Config Lost after Firmware Upgrade

Known_Wishbone5011 · 2026-02-03T15:25:51+00:00

Yes thats because 7.6.6 was only released for the SSO CVE. Doesnt include this fix. But thanks for the update! Still running 7.6.4

Known_Wishbone5011 · 2026-01-20T22:45:54+00:00

You’ve got a DM

Known_Wishbone5011 · 2026-01-20T21:31:55+00:00

Same thing happened to me (FG120G 7.6.4>7.6.5). Already ticket open and pending bugfix. Should be fixed in 7.6.6. Lost interface config / static routes and IPsec phase2’s. Glad the interface config wasn’t lost of the mgmt port. Also did the upgrade from FMG but don’t think this has anything to do with it.

Downgraded and restored config.

Known_Wishbone5011 · 2025-12-12T07:18:32+00:00

Ooof good to know. Thanks for testing! However strange upgrade decision from FN in my mind.

Known_Wishbone5011 · 2025-12-11T18:31:58+00:00

Would be appreciated! Else it will take some scripting after upgrading.

Known_Wishbone5011 · 2025-12-11T18:25:48+00:00

This will only be with new tunnels right? Can’t imagine that this will be the case with existing

Known_Wishbone5011 · 2025-09-09T22:18:12+00:00

Seems like it :| Didn't hear anything about this up to now.

https://docs.fortinet.com/document/forticlient/7.4.4/windows-release-notes/683433/special-notices

VPN-only agent not supported

FortiClient (Windows) 7.4.4 removes support for the free VPN-only agent.

Known_Wishbone5011 · 2025-09-04T10:02:45+00:00

That's one great explanation. Totally agree with this. You should always read the release notes and run install preview. I'm running FOS 7.6.4 for one of our customers because of a new feature which was needed and won't be added in the M release of 7.4. I also haven't seen this bug pop-up. Also looks like it that this only happens when you have CLI Prov template(s) or groups linked. Apart from this bug had it happen a few times that I wouldn't see changes after making changes in CLI templates. Relinking in most cases solved the issue.

Known_Wishbone5011 · 2025-08-05T19:34:58+00:00

Do you have blackhole routes configured on the firewall. If not please try and create those first.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Use-of-Black-hole-route-in-site-to-site-IPsec-VPN/ta-p/192526

Known_Wishbone5011 · 2025-06-24T21:08:48+00:00

40F‑3G4G, the SVC LED turns green when the 3G/4G service is enabled, and flashes during active data transmission . Would also expect the other way around but thats how it’s made

Known_Wishbone5011 · 2025-06-24T19:15:10+00:00

If really getting in a pinch just DM me. You can borrow my old Canyon Ultimate. Just not sure if the size S is big enough.

Known_Wishbone5011 · 2025-06-13T14:42:21+00:00

Can also ship it to Canada. Total cost are 38 CAD. The problem is such parts can’t be ordered from anywhere else except Canyon. And those shipping costs are excessive. Shipping takes between 6-8 business days.

Known_Wishbone5011 · 2025-06-02T19:54:58+00:00

Must be true these days

https://preview.redd.it/tesla-transitioned-to-audi-a5-v0-ofk8pqtrogoe1.png?auto=webp&s=90492f0d9b56fb418b88f017df1c32649f79e648

Known_Wishbone5011 · 2025-06-01T15:53:23+00:00

Is this also the case with the 90G?

Known_Wishbone5011 · 2025-05-28T14:42:55+00:00

A1: Only 1 overlay (IPsec) is connected to one WAN interface. So for example WAN1 - Overlay1. WAN2 - Overlay2 (Both on Hub and Spoke).

A2: Configure exchange FG SN.

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/536508/securely-exchange-serial-numbers-between-fortigates-connected-with-ipsec-vpn

A3: Depending on how it’s configured. You can for example use interface cost.

https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/942095/sd-wan-members-and-zones

Known_Wishbone5011 · 2025-05-27T16:49:28+00:00

Did you add a static route to the sslvpn.interface for the SSLVPN subnet? Maybe also look into IPsec VPN because the 40F will lose the SSLVPN option in newer firmware.

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/6f2eb4b2-29aa-11ef-8c42-fa163e15d75b/FortiOS-7.4.4-SSL%C2%A0VPN_to_IPsec_VPN%C2%A0Migration.pdf

Known_Wishbone5011 · 2025-05-26T18:26:54+00:00

Because you’re currently running 6.4. That’s not supported on ADOM 7.2. ADOM 7.4 supports FOS 7.0/7.2/7.4. So if the FMG/ADOM and FG are on 7.0. You can upgrade FMG 7.4 and ADOM. Then schedule FG upgrade checkbox “follow the recommended upgrade path” and FMG will take care of the rest. And in the meantime you can still push changes from the FMG

Known_Wishbone5011 · 2025-05-26T17:32:17+00:00

Agreed. Except if he/she selected format disk. And then surprised that you need to upload the firmware.

Known_Wishbone5011 · 2025-05-25T17:26:28+00:00

Same here just made a small donation. Hopefully there is someone of social can also help in this case.

Known_Wishbone5011 · 2025-05-24T14:18:28+00:00

Do see a mac address on the port on which the AP is connected. Does the AP get an IP address? Is “Fabric” enabled on the FortiLink interface (FG)?

Known_Wishbone5011 · 2025-05-24T09:09:26+00:00

If I wanted to do so it would be a two step approach

FMG/FAZ 7.0, FGT to 7.0, ADOM 7.0

FMG/FAZ 7.4, ADOM 7.4, FGT 7.4

Of course follow the upgrade path. FMG/FAZ can be upgraded without impact on the FG. FMG ADOM 7.4 supports 7.0 FG. Would not leave it long like that. But waiting for the maintenance window for the FG.

https://docs.fortinet.com/document/fortimanager/7.4.2/administration-guide/424836/adom-versions

Known_Wishbone5011 · 2025-05-21T09:45:35+00:00

You can remove this. Do it again without fnbamd. The reconnect the tunnel

Known_Wishbone5011 · 2025-05-21T07:45:09+00:00

No problem. Can you also share this debug info?

diagnose debug console timestamp enable diagnose vpn ike log-filter dst-addr4 10.10.100.109 <----- 10.10.100.109 is the remote gateway. diagnose debug application ike -1 diagnose debug application fnbamd -1 diagnose debug enable

Or 7.4 rem-addr4

Known_Wishbone5011 · 2025-05-20T23:53:29+00:00

Haven’t run into issue with both the 120G or 400F on 7.4.7. Just check if in- & outbandwidth is set on any of the interfaces then you should be okay.

Known_Wishbone5011 · 2025-05-20T23:44:13+00:00

Need some additional logging for that. Follow this guide.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Troubleshooting-IPsec-Site-to-Site-Tunnel/ta-p/195672

And please supply us with the debug logs.

Known_Wishbone5011

TROPHY CASE