Friday, December 7, 2018

SCP config backup, config restore and image restore

Works in 5.2.x and up.
Uploading an image to the primary partition triggers an immediate upgrade/downgrade, including a reboot.

These all require admin-scp to be enabled on the target device (the config global wrapper is only needed when VDOMs are enabled):
config global
config system global
set admin-scp enable
end

#Config Backup

scp admin@<fgthostname>:fgt-config <fgthostname>.conf

scp admin@myfgt1:fgt-config myfgt1.conf

#Config Restore

scp <fgthostname>.conf admin@<fgthostname>:fgt-restore-config 

scp myfgt1.conf admin@myfgt1:fgt-restore-config 

#Image Upload to Primary Partition

scp <fgtimagename> admin@<fgthostname>:fgt-image

scp FGT_3700D-v5-build1600-FORTINET.out admin@myfgt1:fgt-image

#Image Upload to Secondary Partition

scp <fgtimagename> admin@<fgthostname>:fgt-secondary-image

scp FGT_3700D-v5-build1600-FORTINET.out admin@myfgt1:fgt-secondary-image
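A small wrapper around the backup command above, added here as an example that is not part of the original post. It pulls fgt-config from one or more devices, checks that what came back is actually a FortiOS config (a real export starts with a "#config-version=" header line) and records a SHA-256 for each kept copy. The hostnames and the backup directory are assumptions; scp prompts for the admin password unless key-based authentication is configured on the device.

```shell
#!/bin/sh
# Added example (not from the original post): SCP config backup with a
# sanity check, suitable for a cron job. Requires "set admin-scp enable"
# on each device as shown above.

BACKUP_DIR="${BACKUP_DIR:-./fgt-backups}"   # assumption: local backup folder

# A FortiOS config export begins with a "#config-version=" header line.
# Returns 0 if the file looks like a real config, 1 otherwise (empty file,
# an SSH error message or a banner saved by mistake).
validate_config() {
    f="$1"
    [ -s "$f" ] || return 1
    head -n 1 "$f" | grep -q '^#config-version=' || return 1
    return 0
}

# Copy fgt-config from one device into a timestamped file, validate it and
# append its SHA-256 to a sums file so later corruption or tampering of the
# stored backup can be detected.
backup_fgt() {
    host="$1"
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$BACKUP_DIR/$host-$stamp.conf"
    mkdir -p "$BACKUP_DIR"
    scp -q "admin@$host:fgt-config" "$out" || { rm -f "$out"; return 1; }
    if validate_config "$out"; then
        sha256sum "$out" >> "$BACKUP_DIR/SHA256SUMS"
        echo "ok: $out"
    else
        echo "bad backup from $host, discarding" >&2
        rm -f "$out"
        return 1
    fi
}

# Usage: backup_all myfgt1 myfgt2   (returns non-zero if any device failed)
backup_all() {
    rc=0
    for h in "$@"; do backup_fgt "$h" || rc=1; done
    return $rc
}
```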


Friday, February 23, 2018

Inter-VDOM routing

In this example we will set up inter-VDOM links between a VDOM named "root" and another VDOM named "untrust". This allows traffic to pass between the two VDOMs in both directions without any additional cabling.

Prerequisites:

  • Tested on FortiOS 6
  • VDOMs created
  • Links up


Process:

  • Configure interfaces
  • Configure policies
  • Configure static routes


### Interfaces
config global
config system interface
    edit "internal1"
        set vdom "root"
        set ip 10.0.0.254 255.255.255.0
        set allowaccess ping https  #This is your choice
        set type physical
    next
    edit "internal2"
        set vdom "untrust"
        set ip 192.168.1.254 255.255.255.0
        set allowaccess ping https  #This is your choice
        set type physical
    next
    edit "root-to-un0"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.252
        set allowaccess ping
        set type vdom-link
    next
    edit "root-to-un1"
        set vdom "untrust"
        set ip 10.10.10.2 255.255.255.252
        set allowaccess ping
        set type vdom-link
    next
end
end

config vdom
edit root
### Policies
config firewall policy
    edit 1
        set name "int1-to-root-to-un0"
        set srcintf "internal1"     #this is your WAN intf
        set dstintf "root-to-un0"
        set srcaddr "all"           #Do not leave as all. Lock down.
        set dstaddr "all"           #Do not leave as all. Lock down.
        set action accept
        set schedule "always"
        set service "ALL"           #Do not leave as all. Lock down.
        set logtraffic disable
    next
    edit 2
        set name "root-to-un0-to-int1"
        set srcintf "root-to-un0"
        set dstintf "internal1"     #this is your WAN intf
        set srcaddr "all"           #Do not leave as all. Lock down.
        set dstaddr "all"           #Do not leave as all. Lock down.
        set action accept
        set schedule "always"
        set service "ALL"           #Do not leave as all. Lock down.
        set logtraffic disable
    next
end
### Static Routes
config router static
    edit 1
        set dst 192.168.1.0 255.255.255.0
        set gateway 10.10.10.2      #This is the OPPOSITE side of the VLink
        set device "root-to-un0"
    next
end
end

config vdom
edit untrust
### Policies
config firewall policy
    edit 1
        set name "int1-to-root-to-un0"
        set srcintf "internal2"     #this is your WAN intf
        set dstintf "root-to-un1"
        set srcaddr "all"           #Do not leave as all. Lock down.
        set dstaddr "all"           #Do not leave as all. Lock down.
        set action accept
        set schedule "always"
        set service "ALL"           #Do not leave as all. Lock down.
        set logtraffic disable
    next
    edit 2
        set name "root-to-un0-to-int1"
        set srcintf "root-to-un1"
        set dstintf "internal2"     #this is your WAN intf
        set srcaddr "all"           #Do not leave as all. Lock down.
        set dstaddr "all"           #Do not leave as all. Lock down.
        set action accept
        set schedule "always"
        set service "ALL"           #Do not leave as all. Lock down.
        set logtraffic disable
    next
end
### Static Routes
config router static
    edit 1
        set dst 10.0.0.0 255.255.255.0
        set gateway 10.10.10.1      #This is the OPPOSITE side of the VLink
        set device "root-to-un1"
    next
end
end