

    Can anybody help me to copy configuration from Fortigate 310b to Fortigate 800C

    regards

    shahid

    • mp Post authorReply

      Hi Shahid,

      When you follow the mentioned steps, it should work as expected.
      Do you have any questions regarding one step?

      Regards,
      Michael

  16. Danilo Reply

    hi

    My question is about

    _______________________________________________
    4. Verify which user admin account was used when saving the configuration file. Reloading a configuration that was saved under a super_admin account to a simple admin account will display the error message “invalid username or password on the web based interface.
    _______________________________________________

    loading the file I get message invalid username or password in the fortigate create the same users for console and try again but yields the same mistake later edit the user admin bringing the team by default but registered the same mistake I am doing wrong

    For example

    replace the admin user for the user to create manually is super-admin, and I made a user login but I came out loading Error

    # config-version = FG100D-5.00-FW-build208-130603: opmode = 0: vdom = 0: user = soporte_ts

    try the default user, enter the fortigate with admin and uploaded the backup failure but also courage and password

    # Config-version = FG100D-5.00-FW-build208-130603: opmode = 0: vdom = 0: user = admin

    • mp Post authorReply

      Can you try using an admin user that already exists in the default configuration, like the admin?
      Can you also try an admin with the default admin profile super_admin or prof_admin?

  17. Alecio Reply

    Hello,

    This is a long shot.
    I want to move from a FG-60D to a FWF-60D.
    As these are two different systems because of the WiFi support, the configuration part of the FWF-60D will be absent in the backup of the FG-60D config.
    I take that the restore will just use whatever is in the backup to build the system.
    If so, is there a way to determine and pick the WiFi portion and include it in the backed-up config?
    I fear that this is not possible but there is a saying in dutch which translated reads as follows:
    “Not shooting is always a miss”.
    Thanks for replying.

    • mp Post authorReply

      Hello,
      Every model supports the Wireless controller features, also models without internal antennas. That means you can copy the wireless settings into a FortiGate configuration, no problem.
      But you need a FortiAP to use wireless and use another profile because the internal radio doesn’t exist anymore.

      Hope that helps.
      Michael

  18. Pingback:Manage #Fortigate IOS downgrade isn’t fun ! | À la Thurne

  19. Alecio Reply

    Thank you Michael,

    I wound up entering everything from scratch, as the alternative would defeat the purpose of having bought a WFW and needing to acquire an AP to be able to provide wireless access.
    Best regards.

    • mp Post authorReply

      I see, thank you. When moving from a FortiGate to a FortiWifi, it’s maybe better to build it up from scratch, you are right.
      Michael

  20. George Reply

    Hi,
    I have to change model from 200B to 200D.
    I have edited the header lines and the interface ports.

    First I have mentioned, when I want to use the “wan1” interface I have to set manually to my new ip address, otherwise I have errors.

    Second, when I restore the modified config I have major problems with the interface “switch”
    After the restore the “switch” has all other ports integrated and I cannot change it.
    So I am stuck and I cannot just restore to factory defaults.

    Do you have any ideas to solve it ?

    wbr
    George

    • mp Post authorReply

      Hi,

      The 200D has a hardware switch, the 200B not. That’s why you cannot just replace the header lines and restore the configuration.
      You need to check the factory default interface configuration from the 200D how the switch is configured and copy it to the backup from the 200B.
      This is the only way you can make it work.

      Please check and compare the following settings:

      config system global
      set internal-switch-mode switch –> should be set to interface

      config system physical-switch
      and
      config system virtual-switch
      edit "internal"
      This is the new hardware switch with the internal port group. Please copy these settings to the backup configuration from the 200B.

      Regards,
      Michael

  21. George Reply

    Hi MP,
    thanks for your support.
    I worked now through 10.000 lines and copied section by section.
    I just left out the config from my old switch.

    • mp Post authorReply

      Hi,

      Great to hear.
      Thank you for your feedback.

      Regards,
      Michael

  22. Jing Reply

    Hi MP,

    I am migrating from 200B to 200D

    1) I will copy these 3 lines to the 200B backup config.
    #config-version=FG200D-5.02-FW-build718-160328:opmode=0:vdom=0:user=admin
    #conf_file_ver=10499526116042514316
    #buildno=0718

    2) Do I need to copy also these lines?
    set internal-switch-mode interface
    set switch-controller enable
    set virtual-switch-vlan enable

    Thanks.

    • mp Post authorReply

      Hi,
      The 200D doesn’t use the internal-switch-mode but uses a hardware switch.
      Therefore you cannot copy the lines from 2).

      I recommend making a backup from the 200D and adapt / add these settings in the 200B configuration manually:

      # config sys physical-switch

      (physical-switch) # show
      config system physical-switch
          edit "sw0"
              set age-val 0
          next
      end

      # config sys virtual-switch

      (virtual-switch) # show
      config system virtual-switch
          edit "lan"
              set physical-switch "sw0"
              config port
                  edit "port1"
                  next
                  edit "port2"
                  next
              end
          next
      end

      Best regards,
      Michael

  23. Juancho2015 Reply

    Hi. I need to migrate from a fortiwifi 50b Version 4.0 to a fortiwifi 60d 5.x. Is it possible to do so? What should I do?

    • mp Post authorReply

      Hello,
      You can try it the same way with different versions.
      Although it is not supported, most of the settings will be converted.

  24. mack Reply

    Hi..

    I have Fortigate 310b with fortiOS 4.2 and i want to migrate configuration on fortigate 200E with forti os 5.4

    can i migrate the configuration without upgrading or down grading firmware???
    if yes then is there any issue ???

    • mp Post authorReply

      Hello,

      Unfortunately it is not possible to use a configuration from 4.2 with a 5.4 release because the syntax and many features changed.
      You can probably use certain parts of the configuration but a full restore doesn’t work normally. But give it a try.

      Regards,
      Michael

  25. sapl Reply

    Want to migrate from Fortigate 110 C to 100 E. Please help on the steps

    • mp Post authorReply

      Unfortunately this is not possible without losing certain configuration parts because the FortiGate 110C runs at most on FortiOS 5.2 or older and FortiGate 100E starts with FortiOS 5.4.
      But you can try the same procedure as stated in our article with copying the header lines and change the interface names.

  26. Adhil Reply

    Hi, I want to migrate the configuration of Fortigate 100C to a new Fortigate 100E. Can I backup the files to the system from 100C and connect the new firewall, login and restore the conf files back.
    Will i have any issue if so how to solve this.

    • mp Post authorReply

      Hi,
      The problem is that the 110C and the 100E do not have the same firmware releases available. The latest release for the 110C is 5.2.x, while the 100E started with 5.4.x.
      That means you cannot restore the configuration without any issues. The best way to solve this is to set up the 100E initially and copy and paste config parts from the 110C into the 100E.

      Best regards,
      Michael

  27. BitH Reply

    Hi,

    I’ve tried to migrate from 60D to 61E. When I restore the normal, edited backup, the configuration file was mismatched by restoring on 61E.

    Last I’ve saved the “sh fu” output in a fresh conf-file, change the “config-version” and restore this on the 61E via web. This conf accepted by the 61E – but now I can search the RS232-2-USB-Converter to reanimate the box :-/

    Any helpfully ideas?

    Thx,
    BitH…

    • mp Post authorReply

      Hello,

      It is probably an issue with interfaces or administrators which are right at the top of the configuration.
      If you can login to the console, please check possible config errors with the following command:
      diag debug config-error-log read

      Best regards

    • mp Post authorReply

      Hello Dave,

      Unfortunately this is not that easy. For converting a configuration to another model, you should have the same version.
      But the 61E does not have a 5.x release and the 60C no 6.x release.
      You can still try to follow the steps in our article and check which features have been converted.

  28. Christophe Reply

    Hi,

    Is it possible to migrate from 60c to a 50E?
    60C running on V5.2.11
    50E on running v6.2.1

    What steps do I need to take?

    Thanks for your reply

    • vla Reply

      Dear Christophe

      Thank you for your comment in our blog.

      There is quite a big chance that this will not work well. The big problem is the big gap between the FortiOS versions of the appliances and the second is the hardware difference which skips a whole generation.
      Therefore our recommendation is: Setup your new system from scratch and rebuild the whole configuration. There is a good chance that you can free yourself from many worries this way.

      Good luck with your project.

      Kind regards,
      The Boll Tech Team

  29. shrinivas swami Reply

    I am planning to migrate FGT311B Firewall Ver 5.2.13 to FGT 401E Firewall latest 6.0.10 version.
    Both device cannot be upgraded to common version to migrate the Firewall configuration.

    Considering the interface mapping.
    Can we use FGT VM version 5.2.13, restore config from FGT311B and upgrade FGTVM to 6.0.10 and migrate to FGT 401E?

    Please reply

    • mp Post authorReply

      Hello
      The problem with the FortiGate VM is that the ports are labelled differently and probably the VM has not the same interface count.
      Therefore you need to rename the ports first and check if you have enough ports.
      But the upgrade can be done on the VM by following the upgrade path, yes.

  30. HP Reply

    I need to backup and restore the configuration from 300C to 200F.

    Kindly suggest the steps I need to take. Thanks in advance.

  31. CyberJ Reply

    Hi Sir,

    We were given a task to transfer the configuration from 100D -> 100F

    Any comments on this? (Similarities/Differences etc.)

    Thank you.

      • CyberJ Reply

        Thank you for your reply Tech Team.

        If I am sticking with the original method (manual convert) rather than using the Forti tool as suggested, will it work just fine Sir?

        Thank you.

        • vla Reply

          Hello CyberJ
          Since Fortinet does not support manual transfer of configurations and there is a supported tool with service that does a much better job, we recommend our customers to use FortiConverter.
          Best regards,
          BOLL Engineering Tech Team
