Skip to main content
Jason_ZA
Jason_ZA
Explorer
November 19, 2024
Question

Migrating FortiClient EMS from v7.2.x to v7.4.x issues and learnings

  • November 19, 2024
  • 2 replies
  • 3038 views

Hopefully my pain and suffering, with multiple issues, over the last couple of days will benefit others.

 

1) Make every effort to install the new server in a virtualised environment and take snapshots as often as you can. I landed up reinstalling and rolling back to snapshots more times than I can count.

 

2) If you deploy a minimal install of Ubuntu make sure that logrotate is installed as well otherwise the FortiClientEMS install will fail with no way to start it up again (roll back / reinstall time)

 

3) If you have a code signing certificate on your old server, make sure you remove it before running the migration tool (the migration will fail (I used the v7.4.1 migration tool) with no way to restart the migration (roll back / reinstall time). The migration tool throws a rather useless error (sqlalchemy.exc.DataError: (pyodbc.DataError) ('22001', '[22001] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]String or binary data would be truncated. (8152) (SQLExecDirectW)')) that took me hours to troubleshoot and I couldn't find any answers online related to FEMS migration. I took a chance by removing the cert and it worked. You can add the code signing cert back in to the new server after the migraiton has completed.

 

4) If you're using ZTNA tags make sure you edit one of the tags in the new server and save it otherwise tags don't get applied to endpoints. I didn't reboot the server after the migration, however the migration tool stops all services before the migration and starts them up again after the migration, but the tags weren't working until I edited and saved one of the tags. Then all the tags applied to all endpoints correctly.

 

5) If you use AD auth make sure you know the password for the built-in admin account. AD auth broke for me due to a missing intermediatory certificate (that I can't recall being a requirement in v7.2.x or the migration tool failed to bring the cert across)

 

Having worked with *nix for the last 25 years this process was one of the most painful experiences I've had in a while. Good luck!

2 replies

Jason_ZA
Jason_ZAAuthor
Explorer
November 19, 2024

This isn't an upgrade issue. This is a migration (which happens to be an upgrade as well) from one platform to another. FortiClient EMS prior to v7.4.x was Windows based. All you had to do was run the installer to upgrade.

 

From v7.4.x onwards Fortinet has moved away from Windows and now requires a Linux host and for you to run through their migration process which has issues, hence the post for anybody else who might experience the same issues I had.

Jason_ZA
Jason_ZAAuthor
Explorer
November 20, 2024

Additional issue related to /tmp and /opt being on different partitions.

 

Solution here.

 

Terms & ConditionsAccessibility statement