When a firewall is running FortiGate FIPS firmware with FIPS mode enabled, removing FIPS mode requires a factory reset. This raises a key question: how do you retain the firewall’s configuration after the factory reset?
While you could manually re-enter every setting, policy, and object, a more efficient approach is the File Conversion Method. With minor edits to the configuration file before you upload it to the firewall, you can restore your rules, settings, and address objects.
The strategy: Why “file conversion”?
The File Conversion Method is ideal when your hardware models match exactly, ensuring interface names and physical capabilities remain constant. The trick lies in understanding that Fortinet stores hardware and firmware metadata in the first four lines of every configuration file. By “spoofing” these headers, you can convince the firmware to accept the body of your old configuration.
The step-by-step migration
1. Preparation and baseline
Before touching the hardware, log into your existing FortiGate and document your admin account details and permissions. You will need to recreate this exact account on the new firmware to ensure permissions align during the transition. Once documented, perform a full backup of your original configuration.
2. The fresh start
Perform a factory reset on your appliance using the execute factoryreset command. Once it reboots, log in via the default IP (192.168.1.99) and the default credentials (admin with no password). Recreate the admin account you documented from the original firewall with the same permissions. Install the GA version of the firmware that corresponds with the FIPS-specific firmware. In my case, FIPS-CC-70-21 corresponded with 7.0.12. After the firmware is active, create your matching admin account and take a new backup. This new file contains the headers that the new firmware expects.
3. Editing the configuration
Open both your original (FIPS) backup and your new backup in a text editor.
- Copy: Select everything from the original FIPS file starting at line 5 to the very bottom.
- Paste: In a copy of your new file, highlight everything from line 5 down and replace it with your copied text.
- Remove FIPS: Search for the FIPS configuration block and delete it, from config system fips-cc through its closing end. The end of the preceding block and the config system console block that follows stay in place:
end
config system fips-cc <– delete this line
end <– delete this line
config system console
4. The final import and validation
Save your edited file and restore it to the FortiGate. Because the first four lines match the current firmware, the appliance will attempt to ingest the configuration.
However, no migration is perfect. Immediately after the reboot, run the following command in the CLI:
diagnose debug config-error-log read
This command acts as your post-op report, identifying any specific syntax errors or commands the new firmware didn’t recognize. You can then manually rectify these minor gaps in the GUI.
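Steps 1 through 4 describe a manual edit. As an added example that is not part of the original post, the Python script below does the same grafting: it keeps the first four header lines of the fresh GA backup, appends the body of the original FIPS backup, and removes the config system fips-cc block while tracking nesting so a nested config/end inside that block does not end it early. The two sample backups embedded in it are constructed; their build numbers, file versions and the inner fips-cc setting are made up.

```python
def strip_fips_block(lines):
    """Drop 'config system fips-cc' through its matching 'end', tracking nesting
    depth so a nested 'config ... end' inside it does not end the block early."""
    kept, depth, removed = [], 0, 0
    for line in lines:
        text = line.strip()
        if depth == 0 and text == "config system fips-cc":
            depth, removed = 1, removed + 1
            continue
        if depth > 0:
            removed += 1
            if text.startswith("config "):
                depth += 1
            elif text == "end":
                depth -= 1
            continue
        kept.append(line)
    if depth:
        raise ValueError("unterminated 'config system fips-cc' block")
    return kept, removed


def convert_config(new_backup, old_backup):
    """Header (first four lines) from the GA-firmware backup, body from the
    original FIPS backup minus the fips-cc block. Returns the merged text."""
    new_lines, old_lines = new_backup.splitlines(), old_backup.splitlines()
    if len(new_lines) < 4 or not new_lines[0].startswith("#config-version="):
        raise ValueError("new backup does not start with a FortiGate header")
    body, _ = strip_fips_block(old_lines[4:])  # FortiOS metadata is the first 4 lines
    return "\n".join(new_lines[:4] + body) + "\n"


# Constructed sample backups: the header layout follows FortiOS, every value is made up.
OLD_FIPS_BACKUP = """#config-version=FGT60F-7.0.12-FW-build0523-FIPS-CC:opmode=0:vdom=0:user=admin
#conf_file_ver=1111
#buildno=0523
#global_vdom=1
config system global
    set hostname "FW-OLD"
end
config system fips-cc
    set status enable
end
config system console
end
"""
NEW_GA_BACKUP = """#config-version=FGT60F-7.0.12-FW-build0523-230426:opmode=0:vdom=0:user=admin
#conf_file_ver=2222
#buildno=0523
#global_vdom=1
"""
```

Write the return value of convert_config to a file, restore it, and then run diagnose debug config-error-log read as described above to catch anything the new firmware rejects.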
Conclusion
By using the File Conversion Method to remove FIPS configuration, you can save hours of configuration time while maintaining the integrity of your security policies. Just remember to keep your original backups safe.
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.