Skip to main content
rosswakelin
rosswakelin
New Member
May 17, 2016
Solved

How to populate new ADOM with objects from an existing ADOM?

  • May 17, 2016
  • 1 reply
  • 14115 views

I've seem similar questions asked, but never answered adequately, so I thought I would bring it up again.

We are using FGM 5.4, and have an ADOM with all our 5.2 FGT systems, objects and policies. We are about to introduce our first 5.4 FGT into the mix, which means we HAVE to create a new ADOM on the FGM (you can't mix major versions in the same ADOM). So we have created the new (empty) ADOM, and now need to somehow get all our existing objects into it. 

One suggestion is to take a new FGT, downgrade it to 5.2, apply policies etc. from the 5.2 ADOM, upgrade the FGT back to 5.4, and then import it into the 5.4 ADOM.  Hmmm.  This might work if the policy we applied to the downgraded FGT contained ALL of the objects we need to transfer to the new 5.4 ADOM but....

FGM has this wonderful scripting interface, so there has to be (doesn't there??) a way to script dump the objects, policies etc. from our 5.2 ADOM and script import them all into the new 5.4 ADOM.  I have looked here, and gone backwards and forwards through the FGM admin and cli manuals, and for the life of me I can't see how it can be done.  With 5.4.1 about to appear on the download site, more and more organisations are going to be migrating/upgraded to the 5.4 line of code, and LOTS of people will want to do this.  I was hoping that Fortinet would have put a knowledge base article up about this, but I can't see one.

Does anyone have a "howto" on how to do this??

Thanks in advance.

    Best answer by rosswakelin

    So just to clarify things, this is what I ended up doing.

    Connect to the FMG CLI using a tool like putty.

    Set putty to write all the output to a local log file

    Chose what objects you want to dump, and what adom you want to dump them from, then use a line like:

     

    execute fmpolicy print-adom-object NZ5-2 140 all

     

    which in my case will dump all the address objects (the 140) out of the adom called NZ5-2. These objects will be dumped to the putty session screen, and captured to the log file.  This log file will contain the cli commands necessary to create all the objects you just dumped out.

    When the command completes, stop the putty console log, which closes the log file.

     

    Edit the putty log file to remove the command that you typed, which will be at the top of the file.

    Also edit the putty log file to remove any commands that won't work during the import stage e.g. any reference to some of the dynamic objects, or where the syntax has changed between the old ADOM version and the new one (e.g. URL address objects). Save the putty log file using a name that means something to you.

     

    Go to the FMG GUI, and select the ADOM you want to import the objects into. Select Device Manager. Click on the "Scripts" menu bar option.  Click on Import, and fill out the form to import the edited putty log file you just created.  You want to set the "Run Script On" selection to "Policy Package, ADOM Database".  click on OK to import the script.

    Right click on the script, and select Run, and it will prompt you "Run script on policy package" - select "default".  Click OK.  This will execute the script in the context of the ADOM, and hopefully it will complete ok.  If it fails, you can look at the script log file and you can see where it failed (look at the end of the log file), then edit the script to fix the error and run again.  NO items will be imported if the script contains an error, even if the error is on the last command in the script - an error causes the whole script to be rolled back..

    You then have to "rinse and repeat" for each of the object types you want to import into the new ADOM.

     

    I hope this helps some others...

     

    Ross

     

    1 reply

    lkorbasiewicz_FTNT
    Staff
    lkorbasiewicz_FTNT
    Staff
    May 17, 2016

    Hello,

     

    To populate new ADOM with objects you may dump content of the old ADOM using the CLI command:

     

    execute fmpolicy print-adom-object ADOM_ID TABLE_ID all

     

    Type question mark after "execute fmpolicy print-adom-object" to list ADOMs with their IDs and then again after choosing an ADOM to see list of objects.

    For example:

     

    execute fmpolicy print-adom-object 3 140 all

     

    will list all "firewall address" objects from "root" ADOM

    Then use output of this command as CLI script to populate new ADOM.

     

    Alternatively use

     

    execute fmpolicy print-adom-database 3

    to dump whole ADOM in a text form and remove parts you don't necessarily need before populating an ADOM.

     

    Best Regards,

    Lukasz Korbasiewicz

    Fortinet EMEA TAC Level 2

    Fortinet NSE7 Certified

    To reach support on call:

    http://www.fortinet.com/support/contact_support.html

     

    Helpful links:

    http://kb.fortinet.com

    http://video.fortinet.com

    http://docs.fortinet.com

    rosswakelin
    rosswakelinAuthorAnswer
    New Member
    May 18, 2016

    So just to clarify things, this is what I ended up doing.

    Connect to the FMG CLI using a tool like putty.

    Set putty to write all the output to a local log file

    Chose what objects you want to dump, and what adom you want to dump them from, then use a line like:

     

    execute fmpolicy print-adom-object NZ5-2 140 all

     

    which in my case will dump all the address objects (the 140) out of the adom called NZ5-2. These objects will be dumped to the putty session screen, and captured to the log file.  This log file will contain the cli commands necessary to create all the objects you just dumped out.

    When the command completes, stop the putty console log, which closes the log file.

     

    Edit the putty log file to remove the command that you typed, which will be at the top of the file.

    Also edit the putty log file to remove any commands that won't work during the import stage e.g. any reference to some of the dynamic objects, or where the syntax has changed between the old ADOM version and the new one (e.g. URL address objects). Save the putty log file using a name that means something to you.

     

    Go to the FMG GUI, and select the ADOM you want to import the objects into. Select Device Manager. Click on the "Scripts" menu bar option.  Click on Import, and fill out the form to import the edited putty log file you just created.  You want to set the "Run Script On" selection to "Policy Package, ADOM Database".  click on OK to import the script.

    Right click on the script, and select Run, and it will prompt you "Run script on policy package" - select "default".  Click OK.  This will execute the script in the context of the ADOM, and hopefully it will complete ok.  If it fails, you can look at the script log file and you can see where it failed (look at the end of the log file), then edit the script to fix the error and run again.  NO items will be imported if the script contains an error, even if the error is on the last command in the script - an error causes the whole script to be rolled back..

    You then have to "rinse and repeat" for each of the object types you want to import into the new ADOM.

     

    I hope this helps some others...

     

    Ross

     

    lkorbasiewicz_FTNT
    Staff
    lkorbasiewicz_FTNT
    Staff
    May 18, 2016

    Hi Ross,

     

    That's really nice, detailed step-by-step guide. Thanks for posting it here.

     

    Best Regards,

    Lukasz Korbasiewicz

    Terms & ConditionsAccessibility statement