Nur
Staff
December 5, 2024

Technical Tip: Best practice when replacing a FortiManager

Description: This article describes the best practice for replacing a FortiManager.
Scope: FortiManager and FortiGate.
Solution

When a FortiGate is integrated with FortiManager through central-management, the FortiGate detects the FortiManager serial number, which appears in the central-management configuration:

Ertiga-kvm09 # config system central-management

Ertiga-kvm09 (central-management) # show
config system central-management
    set type fortimanager
    set serial-number "FMG-VM0AXXXXXXXX"
    set fmg "10.47.X.X"
end

When the FortiManager is replaced, its serial number and source IP will differ from those configured under central-management. To keep the FGFM tunnel daemon process running without interruption, follow the steps below:

  1. On the FortiGate, add the new FortiManager serial number and the new FortiManager source IP under central-management.

config system central-management
    set type fortimanager
    set serial-number "FMG-VM0A170027XX" "FMG-VMTM190060XX"
    set fmg "10.47.1.XX" "10.47.4.XX"
end

On older firmware versions, the commands need to be run in batch mode:

exe batch start
config system central-management
    set type fortimanager
    set serial "FortiManager-Serial-Number"
    set fmg "FortiManager source-IP"
end
exe batch end

  2. Authorize the FortiGate device from the new FortiManager.

  3. After authorization is complete, it is possible to unset the old FortiManager serial number and source IP from central-management (use the batch command).

    Ertiga-kvm09 # exe batch start
    Enter batch mode...
    Ertiga-kvm09 # config system central-management
    Ertiga-kvm09 # unset serial-number "FMG-VM0A17002722"
    Ertiga-kvm09 # unset fmg "10.X.X.X"
    Ertiga-kvm09 # end
    Ertiga-kvm09 # exe batch end

  4. Then check the FGFM status and confirm that it shows the new FortiManager serial number.

    Ertiga-kvm09 # diag fdsm central-mgmt-status
    Connection status: Up
    Registration status: Registered
    Serial: FMG-VMTM190060XX

  5. When the FortiGate is authorized on the new FortiManager, the policy will not be imported, because the FortiGate is declared as a new device.

  6. If the policy needs to be retained on the new FortiManager, it is possible to configure the FortiManager as HA (this step can be used when the old FortiManager can still be accessed through console / CLI / GUI).

  7. If the FortiManager is configured as HA, central-management detects two serial numbers; then proceed to step 3 to delete the old FortiManager serial number.
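
The final status check can be scripted against saved CLI captures. The following Python is an added example, not part of the original article or any Fortinet tooling; it assumes the `show` and `diag fdsm central-mgmt-status` output has the layout shown above, and the function names and sample captures are constructed for illustration.

```python
import shlex

def parse_central_mgmt(show_output):
    """Map each 'set' option in the central-management block to its value list."""
    cfg = {}
    for line in show_output.splitlines():
        tokens = shlex.split(line.strip())
        if len(tokens) >= 3 and tokens[0] == "set":
            cfg[tokens[1]] = tokens[2:]
    return cfg

def parse_fgfm_status(status_output):
    """Map 'Key: value' lines of the status output to a dict with lowercase keys."""
    status = {}
    for line in status_output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            status[key.strip().lower()] = value.strip()
    return status

def verify_replacement(show_output, status_output, new_serial, old_serial):
    """Return a list of problems; an empty list means the replacement looks complete."""
    cfg = parse_central_mgmt(show_output)
    st = parse_fgfm_status(status_output)
    serials = cfg.get("serial-number", [])
    problems = []
    if new_serial not in serials:
        problems.append("new serial missing from central-management")
    if old_serial in serials:
        problems.append("old serial still configured")
    if st.get("connection status") != "Up":
        problems.append("FGFM connection is not Up")
    if st.get("registration status") != "Registered":
        problems.append("FortiGate is not registered")
    if st.get("serial") != new_serial:
        problems.append("FGFM tunnel is not to the new FortiManager")
    return problems

# Constructed sample captures in the page's output layout, with its masked values.
SHOW_BOTH = '''config system central-management
    set type fortimanager
    set serial-number "FMG-VM0A170027XX" "FMG-VMTM190060XX"
    set fmg "10.47.1.XX" "10.47.4.XX"
end'''
SHOW_NEW_ONLY = SHOW_BOTH.replace('"FMG-VM0A170027XX" ', "").replace('"10.47.1.XX" ', "")
STATUS = "Connection status: Up\nRegistration status: Registered\nSerial: FMG-VMTM190060XX"

if __name__ == "__main__":
    for show in (SHOW_BOTH, SHOW_NEW_ONLY):
        print(verify_replacement(show, STATUS, "FMG-VMTM190060XX", "FMG-VM0A170027XX"))
```

A leftover old serial number is reported as a problem, so the same check also flags a FortiGate that still trusts the retired FortiManager after the replacement.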

Related article
Technical Tip: FortiManager HA setup and troubleshooting