How to Revert the Fortinet Firewall Configuration back Automatically when Handling Changes Remotely

When network engineers make changes remotely, it is always good to have a safety net. If you are familiar with Juniper Junos you will know and love the “commit confirmed” command: it rolls the configuration back to the previous one after 10 minutes automatically unless you confirm the commit, so if you break the routing, or configure the wrong IP address or interface and lose remote access, the box recovers on its own. The content below demonstrates the equivalent procedure on Fortinet FortiGate firewalls.

Pre-check and Default Behaviour

Firstly, back up your firewall configuration before you touch anything.

The FortiGate default behaviour is to save the configuration automatically whenever you click “Apply” in the GUI or type “end” in the CLI. That is convenient, but it can be catastrophic when the device sits in the middle of nowhere: a wrong change is written to flash the moment you make it, and there is no built-in way back once you have lost access. In the example below, “automatic” is the default, and because it is the default it is hidden from “show” and only appears in “show full-configuration”:

KitFW01 # config system global

KitFW01 (global) # show
config system global
    set admintimeout 480
    set alias "FortiGate-VM64-KVM"
    set hostname "KitFW01"
    set timezone 58
end

KitFW01 (global) # set cfg-save automatic

KitFW01 # config sys global 

KitFW01 (global) # show  ---> cfg-save does not appear here because it is still at its default value
config system global
    set admintimeout 480
    set alias "FortiGate-VM64-KVM"
    set hostname "KitFW01"
    set timezone 58
end

KitFW01 (global) # show full-configuration | grep cfg
    set cfg-save automatic

Set up the safety net before making any production changes

Set the FortiGate to revert to the last saved configuration 10 minutes (600 seconds) after an unsaved change, which is the equivalent of “commit confirmed” in Junos. In revert mode nothing is written to flash until you run “execute cfg save”; if the timer expires first, the firewall reboots into the last saved configuration. Pick a timeout long enough to make the change and verify access over a fresh session, and remember that the revert is a reboot: every session through the firewall drops when it fires.

config system global
        set cfg-save revert
        set cfg-revert-timeout 600
end

Assume you make the wrong change and you want to revert back

Now make your change in either the CLI or the GUI: run your prepared script, or quickly go into the GUI and make the change there. In this example I simply enabled the default “Fortilink” interface; let's assume that was a wrong move.

Then simply wait out the 10 minutes: the firewall restarts itself and the “Fortilink” interface is disabled again, i.e. the configuration has been reverted to the last saved one.

Note: you will NOT see any countdown timer unless you are connected via the physical console cable, but it surely works.

Assume you change the config successfully

You can go ahead and save the config, then put the default “automatic” behaviour back. Save first: in revert mode nothing is written to flash until you do, and saving is what cancels the pending revert.

execute cfg save

config system global
        set cfg-save automatic
end

Double-check that the default behaviour is back:

KitFW01 (global) # show full-configuration | grep cfg
    set cfg-save automatic
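To tie the steps above together, here is an added example (not from the original post, and not a Fortinet tool) of a POSIX shell wrapper that drives the same sequence the way Junos “commit confirmed” does: arm the revert timer, push the change, prove you still have management access over a fresh session, and only then save and restore “automatic”. Everything environment-specific is an assumption: the firewall is reached as $FGT_USER@$FGT_HOST over SSH with key-based authentication and accepts CLI lines on standard input, 192.0.2.1 is a placeholder address, and setting FGT_CLI=cat replaces the SSH transport so you can dry-run the script and see exactly what would be sent.

```shell
#!/bin/sh
# Added example, not from the original post: a Junos "commit confirmed" style
# wrapper around the FortiGate cfg-save revert procedure. Assumptions (all
# hypothetical): the firewall accepts CLI lines on stdin over SSH with key-based
# auth as $FGT_USER@$FGT_HOST; setting FGT_CLI (e.g. FGT_CLI=cat) replaces the
# SSH transport for dry runs and tests.
set -u

FGT_HOST="${FGT_HOST:-192.0.2.1}"   # RFC 5737 documentation address (assumption)
FGT_USER="${FGT_USER:-admin}"
TIMEOUT="${TIMEOUT:-600}"           # seconds before the unsaved config is reverted

# Transport: pipe CLI lines from stdin into a fresh session on the firewall.
# $FGT_CLI is deliberately unquoted so it may carry arguments (e.g. "tee log").
fgt_cli() {
    if [ -n "${FGT_CLI:-}" ]; then
        $FGT_CLI
    else
        ssh -o BatchMode=yes -o ConnectTimeout=10 "$FGT_USER@$FGT_HOST"
    fi
}

# Step 1: the safety net. Unsaved changes are thrown away (the box reboots into
# the last saved config) once the timer expires without an 'execute cfg save'.
arm_revert() {
    timeout="$1"
    case "$timeout" in
        ''|*[!0-9]*) echo "timeout must be an integer number of seconds" >&2; return 1 ;;
    esac
    printf 'config system global\n    set cfg-save revert\n    set cfg-revert-timeout %s\nend\n' "$timeout"
}

# Step 3 (success path): save, then restore the default behaviour. The second
# 'execute cfg save' is belt and braces so the 'automatic' setting itself is on
# flash regardless of which mode 'end' ran under.
confirm_commit() {
    printf 'execute cfg save\nconfig system global\n    set cfg-save automatic\nend\nexecute cfg save\n'
}

# Parse the cfg-save mode out of 'show full-configuration | grep cfg' output
# read from stdin (prints "automatic" or "revert").
cfg_save_mode() {
    sed -n 's/^[[:space:]]*set cfg-save[[:space:]]*\([a-z]*\).*/\1/p' | head -n 1
}

# Step 2b: the "am I still in control?" check, done over a NEW session so that a
# change which killed management access makes this fail.
probe() {
    printf 'get system status\n' | fgt_cli >/dev/null 2>&1
}

# Whole workflow: arm the timer, push the change file, probe, confirm or walk away.
commit_confirmed() {
    change_file="$1"
    arm_revert "$TIMEOUT" | fgt_cli || return 1
    fgt_cli < "$change_file" || true      # the change itself may drop our session
    if probe; then
        confirm_commit | fgt_cli
        echo "confirmed: change saved, cfg-save back to automatic"
    else
        echo "probe failed: not confirming; firewall reverts in ${TIMEOUT}s" >&2
        return 1
    fi
}

# Usage:   TIMEOUT=600 FGT_HOST=fw.example.net ./commit_confirmed.sh change.txt
# Dry run: FGT_CLI=cat ./commit_confirmed.sh change.txt
if [ -n "${1:-}" ]; then
    commit_confirmed "$1"
fi
```

The important design choice is that probe() opens a new SSH session rather than reusing the one the change went through: if the change took out the management path, the probe fails, the script refuses to save, and the firewall's own timer does the rollback exactly as in the manual procedure above. Because the revert is a reboot, keep the change plus probe well inside the timeout you armed.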

Useful link

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-save-option-set-cfg-save-revert-to/ta-p/191106

2 thoughts on “How to Revert the Fortinet Firewall Configuration back Automatically when Handling Changes Remotely”

  1. Thanks for this!
    What happens if you don’t set a cfg-revert-timeout? Will it stay saved until someone manually reboots it?

    1. The default setting is “set cfg-save automatic”, which means it will save your configuration changes every time you exit config mode with “end”.

      It will stay saved whether or not anyone reboots it, as it is saved.
