When network professionals handle changes remotely, it is always good to have a safety net available. If you are familiar with Juniper Junos, you will know and love the “commit confirmed” command: it automatically rolls the configuration back to the previous one after 10 minutes, so if you break the routes, or configure the wrong IP or interface, and lose remote access as a result, the device recovers on its own. The content below demonstrates the equivalent procedure on Fortinet FortiGate firewalls.
Pre-check and Default Behaviour
First, back up your firewall configuration.
The FortiGate default behaviour is to save the config automatically as soon as you click “Apply” in the GUI or type “end” in the CLI. That can be catastrophic when you are dealing with devices located in the middle of nowhere. In the example below, “automatic” is the default; it is hidden from the normal “show” output and only appears in “show full-configuration”.
KitFW01 # config system global
KitFW01 (global) # show
config system global
    set admintimeout 480
    set alias "FortiGate-VM64-KVM"
    set hostname "KitFW01"
    set timezone 58
end
KitFW01 (global) # set cfg-save automatic
KitFW01 # config sys global
KitFW01 (global) # show   ---> not showing in the config
config system global
    set admintimeout 480
    set alias "FortiGate-VM64-KVM"
    set hostname "KitFW01"
    set timezone 58
end
KitFW01 (global) # show full-configuration | grep cfg
    set cfg-save automatic
Set up the safety net before making any production changes
Set up your FortiGate firewall to revert and reboot automatically after 10 minutes (600 seconds); this is the equivalent of “commit confirmed” in Junos.
config system global
    set cfg-save revert
    set cfg-revert-timeout 600
end
Assume you made a wrong change and want to revert it
Now make your changes via either the CLI or the GUI: execute your prepared scripts, or quickly go to the GUI to make the change. In this example, I simply enabled my default “Fortilink” interface; let’s assume that was a wrong move.
Then simply wait out the 10 minutes: the firewall restarts itself and the “Fortilink” interface is disabled again (reverted to the original).
Note: you will NOT see any countdown timer unless you are connected via a physical console cable, but it works regardless!
Assume you changed the config successfully
Go ahead and save the config, then put the default “automatic” behaviour back:
execute cfg save
config system global
    set cfg-save automatic
end
Double-check that the default behaviour is back in place:
KitFW01 (global) # show full-configuration | grep cfg
    set cfg-save automatic
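The whole arm / change / verify / commit sequence above, wrapped into one function as an added example (not code from the post or from Fortinet). The device commands are exactly the ones used above; the `send` callable, the `verify` callable and the `FakeFortiGate` stand-in are assumptions so the flow can be exercised offline, and the interface change in the fake run is a constructed sample.

```python
"""FortiGate "commit confirmed" style workflow: arm the revert timer, push the
change, and persist it only if verification passes. Otherwise nothing is saved
and the firewall reverts and reboots by itself when cfg-revert-timeout expires.
"""
import re

# Command blocks from the post. `send` (assumed) takes one CLI block and returns its output.
ARM_TEMPLATE = "config system global\n    set cfg-save revert\n    set cfg-revert-timeout {timeout}\nend\n"
COMMIT_SCRIPT = "execute cfg save\nconfig system global\n    set cfg-save automatic\nend\n"
CHECK_CMD = "config system global\nshow full-configuration | grep cfg\nend\n"


def cfg_save_mode(output: str):
    """Return the cfg-save mode ('automatic', 'revert', ...) parsed from grep output, or None."""
    m = re.search(r"^\s*set cfg-save (\S+)", output, re.M)
    return m.group(1) if m else None


def guarded_change(send, change_cmds: str, verify, timeout: int = 600) -> str:
    """Arm the safety net, apply change_cmds, then commit only if verify() is True."""
    send(ARM_TEMPLATE.format(timeout=timeout))
    if cfg_save_mode(send(CHECK_CMD)) != "revert":
        raise RuntimeError("safety net not armed; refusing to push the change")
    send(change_cmds)
    if not verify():
        return "left_to_revert"  # do nothing: the revert timer restores the saved config
    send(COMMIT_SCRIPT)
    if cfg_save_mode(send(CHECK_CMD)) != "automatic":
        raise RuntimeError("default cfg-save behaviour was not restored")
    return "committed"


class FakeFortiGate:
    """Constructed stand-in for a device (assumption) so the workflow runs offline.

    It only tracks the cfg-save mode and records every block it was sent.
    """
    def __init__(self):
        self.mode = "automatic"
        self.sent = []

    def send(self, block: str) -> str:
        self.sent.append(block)
        m = re.search(r"set cfg-save (\S+)", block)
        if m:
            self.mode = m.group(1)
        if "grep cfg" in block:
            return f"    set cfg-save {self.mode}\n"
        return ""
```

With a real transport, `verify` is where you confirm you can still reach the device (and whatever the change was meant to achieve) before the commit is sent.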