Support Forum
JukkaH
New Contributor

Configuration export/import to the different device

Is it possible to export configuration from one Fortigate device and import it to another? Obviously it is not possible if interfaces and hardware are totally different, but how about transferring from 60B to 60D? Is it possible? Or are there any tools that could be helpful to do this kind of migration? I did find this on the docs site, but it is not looking that official... http://docs.fortinet.com/d/fortigate-transferring-a-configuration-file-from-one-model-to-another
emnoc
Esteemed Contributor III

The short answer is YES, but with some work & effort on your part. Take your 2 examples, a 60B and 60D. Are they 100% the same? Nope, but they are similar. Hardware counts, ports, ASIC types, OS version could all be different to a little degree. Can you migrate a cfg from one to another? Yes, I've done it hundreds of times between similar and non-similar items. And even a 50B to a 100D; they can be done but require some work effort. What you should do imho:

1: download the cfg and review it via VI/Word
2: download the virgin cfg on the new device, repeat, look at the difference
3: items like address groups/addrs/vip, user-accounts, should be a 1n1 swap
4: fwpolicies, dhcp-server, interfaces cfg, might need some review/editing/audit

MS Word/TextPad Find/Replace comes in handy, or the same in VI/VIM for us unix guys. Look at ALL aspects of the cfg; since this is a migration, you can pull the relevant parts of the 60B cfg, make changes, upload it to the 60D and look for errors. Go slow and pay attention to all details. If you get in a bind, you can easily fall back to the 60B. In my new & current life, that's one of the things I do: cfg swapping between Fortigate and non-Fortigate devices.

PCNSE NSE StrongSwan
jorge9090
New Contributor

I've never tried this. What happens if I load a cfg in a Fortigate with editing errors? Does the Fortigate reject the config?
rwpatterson
Valued Contributor III

Yes. Also if the versions of firmware are the same, it makes it easier once again. Minor firmware differences should be OK as well. Major version differences, I would do what Emnoc recommended.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

emnoc
Esteemed Contributor III

Yeah, if you load the cfg file and the cmd or objects are not available, it would create a lot of errors. I would pull the address/group objects first from the command line:

show firewall address
show firewall addrgrp

Police it and make any changes if you're bound to any interfaces and if the naming convention is different for the interface (i.e. port1 vs interface1). Next, I would pull the firewall policies:

show firewall policy

Again, police the policy-id or use find/replace if you need to change something like an interface name/type. Now you have like 80% of the stuff ready to be added to the new FGT. You repeat the same for config sys interface and admin accounts. Once again you will have to do some work and put in a little bit of effort. Don't forget any vpn or dhcp server statements. It should take you maybe < 1 hour on a SOHO firewall to lift and walk new cfgs to a new unit and to change turtle shells per se. Like I said, I've done this a hundred times at least. Just go slow and do it in sections like described above (global cfg, interface, address/groups/vip and last policies). If you follow the tree of a typical configuration, the dependent item is always done 1st, e.g. don't try to build fwpolicies that have address groups when you haven't installed the group, or apply a dhcp-server when you don't have the interfaces configured, or install vpn-interfaces where you don't have the interfaces defined. Just go slow and easy.

JukkaH
New Contributor

emnoc, thanks for the answer! :) It is a relief to hear that someone has done this 'hundreds of times'. Just hard work, will do that!
mark9885

I've used bash scripts to automate much of this, substituting the text so that horrible interface names can be fixed in the process:

linuxbox ~/bin $ cat ch
# Usage: ch config <section>, e.g. "ch config firewall address".
# Strip the leading "config " so only the section name is matched below.
text=`echo $* | sed 's/config *//'`
# Print a banner between sections so the pasted output is easy to scan.
echo "

###################################################################################################
###################################################################################################
###################################################################################################

"
# Pull the requested "config ... end" section out of the raw dump, rename the
# old interface names, comment out the nntp section and drop the lines that
# are specific to the old unit.
cat ~/chfw/chfw_raw | awk "/^config .*${text}/,/^end/" |\
sed '
s/MGMT-EXT/external_dmz/
s/.*deep-inspection-options "default"//
s/dmzmgt/mgmt_ISP/
s/Ext SIP/external_sip/
s/ASA-INSIDE/inside_asa/
s/ASA-OUTSIDE/outside_asa/
s/Outside/outside_dmz/
s/Inside/inside_dmz/
s/MGMT-OOB2/DMZ_mgt/
' |\
awk '/config nntp/,/end/ { sub (//,"#") } ; { print }' |\
egrep -v "set type aggregate|set allowaccess|set snmp-index|set vdom"


Then just run through the sections required to pipe over the config to the new device:

linuxbox ~/bin $ cat chfw_config
ch config firewall schedule onetime
ch config firewall schedule recurring
ch config antivirus profile
ch config application list
ch config firewall shaper traffic-shaper
ch config ips sensor
ch config firewall ippool
ch config firewall vip
ch config firewall address
ch config firewall addrgrp
ch config firewall service custom
ch config firewall service group
ch config firewall policy
ch config firewall DoS-policy


Just tweak the terminal speed so that you can paste the lot in, and look for "fail" messages so you can add whatever sections of config are required to make your config work.


After each attempt load a blank policy on via FortiManager to (nearly) blank the unit ready for the next attempt.


Enjoy!
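The section-by-section lift that emnoc describes (interfaces, then addresses and groups, then policies last) and the rename/strip pipeline in mark9885's scripts, rebuilt as one added example. This is not code from the thread and not a Fortinet tool; it runs on a constructed dump in the shape of FortiGate CLI "show" output embedded in the script, and the old=new interface map (internal=lan) is an assumption for a hypothetical 60B to 60D move. It goes one step beyond the thread: a pre-flight check that every address object a policy refers to is defined earlier in the paste, which catches the "fail" messages on the new unit before anything is pasted.

```bash
#!/bin/bash
# Added example, not mark9885's script and not anything from Fortinet: it rebuilds
# the thread's workflow (lift sections in dependency order, rename interfaces,
# strip per-unit lines, look for failures) on a constructed dump.

# Constructed sample in the shape of FortiGate CLI "show" output from the old
# unit; addresses and object names are made up for the example.
OLD_CFG='config system interface
    edit "internal"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
        set snmp-index 1
    next
    edit "wan1"
        set ip 198.51.100.2 255.255.255.0
        set snmp-index 2
    next
end
config firewall address
    edit "Inside_LAN"
        set subnet 192.0.2.0 255.255.255.0
        set associated-interface "internal"
    next
end
config firewall addrgrp
    edit "LAN_Group"
        set member "Inside_LAN"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN_Group"
        set dstaddr "all"
        set action accept
        set schedule "always"
    next
end'

# Hypothetical old=new interface names for the target unit (an assumption; the
# real names depend on the model).
IFMAP='internal=lan'

# Print one top-level "config <section> ... end" block from the dump on stdin.
# Comparing whole lines means an indented "end" inside an entry cannot close
# the range early.
extract_section() {
    awk -v sec="config $1" '$0 == sec, $0 == "end"'
}

# Drop values that belong to the old hardware: snmp-index is assigned per unit,
# and management access (allowaccess) is better re-enabled deliberately on the
# new box than carried over by accident.
strip_model_specific() {
    grep -v -E '^ *set (snmp-index|allowaccess) '
}

# Rename interfaces only where they appear as quoted values, so a map entry
# such as internal=lan cannot also rewrite an address called "internal_hosts".
rename_interfaces() {
    local script='' old new
    while IFS='=' read -r old new; do
        [ -n "$old" ] || continue
        script="$script
s/\"$old\"/\"$new\"/g"
    done <<EOF
$IFMAP
EOF
    sed "${script#?}"
}

# Emit sections in dependency order: interfaces, then addresses, then the
# groups that reference them, and policies last.
migrate() {
    local sec
    for sec in "system interface" "firewall address" "firewall addrgrp" "firewall policy"; do
        printf '%s\n' "$OLD_CFG" | extract_section "$sec" \
            | strip_model_specific | rename_interfaces
    done
}

# Pre-flight on migrated text (stdin): every address object a policy references
# must be defined earlier in the paste, or the new unit rejects that policy.
# Returns 0 when all references resolve, 1 otherwise.
check_policy_refs() {
    local cfg defined missing
    cfg=$(cat)
    defined=$(printf '%s\n' "$cfg" | awk '/^config firewall (address|addrgrp)$/,/^end$/' \
        | sed -n 's/^ *edit "\(.*\)"$/\1/p')
    missing=$(printf '%s\n' "$cfg" | awk '/^config firewall policy$/,/^end$/' \
        | grep -E '^ *set (srcaddr|dstaddr) ' | grep -o '"[^"]*"' | tr -d '"' | sort -u \
        | while IFS= read -r ref; do
            [ "$ref" = "all" ] && continue
            printf '%s\n' "$defined" | grep -qx -- "$ref" || echo "$ref"
          done)
    [ -z "$missing" ] && return 0
    echo "referenced by a policy but not defined: $missing" >&2
    return 1
}

# Stand-alone run: print the migrated sections, then fail if a reference is unresolved.
migrate
migrate | check_policy_refs
```

Two design points worth keeping when adapting this to a real dump: the rename matches only quoted values, because a bare substitution like s/Inside/inside_dmz/ also rewrites object names that merely contain the word; and the reference check is run on the text you are about to paste, so a group that was left out of the lift shows up here instead of as a rejected policy on the new unit.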
