How to auto restore a previous configuration after an unsuccessful change
Today, we will see how to automatically restore, or roll back, a FortiGate configuration change after an unsuccessful config load, without the need for local access to the unit.
FORTINET
10/20/2024


Recently I participated in an assessment of the configuration of a lot of firewalls. As a result of that work, a fix for some routing issues was proposed to the customer. The main problem was that the firewalls were remote, spread over long distances in remote places. The wait to contract a field service to help us apply the fixes was long and expensive, considering the number of firewalls and the distances.
Fortunately, FortiOS has a feature that lets the administrator make a configuration change and stipulate a time after which, if access is lost, the configuration rolls back to its state before the change.
That is useful in a lot of situations. Let's go through the configuration step by step. In old FortiOS versions, these options are available only in the CLI. In the latest versions, 7.0 and 7.2, the path in the GUI may be different.
If you use FortiManager to manage your FortiGates, there is another feature that saves changes in a completely automated way, so you do not need to do anything. If you push a change to the FortiGates and they lose connectivity on the management connection, the FortiGate will wait 15 minutes for the connection to FortiManager to be restored. If that does not succeed, it rolls back the change.
In the CLI, enter the global configuration and set the save mode to revert:
#config sys global
#set cfg-save revert
The default idle timeout is 600 seconds, or 10 minutes. If your changes cause downtime, they will be reverted 10 minutes after you lose access to the FortiGate. To change the time, stay in sys global config mode and run:
#set cfg-revert-timeout 60
#end
Now, after making your changes, you need to save manually with the command:
#exe cfg save
After your change has succeeded, you can restore the default automatic saving. Go back to:
#config sys global
#set cfg-save automatic
#end
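An added example, not part of the original post: a Python check that reads FortiGate configuration backups and flags units that were left in revert mode after the change window, which matters when many remote firewalls are changed in one batch. It assumes a backup lists only non-default settings, so a missing cfg-save line means the default automatic mode; the host names and backup text are constructed.

```python
# Defaults as stated in the article: automatic saving, 600-second revert timeout.
DEFAULTS = {"cfg-save": "automatic", "cfg-revert-timeout": "600"}

def global_settings(config_text):
    """Collect `set` values from the top-level `config system global` block."""
    settings, depth, in_global = {}, 0, False
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or backup header comment
        if words[0] == "config":
            if depth == 0:
                in_global = words[1:] == ["system", "global"]
            depth += 1
        elif words[0] == "end" and depth > 0:
            depth -= 1
            if depth == 0:
                in_global = False
        elif words[0] == "set" and in_global and depth == 1 and len(words) >= 3:
            settings[words[1]] = " ".join(words[2:]).strip('"')
    return settings

def audit(name, config_text):
    """Return findings for a unit that is not back on automatic saving."""
    s = {**DEFAULTS, **global_settings(config_text)}
    if s["cfg-save"] == "automatic":
        return []
    return [f"{name}: cfg-save is '{s['cfg-save']}' (revert timeout "
            f"{s['cfg-revert-timeout']}s); run 'exe cfg save' after changes "
            f"and set cfg-save automatic when the change window closes"]

# Constructed sample backups (not taken from real devices).
SAMPLES = {
    "fw-branch-01": """config system global
    set hostname "fw-branch-01"
    set cfg-save revert
    set cfg-revert-timeout 60
end
config system interface
    edit "wan1"
        set mode dhcp
    next
end
""",
    "fw-branch-02": 'config system global\n    set hostname "fw-branch-02"\nend\n',
}

def audit_all(samples=SAMPLES):
    return [f for name, text in samples.items() for f in audit(name, text)]

if __name__ == "__main__":
    print("\n".join(audit_all()) or "all units on automatic saving")
```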