Technical Tip: Clearing stale FortiGuard package status after device stops using FortiManager as FDS
Description
This article explains how to clear a managed device's stale FortiGuard Package status in FortiManager when the device no longer uses FortiManager as its FortiGuard Server.
Scope
FortiManager.
Solution
When FortiManager is configured as a FortiGuard Server (FDS) for managed devices, it handles the distribution of FortiGuard Packages (IPS, Antivirus, Application Control signatures, etc.). The package status for each device is visible under FortiGuard -> Device Licenses.
If a managed device is later reconfigured to use Public FortiGuard Servers instead of FortiManager, the package status in FortiManager may still show as up-to-date or flagged for update. This is misleading - an administrator viewing the status might assume the device needs a package update and attempt to push it from FortiManager, which will not work since the device is no longer using FortiManager as its FortiGuard Server.
To clear the stale package information, run the following command on the FortiManager CLI:
diagnose fmupdate fgt-del-um-db um2.db
Once executed, the Service Status for the affected device will change to 'Unknown', confirming that FortiManager is no longer managing FortiGuard Packages for that device.
If some devices will still be using FortiManager as a FortiGuard server, their statuses will automatically show correctly once the devices attempt to connect to the FortiGuard Server. On the FortiGates, a manual update can be performed by using the following command:
execute update-now
Related documents: