Skip to main content

Using the save option "set cfg-save revert" to automatically reboot and revert to a previous configuration of a FortiGate

Description

This article describes the system global option "set cfg-save revert" that can be used during remote changes on a Fortigate and where the operator would like an automatic revert to the previous configuration in case of problems arise (if for example the connection to the FortiGate is lost).

Solution

The global setting parameter "set cfg-save" dictates the way that configuration changes applied on the FortiGate are saved:
FGT# config system global
FGT# (global) # set cfg-save ?

automatic    automatically save config
manual       manually save config
revert       manually save config and revert the config when timeout
  • The default setting is "automatic" : in this mode, any changes applied after an "end" or "Apply" will be saved.
  • If set to "revert", an additional global parameter is required, which is the timeout in seconds : "set  cfg-revert-timeout"

Once this is applied, any new changes must be saved manually with the command "execute cfg save"within the period of the timeout, otherwise the FortiGate will reboot.

A warning CLI message will be displayed 10s before the reboot :

FGT # System will reboot if no input is received in the next 10 seconds...
System will reboot if no input is received in the next 9 seconds...
System will reboot if no input is received in the next 8 seconds...
System will reboot if no input is received in the next 7 seconds...

Example :

This example explains the use of the cfg-save revert command and its associated event log Fortigate Restarted when newly added configuration is not confirmed.

FG100D_Primary (global) # set cfg-save
automatic   Automatically save config.
manual       Manually save config.
revert       Manually save config and revert the config when timeout.

FG100D_Primary (global) # show full-configuration | grep cfg
set cfg-save automatic

FG100D_Primary (global) # show full-configuration | grep cfg
set cfg-save revert     <<--- Changed from automatic to revert
set cfg-revert-timeout 600   <<--- (10 Minutes)

FG100D_Primary (lan) # set role
lan         Connected to local network of endpoints.
wan         Connected to Internet.
dmz         Connected to server zone.
undefined   Interface has no specific role.

FG100D_Primary (lan) # set role lan   <<-- Added a new role to the LAN interface configuration in order to generate a new change in the current configuration.
FG100D_Primary (lan) # end

FG100D_Primary (lan) # show full-configuration | grep role
set role lan   <<-- New configuration added to interface 

FG100D_Primary (lan) # show full-configuration | grep role
set role undefined <<-- The newly added configuration of role on the interfaces was never added to the current configuration due to the “timeout” of 600 seconds, (10 Minutes) expired and the newly added configuration was never confirmed generating the event log “Fortigate Restarted” under system events.