Migrate Fortigate Configurations with FortiConverter

Starting with FortiConverter 6.0, any kind of conversion requires a valid license.

Fortinet has published a very helpful tool for converting firewall configs from other vendors into a Fortigate configuration file. An old Fortigate config file can also be used as the source file.

So if you are going to replace an old Fortigate model with a new one and you want to use the old config file (instead of configuring the new Fortigate from scratch), you can use the FortiConverter as an alternative to the procedure we described in one of our earlier blog posts, “How to transfer a FortiGate configuration file to a new FortiGate unit of a different model”.

The FortiConverter requires a license for the full range of functions. With the test version you can test a conversion, but the backup file of the new configuration is not available for download.

The tool runs as a Python application on a Windows client. The installation software can be downloaded from your Fortinet support portal (download area). Currently v5.6.1 is the latest FortiConverter version – please make sure that you are installing the “py”-installation file (the one with .py.exe as file extension).

Running the tool is pretty easy. As source files you have to import the old config file and the empty config file of the new Fortigate model. Then you’ll be guided through a few migration steps where you get some information about the migration. For example, you will be informed that encrypted passwords are not migrated but replaced with “123456”. There is just one obstacle – in the third migration step you have to do the “Interface Mapping”:

Here you have to assign the old interface names to the new interface names. This is necessary because different Fortigate models use different interface names. If you skip this step, the resulting configuration file may use interface names that do not exist on the new Fortigate model, and the configuration will therefore not work as expected.

Once the migration is completed you can download the resulting config file. If you are working with the trial version of FortiConverter you cannot run through any fine tuning steps of the resulting config (renaming firewall objects, syntax checks on object names, etc.), but the basic migration is done anyway. In newer versions of FortiConverter, even the download of the migrated configuration is not possible anymore.

The FortiConverter is a pretty cool tool, which is very helpful when replacing an older Fortigate model with a new one.

A special thanks goes to Nadja for her support in this case!

Addendum: we have to mention that errors can still occur when converting configs with the FortiConverter. So please check the new configuration before or during import.
For example, you can test the new config after the restore with the following CLI command: diag debug config-error-log read.
Right after the reboot the output indicates which configuration parts were not understood by Fortigate and were therefore ignored.
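
An added example, not part of the original post or of FortiConverter: one way to check the converted file before the restore for the two issues described above, values replaced with “123456” and interface names that do not exist on the new model. The sample configs are constructed, and the line layout of the converted output and the set of keys treated as interface references (srcintf, dstintf, interface, device) are assumptions.

```python
import re

# Constructed samples: new model's interfaces, then a converted excerpt.
TARGET = '''config system interface
    edit "wan1"
    next
    edit "internal1"
    next
end'''
CONVERTED = '''config system admin
    edit "admin"
        set password 123456
    next
end
config firewall policy
    edit 1
        set srcintf "internal1"
        set dstintf "port9" "wan1"
    next
end'''
INTF = r'\s*set\s+(?:srcintf|dstintf|interface|device)\s+(.+)$'  # assumed key set

def interface_names(text):
    """Names from `edit` lines directly under `config system interface`."""
    names, stack = {"any"}, []  # "any" is accepted in firewall policies
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            stack.append(line[7:].strip())
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("edit ") and stack == ["system interface"]:
            names.add(line[5:].strip().strip('"'))
    return names

def review(converted, target):
    """Return (line number, finding, detail) tuples to check before import."""
    known, findings = interface_names(target), []
    for no, line in enumerate(converted.splitlines(), 1):
        secret = re.match(r'\s*set\s+(\S+)\s+"?123456"?\s*$', line)
        if secret:  # value equals the converter's placeholder
            findings.append((no, "placeholder 123456", secret.group(1)))
        ref = re.match(INTF, line)
        names = re.findall(r'"([^"]+)"|(\S+)', ref.group(1)) if ref else []
        findings += [(no, "unknown interface", q or b)
                     for q, b in names if (q or b) not in known]
    return findings

if __name__ == "__main__":
    print(*review(CONVERTED, TARGET), sep="\n")
```

Interfaces that exist only in the converted file (VLANs, tunnels, zones) are reported as unknown as well and need a manual look.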

6 thoughts on “Migrate Fortigate Configurations with FortiConverter”

  1. Markus Windisch

    Hi, I tried the tool, all seems to work, but when I reach the Result Overview there’s no “Download Configurations” Button. I’m using the trial version, could this be the reason?
    Thanks for the help

    • vla

      Dear Reader
      Thank you for reading and commenting on our blog.
      Absolutely. With the trial version, this is a limitation. At the time when the post was published, this was not the case yet.
      I have mentioned it in the post.
      Thank you for telling us.
      Kind regards,
      The Boll Engineering Tech team
