shadowsfx45
New Contributor

FG300C to FG300E upgrade

Hi, I am new to FortiGate firewalls.

We are planning to upgrade the existing FW, which is an FG300C on 5.2.2, to an FG300E on the latest FortiOS. I would like to know if there is any recommendation that I have to consider or some procedure which I can follow for the upgrade.

 

Thank you 

7 Solutions
sw2090
Honored Contributor

Keep two things in mind:

 

  • Different FortiGate models may have different interface names and layout. Due to this you may have to change your config before you import it on the new FGT. ALWAYS import a config backup into the same FortiOS version you exported it on. So if you have 5.2.2 on your current FG300C then downgrade the new FG300E to 5.2.2 before importing the backup from the FG300C!
  • Afterwards upgrade to the latest FOLLOWING THE UPGRADE PATH as recommended by Fortinet. You find that in the release notes for the latest FortiOS. In this case this will mean you need to go from 5.2.2 to 5.2.3 to 5.2.5 to 5.2.7 to 5.2.9 to 5.2.10. Then from 5.2.10 to 5.4.4. Unfortunately I don't have the rest here since we don't use v5.6 here.

    If you do not need to preserve your config you don't need to do this of course. In this case upgrade it to the latest FortiOS and then config from scratch :)

     

    hth

    Sebastian

    -- 

    "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

    ede_pfau

    As it turns out the 300E is a brand-new model which is supported by FOS v5.6 only. This is often the case when you keep the hardware for, say, more than 5 years, and buy the latest HW.

     

    But, as so often, there's a light side to this:

    if you reconfigure from scratch you will wade out a lot of 'historical' objects, like addresses, services, policies. There even could be more efficient ways to achieve a protection because FOS has evolved over time.

    'from scratch' isn't meant literally, you can reuse chunks of the config (like address definitions) by cut&paste between old and new config file. Inserting into the running config will give you instant feedback of syntactical errors; OTOH the amount of 'live pasted' code is limited (finally, you'll run into a timeout).

     

    To facilitate live pasting:

    open a second console window (SSH), enter 'diag deb ena', 'diag deb cli 7'. Now, the command line interface will be quite chatty so you can spot the reason for an error more easily.


    Ede

    "Kernel panic: Aiee, killing interrupt handler!"

    ede_pfau

    FG-300C is not supported in FOS v5.6! there is no firmware which supports both models.


    Ede

    "Kernel panic: Aiee, killing interrupt handler!"

    loic
    New Contributor III

    Why don't you use the FortiConverter?

    Can migrate configurations between FortiGate devices to minimize the risk associated with network upgrades. Facilitates migration to new hardware models from legacy FortiGate devices. This feature is enabled with the trial license

    Loïc

    sw2090
    Honored Contributor

    oh yeah great idea loic. Just had forgotten that this exists xD

    Will be worth a try maybe. However on my tries I always lost something on conversion (e.g. setup of my interfaces)...

    -- 

    "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

    Seppel
    Contributor II

    Hi,

    Unfortunately, you cannot update from a 300c to a 500e. Usually you can save the config, change the header and read it in on a new FortiGate. In the text file you can also change the interfaces with search and replace. Between 5.2 and 5.6, however, the hash value has changed for the encrypted passwords. Unfortunately, it is now impossible to simply transfer the config. That does not work with the FortiConverter, which is more intended to convert configurations from other manufacturers. If you do not want to rewrite the complete config, you can do the detour via a 300d. Take a 300d with 5.2 on it, copy the 300c config onto the 300d and make the update steps to 5.6.3. Maybe your reseller can help you out with a piece of her own.

    We have done it this way from 300c to 500e.

     

    Regards,

     

    andy

    Fortigate 500E HA Fortimail 200 Fortimanager

    FortiEMS

    FortiSandbox 1000D

    FortiSwitch Network Some other Models in use :-) ---------------------------------------------------- FCSE ----------------------------------------------------
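
An added example, not part of the original post and not Fortinet code: one way to prepare a backup for the manual route described above, changing the header model, renaming interfaces as whole quoted tokens (plain search and replace of `port1` also rewrites `port10`), and listing the `ENC` secrets that must be re-entered by hand. The sample config, the header layout, the `IF_MAP` names and the `migrate` helper are all assumptions.

```python
import re
# Constructed sample backup, not from the thread; header layout and names are assumptions.
SAMPLE = """#config-version=FG300C-5.02-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system interface
    edit "port1"
    next
    edit "port10"
    next
end
config system admin
    edit "admin"
        set password ENC CONSTRUCTED-PLACEHOLDER-HASH
    next
end
config firewall policy
    edit 1
        set srcintf "port10"
        set dstintf "port1"
    next
end
"""
IF_MAP = {"port1": "wan1", "port10": "port2"}  # hypothetical old -> new names

QUOTED = re.compile(r'"([^"]*)"')
SECRET = re.compile(r"^\s*set\s+(\S+)\s+ENC\s+\S+")

def migrate(text, new_model, if_map):
    """Return (rewritten config, [(section, entry, field)] of ENC secrets to re-enter)."""
    out, secrets, section, entry = [], [], "", ""
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if n == 1 and s.startswith("#config-version="):
            # Replace only the model token; the version must match the target firmware.
            line = re.sub(r"(?<==)[^-:]+", new_model, line, count=1)
        elif s.startswith("config "):
            section = s[len("config "):]   # nested blocks simply overwrite this
        elif s.startswith("edit "):
            entry = s[len("edit "):].strip('"')
        found = SECRET.match(line)
        if found:
            secrets.append((section, entry, found.group(1)))
        elif n > 1:
            # Whole-token, single-pass rename: "port10" is never hit by the "port1" rule.
            line = QUOTED.sub(lambda q: '"%s"' % if_map.get(q.group(1), q.group(1)), line)
        out.append(line)
    return "\n".join(out) + "\n", secrets

if __name__ == "__main__":
    print(*migrate(SAMPLE, "FG300E", IF_MAP), sep="\n")
```

Any quoted value that equals an old interface name is renamed, so an address or alias object that shares a name with a port needs a manual check afterwards.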

    sw2090
    Honored Contributor

    OK, then do it as I wrote before: copy and paste part by part and manually fix the errors.

    And reset your passwords because of the hashes (which also changed from 5.2 to 5.4 as I noticed).

     

    Or as andy wrote get a 300d and do what he wrote.

    -- 

    "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

    13 REPLIES
    sw2090
    Honored Contributor

    Well in this case it's worth a check if you can upgrade the 300C to 5.6. If possible you might do what I said vice versa.

    That is, first upgrade the 300C to the latest 5.6 according to the upgrade path and then export the config and put it into the 300E with the same 5.6 on it.

     

     

    -- 

    "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

    shadowsfx45

    Thank you Sebastian and Ede. Much helpful.

     

    I am worried that the FG-300C does not support 5.6 and the FG300E does not support 5.2. So I have to do a manual conversion. I am trying to get a 330D loan unit which I can use to set up in 5.2 and upgrade to 5.6 and copy the config and export in FG300E on 5.6. Is this plausible?

     

    Thanks

    sw2090
    Honored Contributor

    Probably it will be plausible. However there can be differences in interface naming and/or layout or some other things. I came across options that do exist only on some models even if they run the same firmware version.

    So these things may require manual fixation.

    If the 30C,330D and the 300E have the same interface naming and layout you have a 98% chance that the export will work out of the box. 

    -- 

    "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
