Skip to main content
jdvorak
Staff
jdvorak
Staff
October 16, 2013

Technical Tip: How to replace a FortiGate unit in the FortiManager configuration, following an RMA hardware replacement

  • October 16, 2013
  • 0 replies
  • 55052 views

Description

 

This article describes how to replace a FortiGate unit in the FortiManager configuration, following an RMA hardware replacement. 

This procedure ONLY applies to the replacement of a FortiGate with another FortiGate of the same model. (If upgrading a FortiGate to another model, add the new unit as a new device.)The procedure is generally for standalone non-HA units, and it does not need to be followed for devices in HA mode.
It is not applicable for RMA of the primary device, as the functional secondary unit would always be promoted as the new primary device during the failover.
A FortiGate secondary device is replaced following a regular FortiGate procedure (whether managed by FortiManager or not).  Once replaced, a simple Device Manager "Refresh" Connectivity action is sufficient to have the new serial number displayed within FortiManager's Device Manager System Information Dashboard.
 
Scope
 
FortiManager.


Solution

 

  1. From the FortiManager's Device Manager tab, download the latest Revision History configuration file for the FortiGate that is being replaced. This FortiGate configuration will be used to restore on the new replacement device.
  2. Edit the FortiGate configuration file to remove FortiManager's IP address from the 'central-management' configuration section (see below). This is necessary to avoid the FortiGate from registering itself as a 'new' device in the FortiManager 'Unregistered device' section, once it is restored on the unit:

 

config system central-management

    unset fmg

end

 

  1. Restore this modified configuration file directly on the new FortiGate.
  2. Change the original FortiGate recorded serial number on the FortiManager with the new device’s serial number, using the commands below:

 

diagnose dvm device list

execute device replace sn <device name> <serial number> 

 

Note:

The <serial number> is case-sensitive. Letters used in Fortinet product serial numbers are capitalized.

 

  1. Perform a Device Manager Connectivity check or Refresh to establish the FGFM management tunnel to the FortiGate.  If it fails to establish, the tunnel can be forced by executing the following command on the FortiManager.

 

execute fgfm reclaim-dev-tunnel <device name> 

 

Sample Configuration:

 

FortiGate:

 

config system central-management

    unset fmg

end

 

FortiManager:

 

diagnose dvm device list
--- There are currently 1 devices/vdoms managed ---

TYPE            OID    SN               HA      IP              NAME                                 ADOM                                 IPS                FIRMWARE
fmg/faz enabled 158    FGVM0XXXXXXXXXXX -       10.5.60.3       FGVM0XXXXXXXXXXX                     root                                 6.00741 (regular)  5.0 MR4 (7605)
                |- STATUS: db: not modified; conf: out of sync; cond: unknown; dm: autoupdated; conn: down
                |- vdom:[3]root flags:1 adom:root pkg:[imported] FGVM0XXXXXXXXXXX

execute device replace sn FGVM0XXXXXXXXXXX FGVM0YYYYYYYYYYY  <Device name:FGVM0XXXXXXXXXXX> <Serial number: FGVM0YYYYYYYYYYY>

 

Note:

Make sure to follow the syntax 'execute device replace sn <device name> <serial number>'.

 

execute device replace sn <device_name> <FGTXXXXXXXXXXXXX>
<Enter>

 

The GUI method has been included in FortiManager v7.2 and later releases:

To replace a managed device, there is a swap option: 

  1. Select the managed device that will be replaced from the device list.
  2. Select 'More' from the upper toolbar and select 'Swap device' from the drop-down list.

 

Swap-1.jpg

 

  1. Insert the new serial, admin, and password.

     

 

Swap-2.jpg

    Terms & ConditionsAccessibility statement