How to downgrade Fortigate Fortios version without losing the configuration

Sun 29 May 2022 in Fortigate

#Fortigate

Upgrading Fortigate Fortios version is easy:

Find the correct upgrade path for the model you have https://docs.fortinet.com/upgrade-tool
Back up the current configuration: Admin → Configuration → Backup
If your Fortigate has an active subscription - upgrade directly from the Fortiguard servers, and if not - upload each Fortios image as a local file.

Downgrading is not that straightforward. The reason is that major version releases (and many times minor) change the configuration commands in some way - remove, add, move location. And when upgrading, the Fortios "upgrades" the configuration file as well fixing the differences between releases. E.g. in FortiOS 5.x, and 6.x you configure SD-WAN as config system virtual-wan-link, but in FortiOS 7.x it was replaced with config system sd-wan. When you follow the upgrade path, Fortigate takes care of it automatically. But if you decide to downgrade, it is NOT being done at all. As a consequence, you cannot apply FortiOS 7.2 configuration backup to the FortiOS 6.4 Fortigate. Actually, the Fortigate will issue an error if you try to, as the firmware version is in the header of the config file.

The best way to downgrade and keep the configuration is to save configuration on each upgrade step - upgraded 6.4.3 → 6.4.9? Back up the configuration. In this case, you can freely reset to factory defaults the Fortigate, downgrade to any version you want, say from 7.2 to 6.4.9, then upload the backed up configuration of version 6.4.9.

If you didn’t save configuration on the intermediate upgrades, then there is a risk to decide upon. The risk is that downgrading to lower versions, may delete, render not working various parts of the Fortigate configuration. And there is no tool to calculate this risk or help with assessing what is going to happen to the configuration. In my opinion it is safer to manually copy & paste important configuration parts after downgrading the factory-defaulted configuration.

The officially supported way to convert the Fortigate configuration between different models and firmware versions is FortiConverter. The FortiConverter comes either as a standalone software paid yearly (expensive), or as a one-time service from the Fortinet support.

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.