FortiDave
Explorer
May 19, 2022
Solved

Manually migrating Fortigate Config to Fortimanager

  • 2 replies
  • 4892 views
Hi,

I have a Fortigate firewall managed by Fortimanager, and I built a VPN directly on the firewall, rather than using the Fortimanager VPN manager tool. When I tried to import the updated FGT config into the Fortimanager, there is an issue with ADOM / FGT compatibility.

ADOM is version 7.0, and the FGT is 6.4.6. (I'm not in a position to upgrade FGT for now.)

I can push a policy OK. So basically, without being able to sync my changes to the FGM, any policy push is going to overwrite and wipe the VPN.

Can anyone advise if it's possible to take the VPN config, routes, policy etc. from FGT and copy them in via CLI or script on the Fortimanager? Or is it just a matter of redoing the VPN via the FGM VPN manager tool?

The VPN is in production now, so I'd prefer not to impact things if at all possible.
Best answer by Debbie_FTNT

2 replies

Debbie_FTNT
Staff & Editor
May 19, 2022

Hey FortiDave,

It's not possible to copy the FGT config via CLI to FortiManager.

You could maybe get away with some scripting to ADOM database, but that would be a bit tricky.

You can also manually rebuild the policies in FortiManager to line up with current FortiGate configuration.

The main points would be:
- you need some interface objects in ADOM database that map to the FortiGate VPN interfaces

-> these almost certainly need to be created manually

-> as long as FortiGate updated its own config to FortiManager device manager, you should be able to map the ADOM interface object to the VPN tunnel

-> do you see the tunnel interfaces in Device Manager? If not, you could retrieve the configuration (import to just Device Manager level, no ADOM DB shenanigans)

 

Once you have the interfaces mapped, everything else should be fairly straightforward

-> ensure you have the policy-relevant objects in place (addresses/users/groups/etc); these should be simple to script by copy&pasting from FGT config

-> either script (not sure if this will work) or manually recreate the VPN policies with the appropriate ADOM interface object (that maps to the FGT VPN interface)

 

After this, start an installation and check in the Preview what FMG is trying to do; I believe it should NOT try to remove the VPN anymore (given that it's attached to an in-use interface), though it might try to delete and recreate the policies around it
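
The manual rebuild described in this reply (find the interface objects, the policy-relevant objects and the policies that hang off the tunnel, then script the objects from the FGT config) is easier with a small parser for the FortiOS CLI dump. The following is an added example, not code from this thread or from Fortinet: it parses a constructed FortiGate config, lists everything that references one tunnel interface (phase1/phase2, static routes, firewall policies and the address objects those policies use), and renders the address objects back out in FortiOS syntax. That the rendered syntax is what a FortiManager CLI script run against the ADOM database accepts is an assumption noted in the code; the tunnel name `vpn-hq`, the sample config and all object names are constructed. The dependency list is also what to compare against the installation preview before the first push, to see whether FMG intends to remove any of it.

```python
"""Pull everything tied to one IPsec tunnel out of a FortiOS CLI config dump.
Added example for the thread, not Fortinet code; the config below is constructed."""
import shlex

SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "vpn-hq"
        set interface "port1"
        set remote-gw 198.51.100.1
    next
end
config vpn ipsec phase2-interface
    edit "vpn-hq-p2"
        set phase1name "vpn-hq"
    next
end
config firewall address
    edit "LAN_10.10.0.0/24"
        set subnet 10.10.0.0 255.255.255.0
    next
    edit "HQ_10.20.0.0/24"
        set subnet 10.20.0.0 255.255.255.0
    next
end
config router static
    edit 2
        set dst 10.20.0.0 255.255.255.0
        set device "vpn-hq"
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "vpn-hq"
        set srcaddr "LAN_10.10.0.0/24"
        set dstaddr "HQ_10.20.0.0/24"
    next
    edit 2
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_10.10.0.0/24"
        set dstaddr "all"
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {table: {entry: {key: [values]}}}.
    A "config" block nested inside an entry lands under that entry as a sub-dict."""
    root = {}
    stack = [[root, None]]          # frames: [table_dict, current_entry_or_None]
    for raw in text.splitlines():
        tokens = shlex.split(raw)   # handles the double-quoted names FortiOS emits
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        table, entry = stack[-1]
        if kw == "config":
            parent = table if entry is None else entry
            stack.append([parent.setdefault(" ".join(args), {}), None])
        elif kw == "edit":
            stack[-1][1] = table.setdefault(args[0], {})
        elif kw == "set":
            (table if entry is None else entry)[args[0]] = args[1:]
        elif kw == "next":
            stack[-1][1] = None
        elif kw == "end":
            stack.pop()
    return root


def tunnel_dependencies(cfg, tunnel):
    """Everything that references the tunnel: the set an FMG install preview must keep."""
    p2 = [n for n, e in cfg.get("vpn ipsec phase2-interface", {}).items()
          if e.get("phase1name") == [tunnel]]
    routes = [n for n, e in cfg.get("router static", {}).items()
              if e.get("device") == [tunnel]]
    pols = {n: e for n, e in cfg.get("firewall policy", {}).items()
            if tunnel in e.get("srcintf", []) + e.get("dstintf", [])}
    addrs = {a for e in pols.values() for a in e.get("srcaddr", []) + e.get("dstaddr", [])}
    addrs.discard("all")            # built-in object; never recreate it in the ADOM
    return {"phase1": cfg.get("vpn ipsec phase1-interface", {}).get(tunnel),
            "phase2": sorted(p2), "routes": sorted(routes),
            "policies": sorted(pols, key=int), "addresses": sorted(addrs)}


def render_address_script(cfg, names):
    """Emit the named address objects in FortiOS syntax. Assumption: this is the
    syntax a FortiManager CLI script run against the ADOM database accepts.
    Values are emitted unquoted, so names/values containing spaces need quoting."""
    out = ["config firewall address"]
    for name in names:
        out.append(f'    edit "{name}"')
        for key, vals in cfg["firewall address"][name].items():
            out.append(f"        set {key} {' '.join(vals)}")
        out.append("    next")
    out.append("end")
    return "\n".join(out)
```

Run `tunnel_dependencies(parse_fortios(open("fgt.conf").read()), "vpn-hq")` against a real `show full-configuration` dump to get the policy IDs, route IDs and address objects the tunnel depends on; only the address objects are rendered to a script here, because phase1/phase2 and the tunnel interface are meant to stay device-side in the approach this reply describes, and the policies still need the ADOM interface object mapped before they can be recreated.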

FortiDave (Author)
Explorer
May 19, 2022

Thanks Debbie, appreciate the detailed response.

 

Seems a bit convoluted for the time I have. I'll probably just rebuild the VPN from FGM and push / overwrite current config.

 

Two questions, if you can help..

 

I like to use the FGT VPN wizard directly on the firewall as it builds the routes, interfaces, policy automatically. Does the VPN Manager on FGM provide the same benefits, or is it a more manual process?

 

Also, if I was to upgrade the FGT in line with ADOM, and re-import configuration, does all the VPN config / settings migrate nicely, or is there still a manual process involved?

 

I'm trying to gauge if it was just a bad idea doing direct on FW, regardless of the ADOM mismatch.

 

Thanks again. 

Debbie_FTNT
Staff & Editor
May 19, 2022

Hey FortiDave,

it would be pretty convoluted, true.

 

Regarding the VPN Manager on FortiManager, yes, it provides roughly the same benefit.

-> it automatically creates the VPN tunnels, routing, interfaces, etc
-> you would have to manually create the policies though

-> if you go for a full-mesh between multiple FortiGates, you only have to add the FortiGates a single time and tunnels will be created automatically between each node

-> https://docs.fortinet.com/document/fortimanager/6.4.0/examples/556949/configuring-a-full-mesh-vpn-topology-within-a-vpn-console for example
-> https://docs.fortinet.com/document/fortimanager/6.4.8/administration-guide/770750/overview

 

Regarding importing the FortiGate again post-upgrade:
- FortiManager should ignore the VPN and only have an interface and policy for it

-> the VPN will NOT show in VPN manager

- if the VPN is not properly mapped to interfaces/policies FortiManager might try to delete it, so check the installation preview carefully

 

In principle, if you are going to use FortiManager extensively, and are planning to do centralized VPN management with FortiManager, I would suggest recreating the tunnels in FortiManager VPN manager and replacing the configuration existing on FortiGate to get the VPN better integrated into policy packages and central management, but if you just have the few VPNs and don't plan any major changes or additions, you can also just leave it as is.

sw2090
SuperUser
May 20, 2022

If you change anything in the config on the FGT and not via FMG, you have to do a retrieve config in FMG Device Manager afterwards to have FMG take over the changes. Otherwise they might indeed be overwritten, since deploying a policy package will always also deploy the device config.