Solution
The global setting "set cfg-save" dictates how configuration changes applied on the FortiGate are saved:
FGT# config system global
FGT# (global) # set cfg-save ?
automatic    automatically save config
manual       manually save config
revert       manually save config and revert the config when timeou
The default setting is "automatic": in this mode, any change applied after an "end" or "Apply" is saved.
- If set to "revert", an additional global parameter is required, the timeout in seconds: "set cfg-revert-timeout"
A warning CLI message will be displayed 10s before the reboot:
FGT # System will reboot if no input is received in the next 10 seconds...
System will reboot if no input is received in the next 9 seconds...
System will reboot if no input is received in the next 8 seconds...
System will reboot if no input is received in the next 7 seconds...
Example:
This example shows the use of "cfg-save revert" and its associated event log "FortiGate Restarted", which is generated when a newly added configuration is not confirmed.
FG100D_Primary (global) # set cfg-save
automatic    Automatically save config.
manual       Manually save config.
revert       Manually save config and revert the config when timeout.

FG100D_Primary (global) # show full-configuration | grep cfg
set cfg-save automatic

FG100D_Primary (global) # show full-configuration | grep cfg
set cfg-save revert <<--- Changed from automatic to revert
set cfg-revert-timeout 600 <<--- (10 Minutes)

FG100D_Primary (lan) # set role
lan          Connected to local network of endpoints.
wan          Connected to Internet.
dmz          Connected to server zone.
undefined    Interface has no specific role.

FG100D_Primary (lan) # set role lan <<-- Added a new role to the LAN interface configuration in order to generate a new change in the current configuration.
FG100D_Primary (lan) # end

FG100D_Primary (lan) # show full-configuration | grep role
set role lan <<-- New configuration added to interface

FG100D_Primary (lan) # show full-configuration | grep role
set role undefined <<-- The newly added role is no longer present
The newly added role configuration was never confirmed before the "timeout" of 600 seconds (10 minutes) expired, so it was never added to the current configuration, and the event log “Fortigate Restarted” was generated under system events.
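To check which save mode a unit is actually running, the following added example (not part of the original article, and not Fortinet code) reads a configuration backup and reports the "cfg-save" mode and any explicit "cfg-revert-timeout". The sample backup text and the function names are constructed for illustration; only the setting names and the "automatic" default come from the article.

```python
import re

# Constructed sample of a FortiGate configuration backup (not from the article).
SAMPLE_BACKUP = """\
config system global
    set hostname "FG100D_Primary"
    set cfg-save revert
    set cfg-revert-timeout 600
end
config system interface
    edit "lan"
        set role lan
    next
end
"""

VALID_MODES = {"automatic", "manual", "revert"}


def global_settings(config_text):
    """Return the 'set' key/value pairs found directly in 'config system global'."""
    settings, stack = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line)            # entering a (possibly nested) section
        elif line == "end":
            if stack:
                stack.pop()               # leaving the innermost section
        elif stack and stack[-1] == "config system global":
            m = re.match(r"set (\S+) (.+)", line)
            if m:
                settings[m.group(1)] = m.group(2).strip('"')
    return settings


def cfg_save_policy(config_text):
    """Report the save mode and, for revert mode, the explicit timeout in seconds."""
    s = global_settings(config_text)
    mode = s.get("cfg-save", "automatic")  # the article gives automatic as the default
    if mode not in VALID_MODES:
        raise ValueError(f"unexpected cfg-save value: {mode!r}")
    timeout = s.get("cfg-revert-timeout")
    # None means no explicit timeout line was found for revert mode in this file.
    return {"mode": mode,
            "revert_timeout": int(timeout) if mode == "revert" and timeout else None}


if __name__ == "__main__":
    print(cfg_save_policy(SAMPLE_BACKUP))
```

The parser assumes one statement per line and does not handle multi-line quoted values that happen to contain a line reading "end".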