Import the configuration to FortiGate by uploading a CLI script file
This section applies only to conversions from a third-party vendor to FortiGate.
When you convert a source configuration to a FortiGate configuration, the resulting conversion files are placed in the FGT/ folder. The file config-all.txt contains all of the converted CLI configuration, and each kind of object is also written to a separate file, such as 02-config-system-interface.txt and 04-config-firewall-address.txt.
Before you import the output configuration, search the file for any comments that indicate issues that FortiConverter detected during the conversion (such as missing objects or conflicting object values) and fix them. To locate these comments, search for lines that start with # (number/hash symbol). You can't successfully import the configuration if you don't fix these issues.
To import the sections of the output configuration file(s), go to the admin dropdown menu in the top right corner, and then select Configuration > Scripts > Run Script to upload and run the CLI script file.
Fortinet also recommends that you do not import the file config-all.txt directly, but instead import each divided configuration file, such as 02-config-system-interface.txt and 04-config-firewall-address.txt, separately. This makes troubleshooting easier if an error occurs.
A section of configuration cannot be successfully imported if an object it references doesn't already exist in the configuration. For example, interfaces, addresses, users, services, and IPsec phase1 objects should be imported before policies are imported. To prevent this kind of failure, import the configuration sections in the order given by the script file names. For example, import 01-config-system-settings.txt first and 02-config-system-interface.txt second. This order ensures that all the referenced objects exist when a configuration section is imported.
To make troubleshooting easier when there are import errors, before you import sections, enable CLI debugging.
By default, CLI debugging is level 3. This is the level to use under normal conditions.
You can use this command to view the current debug level:
# diagnose debug info
A response similar to the following appears:
debug output: disable
console timestamp: disable
console no user log message: disable
CLI debug level: 3
For the configuration importing process, the appropriate debug level is 8. Use this command to change the debug level:
diag debug enable
diag debug cli 8
When the import process is complete, use this command to return the debug level to the default (3):
diag debug reset
Import the sections of the conversion output systematically. For each section you import, check for import failures in the web UI Script Execution History. Use CLI debugging to diagnose and fix any errors. When the import is successful, continue with the next section of the configuration.
The following simple configuration generates an error because Test3 isn't defined:
config firewall address
edit "Test1"
set subnet 1.1.1.1 255.255.255.255
next
edit "Test2"
set subnet 1.1.1.2 255.255.255.255
next
end
config firewall addrgrp
edit "Test-Addresses"
set member "Test1" "Test2" "Test3"
next
end
When you save this configuration as a file and import it, the Failure status indicator shows.
The following CLI output captures detailed information about the error:
0: config firewall address
0: edit "Test1"
0: set subnet 1.1.1.1 255.255.255.255
0: next
0: edit "Test2"
0: set subnet 1.1.1.2 255.255.255.255
0: next
0: end
0: config firewall addrgrp
0: edit "Test-Addresses"
-3: set member "Test1" "Test2" "Test3"
1: next
0: end
write config file success, prepare to save in flash
The error code -3 indicates that FortiGate did not find the object, and the return code 1 indicates that an error occurred.
Notice that FortiGate creates the address objects Test1 and Test2. The failure status only relates to the address group.
When you fix the script by adding the missing Test3 object and import it again, the Success status indicator shows.
When the configuration is fixed, all return codes in the CLI debugging are 0, indicating no errors.
0: config firewall address
0: edit "Test1"
0: set subnet 1.1.1.1 255.255.255.255
0: next
0: edit "Test2"
0: set subnet 1.1.1.2 255.255.255.255
0: next
0: edit "Test3"
0: set subnet 1.1.1.3 255.255.255.255
0: next
0: end
0: config firewall addrgrp
0: edit "Test-Addresses"
0: set member "Test1" "Test2" "Test3"
0: next
0: end
write config file success, prepare to save in flash
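For longer sections, the return codes described above can be checked mechanically. The following Python is an added example, not part of the Fortinet documentation: the hypothetical helper find_failures reads a saved CLI debug capture, assumes every command line has the form "<return code>: <command>" as in the output above, and reports each non-zero code together with the config section and edit entry it belongs to. The sample input is constructed and abridged from the failing capture on this page.

```python
import re

# Constructed sample: abridged from the failing debug capture on this page.
SAMPLE = """\
0: config firewall address
0: edit "Test1"
0: set subnet 1.1.1.1 255.255.255.255
0: next
0: end
0: config firewall addrgrp
0: edit "Test-Addresses"
-3: set member "Test1" "Test2" "Test3"
1: next
0: end
write config file success, prepare to save in flash
"""

# Assumed line shape: "<return code>: <command>", as in the capture above.
LINE = re.compile(r"^\s*(-?\d+):\s*(.*\S)\s*$")

def find_failures(debug_text):
    """Hypothetical helper: list every command with a non-zero return code."""
    stack, failures = [], []  # stack holds [config section, current edit entry]
    for raw in debug_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip status messages and blank lines
        code, cmd = int(m.group(1)), m.group(2)
        verb, _, rest = cmd.partition(" ")
        if verb == "config":
            stack.append([rest.strip(), None])
        elif verb == "edit" and stack:
            stack[-1][1] = rest.strip().strip('"')
        if code != 0:
            failures.append({
                "code": code,
                "section": " / ".join(s for s, _ in stack),
                "entry": stack[-1][1] if stack else None,
                "command": cmd,
            })
        if verb == "next" and stack:
            stack[-1][1] = None
        elif verb == "end" and stack:
            stack.pop()
    return failures

if __name__ == "__main__":
    for f in find_failures(SAMPLE):
        print(f'{f["code"]:>3} [{f["section"]}] {f["entry"]}: {f["command"]}')
```

An empty result corresponds to the all-zero capture of the fixed script; any entry returned names the object to correct before importing the next section.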