Introduction
I want to talk today about the safety switch the Fortigate has for us when changing its configuration and something goes wrong.
Most reputable vendors have such rollback-if-sh*t-happens – Juniper has commit confirmed <minutes>, Cisco routers have reload in <hh:mm:ss> and Fortinet does too – cfg-save.
This setting is part of the global configuration and looks by default like that:
FGT4 # get sys global | grep cfg
cfg-save : automatic
The key word here is automatic – it means once you hit Enter on CLI or click Apply in GUI, the changes are automatically saved to the configuration file of the Fortigate on flash. It also means they (configuration changes) will survive reboot. So, what happens if you make a mistake or miscalculate the consequences of the config change and lose management acces to the Fortigate? Well, the solution is physical access to the Fortigate with a console cable. To prevent this, all we need to do is change cfg-save from automatic to revert before doing the risky changes.
After we change this setting, any change to the configuration you do either on CLI or in GUI, will take effect immediately (as usual) but will BE REVERTED BACK if you do not manually save this change and your session times out. The time out you set too with set cfg-revert-timeout <seconds>.
Step by step instructions
Before making the planned configuration changes, set on CLI cfg-save to revert:
config sys global
set cfg-save revert
Do not leave the global config yet, read on
The default idle time-out, if you do not change it, will be 600 seconds, or 10 minutes. This means if you cause downtime by doing changes, they will be reverted after 10 minutes of your losing the access to the Fortigate. If you want to change it (still in sys global config mode):
set cfg-revert-timeout 120
end
Here I set idle time-out to 2 minutes.
Now you can safely do the planned configuration changes (change default gateway, reset BGP/OSPF routing, change WAN IP address and so on), be it on CLI or GUI.
If your changes lock you out of the Fortigate and you cannot reconnect, just wait 2 minutes and changes you have done will be reverted.
Changes reversal does NOT cause reboot to the firewall.
If, on the other hand, you did changes and nothing bad happened – do NOT log out/leave the Fortigate yet. For changes NOT to be reverted 2 minutes after you log out, you have to manually save/commit them to the configuration file. You can only do this on cli:
exe cfg save
Lastly, do not forget to change back cfg-save to automatic, unless you want to play an evil joke on the next admin configuring this Fortigate – any changes they will do will be rolled back to much of their confusion.
config sys global
set cfg-save automatic
end
Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ and https://github.com/yuriskinfo/ not to miss what I publish on Linkedin, Github, blog, and more.
