How to transfer a FortiGate configuration to a newer model

Over their lifecycle, firewalls are often replaced with a newer model, and you usually want to keep the configuration. There are several ways to do this, which we present in this blog post:

1. FortiConverter Service
2. FortiConverter Tool
3. Partial Config Transfer
4. Full Config Transfer

The German version of this article can be found here: So übertragen Sie eine FortiGate Konfiguration auf ein neueres Modell

1. FortiConverter Service

The FortiConverter service is a one-time, licensed service for converting a third-party or older FortiOS configuration to the latest FortiOS for a new FortiGate unit.

The FortiConverter Service is already included in the Enterprise or 360 Protection Bundles. If a FortiGate has the FortiConverter Service licensed, you can see it in the license overview on the corresponding firewall in the Support Portal. If the license is not included, it must be purchased on the new FortiGate that replaces the old unit.

The conversion is done via the FortiConverter portal, which can be reached via the following link: https://service.forticonverter.com/

In the FortiConverter portal, select the FortiGate for conversion and create a service ticket on this FortiGate.

Then you upload the configuration of the old firewall to the ticket, configure the “Physical Interface Mapping”, i.e. which interface of the new FortiGate corresponds to which interface of the old FortiGate, and complete the conversion.

The conversion is now performed by the service team. Once the conversion is complete, the new configuration can be downloaded from the ticket.

Summary

A good, supported service for conversions across different models and FortiOS versions if you don’t want to spend time on the conversion yourself. It is a paid service, but it is already included in the Enterprise and 360 Protection Bundles; otherwise it can be purchased at a very low price.

Documentation: https://docs.fortinet.com/product/forticonverter-service

2. FortiConverter Tool

Besides the service, you can also install the FortiConverter tool yourself and perform conversions.
The FortiConverter requires a license for the full range of functions. With the trial version you can test a conversion, but the backup file of the new configuration is not available for download.

The tool runs as a Python application on a Windows client. You can download the installation software from your Fortinet support portal in the download area.

After installation, the user interface is accessed via a WebUI, where you select the configuration to convert and the target system. After a successful conversion, the configuration is available for download as a backup.

Summary

An easy way to convert configurations to new versions with locally installed software. The scope is limited without a license, and the license only pays off after a certain number of conversions.

Blog: Migrate Fortigate Configurations with FortiConverter
Documentation: https://docs.fortinet.com/product/forticonverter

3. Partial Config Transfer

If converting the configuration with the FortiConverter does not work or is not desired, you can also convert only parts of the configuration manually. We recommend this procedure to avoid converting old configurations across releases.

For example, address lists, firewall rules or routing entries can be transferred. Simply copy parts of the configuration and paste them into the new configuration via the CLI. This can also be done during operation without a reboot. Changes to naming can be made beforehand with “Search and Replace”.

config firewall address
    --> Copy from here
    edit "LAN-Work-Subnet"
        set associated-interface "LAN-Work"
        set subnet 192.168.2.0 255.255.255.255
    next
    edit "DC02-LAN-Work"
        set associated-interface "LAN-Work"
        set subnet 192.168.2.12 255.255.255.255
    next
    <-- Paste to here in the new configuration
end

Summary

With this approach the configuration is rebuilt on the new device, but selected objects can still be carried over, which saves work. It also avoids carrying old, no longer used configuration parts into the new config.

It is important that the syntax matches the new firmware. The best check is to create the same object on the new unit and then compare it via the CLI to see whether the syntax has changed.

4. Full Config Transfer

With the last variant, the complete content of an old configuration is prepared for the new FortiGate. We recommend this “quick and dirty” variant only if the other three variants are not available.

This procedure usually only works if both devices run the same firmware version. Otherwise, parts of the configuration cannot be adopted. The interfaces and their architecture (hardware switch, software switches, LAG) must also be checked carefully beforehand and adjusted to the new FortiGate model.

Procedure: Save a backup of the new FortiGate unit.
Open this backup with a text editor and copy the header lines beginning with #:

# config-version=FGVM64-6.4.5-FW-build1828-210217:opmode=0:vdom=0:user=admin
# conf_file_ver=16381207134220940
# buildno=1828
# global_vdom=1

Paste these lines into the configuration file of the old unit, replacing its original header lines.

Now you need to adjust the interface names with “Find and Replace” if they have changed on the new FortiGate. For example, the previous unit may have had a “wan1” interface, whereas the new unit has a “port1” interface.

Save the configuration file. Then go to the WebUI of the new FortiGate unit and perform a restore of the configuration. This will restart the FortiGate unit with the configuration of the old FortiGate unit.

Use the following command to check whether all configuration parts have been transferred correctly:

diag debug config-error-log read
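The following script is an added example, not code from the original post or from Fortinet. It automates the manual steps of variants 3 and 4: extract_section pulls one top-level config block out of the old backup for a partial transfer, split_header and prepare_full_transfer put the new unit’s header lines on top of the old body, and rename_interfaces renames interfaces only where they appear as whole quoted tokens, so that “wan1” becomes “port1” without a plain find-and-replace also turning “wan10” into “port10”. The backup excerpt and the header lines are constructed sample data.

```python
import re
# Constructed excerpt of an old FortiGate backup (not a real device export).
OLD_CONFIG = """\
# config-version=FG100E-6.4.5-FW-build1828-210217:opmode=0:vdom=0:user=admin
# conf_file_ver=1234567890
config firewall address
    edit "DC02-LAN-Work"
        set associated-interface "wan1"
        set subnet 192.168.2.12 255.255.255.255
    next
end
config firewall policy
    edit 1
        set srcintf "wan10"
        set dstintf "wan1"
    next
end
"""
# Header lines taken from a backup of the new unit (also constructed).
NEW_HEADER = "# config-version=FGVM64-6.4.5-FW-build1828-210217:opmode=0:vdom=0:user=admin\n# conf_file_ver=16381207134220940\n"

def split_header(text):
    # The leading '#' lines form the header the new unit checks on restore.
    m = re.match(r"(?:#[^\n]*\n)*", text)
    return m.group(0), text[m.end():]

def rename_interfaces(body, mapping):
    # Whole quoted tokens only: "wan1" -> "port1", but "wan10" stays untouched.
    return re.sub(r'"([^"]*)"', lambda m: '"%s"' % mapping.get(m.group(1), m.group(1)), body)

def extract_section(body, header):
    # Top-level 'config ... end' block for a partial transfer, honouring nested config/end.
    out, depth = [], 0
    for line in body.splitlines():
        s = line.strip()
        if depth == 0 and s != header:
            continue
        out.append(line)
        if s.startswith("config "):
            depth += 1
        elif s == "end":
            depth -= 1
            if depth == 0:
                return "\n".join(out) + "\n"
    return None

def prepare_full_transfer(old_config, new_header, mapping):
    # Variant 4: the new unit's header on top of the old body, interfaces renamed.
    return new_header + rename_interfaces(split_header(old_config)[1], mapping)
```

For a partial transfer, run rename_interfaces over the block returned by extract_section and paste the result into the CLI of the new unit; after a full restore, diag debug config-error-log read shows the lines the new firmware rejected.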

Summary

A free way to transfer a configuration completely to a new device. It only works properly if both devices run the same firmware. It is important to check the configuration for missing parts at the end.

KnowledgeBase Article: https://kb.fortinet.com/kb/documentLink.do?externalID=FD30056
