Import the configuration to FortiGate by uploading a CLI script file
This section applies only to third-party vendor to FortiGate conversions.
When you convert a source configuration to a FortiGate configuration, the resulting conversion files are placed in the FGT/ folder. The file config-all.txt contains all of the converted CLI configuration, and each kind of object is also written to its own file, such as config-system-interface.txt and config-firewall-address.txt.
Before you import the output configuration, search the file for any comments that indicate issues that FortiConverter detected during the conversion (such as missing objects or conflicting object values) and fix them. To locate these comments, search for lines that start with # (number/hash symbol). You can't successfully import the configuration if you don't fix these issues.
To import the sections of the output configuration file(s):
For FortiOS 6.2.2 and earlier versions, go to the left navigation panel and select System > Advanced. Select Upload and Run a New Script to locate the script file, then click Apply.
For FortiOS 6.2.3 and later versions, go to the admin dropdown menu in the top right corner, then select Configuration > Scripts > Run Script to upload and run the CLI script file.
Fortinet also recommends that you do not import the file config-all.txt directly, but instead import each divided configuration file, such as config-system-interface.txt and config-firewall-address.txt, separately. This makes troubleshooting easier if an error occurs.
Because you can't successfully import a section of configuration that references an object that doesn't already exist in the configuration, ensure that you import the configuration sections in their original order. For example, you typically import policies last because they reference interfaces, addresses, users, services, IPsec phase1s, security policies, and so on. If these objects are missing, FortiGate doesn't accept the policy.
To make troubleshooting easier when there are import errors, before you import sections, enable CLI debugging.
By default, CLI debugging is level 3. This is the level to use under normal conditions.
You can use this command to view the current debug level:
# diagnose debug info
A response similar to the following appears:
debug output: disable
console timestamp: disable
console no user log message: disable
CLI debug level: 3
For the configuration importing process, the appropriate debug level is 8. Use this command to change the debug level:
diag debug enable
diag debug cli 8
When the import process is complete, use this command to return the debug level to the default (3):
diag debug reset
Import the sections of the conversion output systematically. For each section you import, check for import failures in the web UI Script Execution History. Use CLI debugging to diagnose and fix any errors. When the import is successful, continue with the next section of the configuration.
The following simple configuration generates an error because Test3 isn't defined:
config firewall address
edit "Test1"
set subnet 1.1.1.1 255.255.255.255
next
edit "Test2"
set subnet 1.1.1.2 255.255.255.255
next
end
config firewall addrgrp
edit "Test-Addresses"
set member "Test1" "Test2" "Test3"
next
end
When you save this configuration as a file and import it, the Failure status indicator shows.
The following CLI output captures detailed information about the error:
0: config firewall address
0: edit "Test1"
0: set subnet 1.1.1.1 255.255.255.255
0: next
0: edit "Test2"
0: set subnet 1.1.1.2 255.255.255.255
0: next
0: end
0: config firewall addrgrp
0: edit "Test-Addresses"
-3: set member "Test1" "Test2" "Test3"
1: next
0: end
write config file success, prepare to save in flash
The error code -3 indicates that FortiGate did not find the object and the return code 1 indicates that an error occurred.
Notice that FortiGate creates the address objects Test1 and Test2. The failure status only relates to the address group.
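As an added example (not part of the FortiConverter documentation), the following Python script scans captured level-8 CLI debug output for nonzero return codes and reports the config block and entry each failing command belongs to. The function name find_failures and the context tracking are assumptions of this example; the sample input is the failing output shown above, and the meanings given for codes -3 and 1 are the ones stated on this page.

```python
import re

# Debug output of the failing import, copied from the page.
SAMPLE = """\
0: config firewall address
0: edit "Test1"
0: set subnet 1.1.1.1 255.255.255.255
0: next
0: edit "Test2"
0: set subnet 1.1.1.2 255.255.255.255
0: next
0: end
0: config firewall addrgrp
0: edit "Test-Addresses"
-3: set member "Test1" "Test2" "Test3"
1: next
0: end
"""

# Only the two code meanings the page states; others are reported as numbers.
MEANING = {-3: "object not found", 1: "error occurred"}
LINE = re.compile(r"^\s*(-?\d+):\s*(.*\S)\s*$")

def find_failures(debug_text):
    """Return (code, context, command) for each command with a nonzero code."""
    stack, failures = [], []  # stack: one [section, entry] per open config block
    for raw in debug_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an echoed "<code>: <command>" line
        code, cmd = int(m.group(1)), m.group(2)
        word, _, rest = cmd.partition(" ")
        if word == "config":
            stack.append([rest.strip(), None])
        elif word == "edit" and stack:
            stack[-1][1] = rest.strip().strip('"')
        if code != 0:
            ctx = " > ".join(f"{s} [{e}]" if e else s for s, e in stack)
            failures.append((code, ctx, cmd))
        if word == "next" and stack:
            stack[-1][1] = None
        elif word.startswith("end") and stack:  # tolerates "end" fused with console text
            stack.pop()
    return failures

if __name__ == "__main__":
    for code, ctx, cmd in find_failures(SAMPLE):
        print(f"{code:>3} ({MEANING.get(code, 'see debug output')}) in {ctx}: {cmd}")
```

Running it against the output of each imported section shows at a glance which object to fix before moving on to the next file.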
When you fix the script by adding the missing Test3 object and import it again, the Success status indicator shows.
When the configuration is fixed, all return codes in the CLI debugging are 0, indicating no errors.
0: config firewall address
0: edit "Test1"
0: set subnet 1.1.1.1 255.255.255.255
0: next
0: edit "Test2"
0: set subnet 1.1.1.2 255.255.255.255
0: next
0: edit "Test3"
0: set subnet 1.1.1.3 255.255.255.255
0: next
0: end
0: config firewall addrgrp
0: edit "Test-Addresses"
0: set member "Test1" "Test2" "Test3"
0: next
0: end
write config file success, prepare to save in flash