How to Migrate Fortigate Configurations with FortiConverter

Fortinet has published a very nice and helpful tool for converting firewall configs from other vendors into a Fortigate configuration file. One can equally use an old Fortigate config file as the source file.

So if you are going to replace an old Fortigate model with a new one and you want to use the old config file (instead of configuring the new Fortigate from scratch), you can use the FortiConverter as an alternative to the procedure we have described in one of our former blog posts, “How to transfer a FortiGate configuration file to a new FortiGate model”.

The FortiConverter requires a license for the full range of functions. With the test version you can test a conversion, but the backup file of the new configuration is not available for download.

The tool runs as a Python application on a Windows client. The installation software can be downloaded from your Fortinet support portal (download area). Currently v7.0 is the latest FortiConverter version. Please make sure that you are installing the “py” installation file (the one with .py.exe as file extension).

Running the tool is pretty easy. As source files you have to import the old config file and the empty config file of the new Fortigate model. Then you’ll be guided through a few migration steps where you get some information about the migration.

You will be informed that encrypted passwords are not being migrated but replaced with “123456”. There is just one obstacle – in the third migration step you have to do the “Interface Mapping”:

Here you have to assign the old interface names to the new interface names. This is necessary because different Fortigate models use different interface names. If you skip this step, the resulting configuration file may use interface names that do not exist on the new Fortigate model, and therefore the configuration will not work as expected.

Once the migration is completed you can download the resulting config file. If you are working with the trial version of FortiConverter you cannot run through any fine tuning steps of the resulting config (renaming firewall objects, syntax checks on object names, etc.), but the basic migration is done anyway. In newer versions of FortiConverter, even the download of the migrated configuration is not possible anymore.

The FortiConverter is a pretty cool tool, which is very helpful when replacing an older Fortigate model with a new one.

Note: we have to mention that errors can still occur when converting configs with the FortiConverter. So please check the new configuration before or during import.
For example, you can test the new config after the restore with the following CLI command:

diag debug config-error-log read

Right after the reboot the output indicates which configuration parts were not understood by Fortigate and were therefore ignored.
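
As an added example (not part of the original post and not FortiConverter's own code), a short Python script can check the converted file before import: it lists every setting left at the placeholder value "123456" and every interface reference that does not exist on the new model. The setting names in INTERFACE_KEYS, the function name and the sample config are assumptions made for illustration.

```python
import shlex

PLACEHOLDER = "123456"  # value the article says replaces encrypted passwords
# Assumption: settings that commonly hold interface names in FortiOS configs.
INTERFACE_KEYS = {"interface", "srcintf", "dstintf", "device", "associated-interface"}

def audit_config(text, new_model_interfaces):
    """Walk config/edit blocks; return (placeholder_hits, unknown_interface_hits)."""
    allowed = set(new_model_interfaces) | {"any"}  # "any" is valid in policies
    path, placeholders, unknown = [], [], []
    for raw in text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:
            continue  # unbalanced quote (e.g. multi-line value): skip the line
        if not tokens:
            continue
        if tokens[0] in ("config", "edit"):
            path.append(" ".join(tokens))
        elif tokens[0] in ("next", "end") and path:
            path.pop()
        elif tokens[0] == "set" and len(tokens) >= 3:
            where, key, values = " > ".join(path), tokens[1], tokens[2:]
            # Flag the placeholder under any key, so no secret field is missed.
            if values == [PLACEHOLDER]:
                placeholders.append((where, key, PLACEHOLDER))
            if key in INTERFACE_KEYS:
                unknown += [(where, key, v) for v in values if v not in allowed]
    return placeholders, unknown

# Constructed sample of a converted config (not real device output).
SAMPLE = """\
config system admin
    edit "admin"
        set password 123456
    next
end
config vpn ipsec phase1-interface
    edit "branch"
        set interface "wan1"
        set psksecret 123456
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
    next
end
"""
```

Calling audit_config(SAMPLE, {"internal1", "wan1"}) reports the admin password and the VPN pre-shared key as placeholders, and the policy's "internal" source interface as missing on the new model.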
