FortiGate Configuration Migration
Migration notes
Starting with FortiConverter v5.6.3, each FortiGate-to-FortiGate migration requires connection through a FortiGate device to perform REST API import. Users can import the converted configuration directly to the target device on the import wizard page.
The configuration that may block the connection to the device may be replaced or removed by FortiConverter. To make sure that the connection is not blocked, please configure these settings after the configuration import completes.
Settings that requires checking
- config system global
- set admin-sport
- set admin-port
- set admin-server-cert
- set admin-maintainer
- config system settings
- set manageip
- config system admin
- config system replacemsg *
- The config of the connection interface between FortiConverter and device.
Settings that FortiConverter doesn’t import
- All certificate related
- All encrypted passwords would be overridden to "12345678"
- config user fortitoken
Import configuration issues
There are known issues in the REST API on the FortiGate side. It may cause the import configuration to be incomplete even it shows that the import was successful, especially the profile configurations.
For example:
- config webfilter profile.
- config voip profile
- config firewall profile-protocol-options
One suggestion is to review them by CLI Comparison and manually upload to the device. |
The migration consists of two parts:
- The configuration conversion from lower version to higher version base on the input configuration and the target device version.
- Import the converted configuration to import to the target device.
After the import completes, review and manually adjust the restorable configuration established by "Backup config". It downloads the configuration from the device and can restore it to another device.
*Note: The device with version 5.2 or older is not supported for the REST API feature. |