Starting with FortiConverter 6.0, any kind of conversion requires a valid license
Fortinet has published a very nice and helpful tool for converting firewall configs from other vendors into a Fortigate configuration file. Also an old Fortigate config file can be used as the source file.
So if you are going to replace an old Fortigate model with a new one and you want use the old config file (instead of configuring the new Fortigate from the scratch) you can use the FortiConverter as an alternative to the procedure we have described in one of our former blog post «How to transfer a FortiGate configuration file to a new FortiGate unit of a different model».
The FortiConverter requires a license for the full range of functions. With the test version you can test a conversion, but the backup file of the new configuration is not available for download.
The tool runs as an python application on a Windows client. The installation software can be downloaded from your Fortinet support portal (download area). Currently v5.6.1 is the latest FortiConverter version – please make sure that you are installing the «py»-installation file (the one with .py.exe as file extension).
Running the tool is pretty easy. As source files you have to import the old config file and the empty config file of the new Fortigate model. Then you’ll be guided through a few migration steps where you get some information about the migration. For example you will be informed that encrypted passwords are not being migrated but replaced with «123456». There is just one obstacle – in the third migration step you have to do the «Interface Mapping»:
Here you have to assign the old interface names to the new interface names. This is necessary because different Fortigate models use different interface names. If you skip this step it’s possible that the resulting configuration file is using interface names that do not exist on the new Fortigate model and therefor this configuration does not work as expected.
Once the migration is completed you can download the resulting config file. If you are working with the trial version of FortiConverter you cannot run through any fine tuning steps of the resulting config (renaming firewall objects, syntax checks on object names, etc.), but the basic migration is done anyway. In newer versions of FortiConverter, even the download of the migrated configuration is not possible anymore.
The FortiConverter is a pretty cool tool, which is very helpful when replacing an older Fortigate model with a new one.
A special thanks goes to Nadja for her support in this case!
Addendum: we have to mention that when converting the configs with the FortiConverter still errors can occur. So please check the new configuration before or during import.
For example you can test the new config after the restore with following CLI command:
diag debug config-error-log read.
Right after the reboot the output indicates which configuration parts were not understood by Fortigate and were therefore ignored.