Cybersecurity Forum


Nik
New Contributor II

Fortimanager for upgrading some fortigates

Hi,

We have a lot of fortigates and we want to upgrade these but doing it manually requires a lot of time and we are looking at deploying a fortimanager to do the upgrade automatically. I have a question though about this.

  1. If we add the fortigates on the fortimanager, I assume we won't be able to manage them locally! Does the fortigate keep the previous configuration after we add them on fortimanager or does the fortimanager wipe it out?
  2. What happens with fortigates if let's say, after the upgrade is done, we want to remove them from the fortimanager and shut it down (the fortimanager). Will the fortigates still continue to have the same configuration after the removal?
Thanks in advance.

BR
rculler
New Contributor

A few things on Fortigates and Manager.
1) You can still manage a Fortigate locally even with it attached to Manager - you get a warning on the Fortigate when you log in but it still works. 
2) The Fortimanager will pull the config of the Fortigate and store it on itself and give you the ability to import policies etc.
3) If you remove a Fortigate from Manager it retains its config. (On the Fortigate itself you disable Fortimanager management and connection)
4) Depending on the model and firmware versions of your Fortigates you may run into issues with version support on the manager.  Make sure you check the device model and firmware compatibility of your oldest Fortigates and the firmware version you are wanting to upgrade to.  Your manager will need to support the entire group.
5) If you have multiple major versions of firmware on your Fortigates you will have to add them to an appropriate ADOM Version on the manager and then upgrade the ADOM version as you update Fortigates to the next major version.
6) Lastly, using the Manager to do the updates may not save you any time and may cause more issues vs having to upgrade them directly. I have been involved in many Fortigate firmware updates that in some instances required as many as 5 separate firmware updates to get to a desired version and manager didn't handle the updates well. We found that when you have multiple models and different major and minor versions on them that it was sometimes faster to do it manually on the device.

Make sure you check the "FortiOS Version Upgrade Path tool" on the support site under Download Firmware Images. It will give you the exact upgrade path for each device based on model, current firmware version and desired version (Follow that path or you could end up with a lot of issues on the devices themselves and with Manager)
XPERTSGold2021

Ron just knocked it out of the park here. A few notes:

1) You can select different installation targets in FortiManager (FMGR) to install differing variables, as in gateway IPs, to different devices but using the same security policy packages. This means you are able to push global updates to ALL devices in your ADOMs all while retaining disparate dynamic objects.
2) Be very careful when upgrading firmware in FMGR. I have seen them fail due to upgrade path differences. Check that path. Differences between firmware can really piss you off when you go to upgrade in FMGR. Check the bugs in your resting firmware. Make sure it will suit your needs without the extra stress of "figuring it out" on the fly.
3) It may suck for advanced Fortigate users, but for novice or tier I analysts, use the FMGR to make changes. You can set an approval process where changes need to be approved before pushing. But using FMGR for administration is awesome. It keeps everyone accountable with revision histories. No one is stepping on anyone else.

Hope this helps and good luck!
David, NSE 5
Green Cloud Defense
XPERTS-EAST Gold Winner 2021