Technical Tip : How to load/convert a FortiGate configuration
file from one unit to another (file conversion for a different model).
file from one unit to another (file conversion for a different model).
This article explains how to transfer a FortiGate configuration file to a new
FortiGate unit of a different model.
1. Open the backup configuration file from the previous and different FortiGate Unit.2. Download a backup of a new configuration file from the new unit. This procedure is
different depending on which FortiOS version is running on the FortiGate:In FortiOS 3.0, 4.0, 4.1.x, download a factory default configuration file from
System>Maintenance>Backup&RestoreIn FortiOS 4.2 download a factory default configuration file from
System>Dashboard>System Information>System Configuration3. From the factory default configuration file copy the "config-version", and paste this value
and replace in the backup of the previous configuration file.Make sure that all interface names correspond to the new device. For example, the previous
unit may have had a "wan1" interface however the new device has a "port1" interface, it is
critical to make sure these correspond.Save the new configuration file under a new .conf file. This step is mandatory otherwise when
reloading the new configuration file the error message "configuration file error" will be displayed
on the web based interface.Only copy the "config-version" section of the first line of the config file from the device being
copied. In this way, upon conversion to the new device, the correct "vdom" and "opmode"
settings will be applied.4. Verify which user admin account was used when saving the configuration file. Reloading a
configuration that was saved under a super_admin account to a simple admin account will
display the error message "invalid username or password on the web based interface.5. On the new FortiGate unit, go to System > Status, select Restore, and upload the edited
config file to the new unit. The unit restarts automatically.6. Test the configuration.It must be noted that modifying .conf files in this manner will not ensure that all profiles will be
saved. This is particularly true if this procedure is used for .conf files being used on a different
versions of FortiOS. For example, reloading a .conf file to a FortiGate running FortiOS 4.1
from a .conf file using FortiOS 4.2, any new profiles related to new FortiOS features will be lost.
以下是Ivan的測試結果:
文章說可以從FortiOS4.2備出的Conf檔,回復至4.1的設備上面,但我沒有測試到,4.2的檔能不能放到5.0上,理論上應該是不行的。
我測試過,同版本,不同Model的Fortigate,Conf檔需要用上述方法去解決。
案例: 5.0 build0292,我故意將兩個Fortigate都上成同一版本OS,一隻是Fortigate60C,一個是FortiWifi60D,任務是將60C的Conf檔,轉到60D身上。
一開始,把60C的Conf備份出來,直接套到60D身上Restore,結果出現Configuration File Error。 用文章提及方法,將60D的Conf備份出來(不一定是Factory Default),然後以文字編輯軟件打開,把裡面第一行 #config-version=FW........ 整行拷貝出來,貼到60C的Conf裡相同位置。
再將這個修改過的60C Conf檔,restore到60D中,結果就成功了。
要注意的是,文章也有提及過,如果Interface的名稱不一樣,就會出現大問題,例如60D轉去300D,因為300D沒有WAN1 WAN2的概念,所以就有問題。
16,Sep-2015
實際上,如果你要將一個舊Firewall的4.0 設定檔,以這種方法轉換成5.0能跑的設定檔,是能成功上載上去,亦很不幸地他會自動將不兼容的東西修復甚至Overwrite。造成很多隱藏問題。 最好的解決方法,還是以人手以CLI形式,檢查並貼到新設備中,然後再作修改。
沒有留言:
張貼留言