Note:
In the case of migrating between VM environments, 'exec restore' can be used instead of 'exec migrate' to load the configuration. This allows for system settings to be copied over. The license can run on 2 systems at the same time for a grace period of 7 days.
- Have the necessary, valid licenses prepared (for VMs).
- System-level settings will not be migrated (when using 'exec migrate'). For example: Network settings, administrator profiles, users, etc.
- Before starting the migration, verify that the target platform has equal or larger disk storage capacity and ADOM/device limits than the source. Migrating to a device with lower capacity may silently truncate logs or prevent full report/analytics data restoration.
- After completing the migration to a new platform, confirm that all the needed system-level settings have also been manually configured.
- When the original and target platforms are the same, use standard backup recovery instead to retain all of the settings.
- This article will migrate from FortiAnalyzer-200F to FortiAnalyzer-KVM as an example.
Config migration:
- Take a backup of the current configuration:
- GUI: Go under Dashboard -> System Information widget -> System Configuration -> Backup.

- CLI:

execute backup all-settings {ftp | sftp} <ip:port> <path/filename> <username> <password> <crptpasswd>

execute backup all-settings sftp 192.168.1.100:22 /home/fortinet/Downloads/ username password backup-file-pwd
Starting backup all settings in background, Please wait.
# Starting transfer the backup file to SFTP server...
Transferred 172.386M of 172.386M in 0:00:10s (16.262M/s)
Backup all settings...Ok.
MD5: 318724e725f0050ec071bd86cd89a11d
Note:
It is mandatory to enter the password <crptpasswd> for the backup file in the latest firmware version.
- On the current device, in the GUI, go to System Settings -> Network -> DNS and change the IP to any dummy IP address to prevent it from resolving.
Note:
This step is only applicable when migrating between VM platforms.
- Deploy a new Virtual Machine instance with the same firmware version as the current device.
- Once the new instance is up, configure the system-level settings:
- Network interface.
- Same management IP address, to avoid requesting a new license.
- Same DNS IPs as the old instance if in the same network.
- Don't forget to add the FortiAnalyzer/FortiManager IPs in firewall policies to access the FortiGuard Server.
- Static route.
- Enable ADOM (if applicable).
- Download the license file from the support portal.
Technical Tip: How to reuse FortiManager/FortiAnalyzer VM license
- In the new instance, log in to the GUI and upload the license file:
- v7.4.x and above, go under Dashboard -> License Information -> VM License -> Upload the downloaded license file in step (5).
- v7.2.x and below, go under System Settings -> Dashboard -> License Information -> VM License -> Upload the downloaded license file in step (5).

- Migrate the data and settings from the old instance to the new instance (System-level settings will not be migrated):
- v7.4.3 and above: go under Dashboard -> System Information widget -> System Configuration -> Restore -> Migrate.

execute migrate all-settings <ftp/scp/sftp> <server ip> <path/filename> <username> <password> <crptpasswd>
execute migrate all-settings sftp 192.168.1.100:22 /home/fortinet/Downloads/backup.dat username password backup-file-pwd
This operation will replace the current databases and reboot the system.
Make sure the following are true:
- This model has higher/equal capability than the backup, e.g. device/adom limit, disk storage size.
- The backup database version is the same as the current version. You may upgrade to a newer version after, but downgrade is NOT supported.
Do you want to continue? (y/n)y
Starting transfer the backup file from SFTP server...
Transferred 172.386M of 172.386M in 0:00:02s (60.163M/s)
- At this stage, a new instance will be running with the migrated settings from the old device.
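One way to confirm that the backup file on the SFTP server is intact before running 'execute migrate', as an added example that is not part of the original article: it compares the file against the MD5 printed by 'execute backup all-settings'. It assumes the printed MD5 is the digest of the transferred file and that the CLI output was saved to a file; the function names and demo data are hypothetical.

```shell
#!/bin/sh
# Added example: check a backup file against the MD5 the backup command printed.
# Assumption: the "MD5:" value in the CLI output is the digest of the transferred file.

# extract_md5 TRANSCRIPT -> prints the last "MD5: <32 hex>" digest found, lowercased.
# grep -o copes with output where the MD5 shares a line with other messages.
extract_md5() {
    grep -Eo 'MD5: [0-9a-fA-F]{32}' "$1" | tail -n 1 | awk '{print tolower($2)}'
}

# verify_backup TRANSCRIPT FILE
# returns 0 = match, 1 = mismatch, 2 = no digest in transcript, 3 = file missing
verify_backup() {
    expected=$(extract_md5 "$1")
    [ -n "$expected" ] || { echo "no MD5 found in $1" >&2; return 2; }
    [ -f "$2" ] || { echo "backup file $2 not found" >&2; return 3; }
    actual=$(md5sum "$2" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $2 matches $expected"
        return 0
    fi
    echo "MISMATCH: expected $expected, got $actual" >&2
    return 1
}

# Constructed demo data (not a real backup): a stand-in file and a saved CLI transcript.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for backup.dat\n' > "$demo_dir/backup.dat"
demo_sum=$(md5sum "$demo_dir/backup.dat" | awk '{print $1}')
printf 'Transferred 172.386M of 172.386M in 0:00:10s (16.262M/s) Backup all settings...Ok. MD5: %s\n' \
    "$demo_sum" > "$demo_dir/backup.log"

verify_backup "$demo_dir/backup.log" "$demo_dir/backup.dat"
```

A match shows the file arrived complete and uncorrupted. MD5 is not a defence against deliberate tampering, so restrict access to the server that holds the backup.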
Logs and reports migration:
Technical Tip: Backup and restore of FortiAnalyzer settings, logs and reports
- Back up logs from the old FortiAnalyzer to the FTP server:
execute backup logs <device name(s)| all> <ftp/sftp/scp> <ip> <user name> <password> <directory>
execute backup reports <report name or all> <ftp/sftp/scp> <ip> <user name> <password> <directory>
- Restore the logs from the FTP server into the new FortiAnalyzer:
execute restore logs <device name(s)| all> <ftp/sftp/scp> <ip> <user name> <password> <directory>
execute restore reports <report name or all> <ftp/sftp/scp> <ip> <user name> <password> <directory>
- Rebuild the SQL database in the new FortiAnalyzer. The following command will reboot FortiAnalyzer, and the database rebuild process will run in the background.
execute sql-local rebuild-db
diagnose sql status rebuild-db
- Once the database rebuild has been completed, navigate to LogView and verify the analytics logs.
Update FortiGate configuration settings:
- Point FortiGate to the new instance with the steps below and restart the respective FortiGate daemon.
For FortiAnalyzer:
- Run the following CLI command in FortiGate to point it to the new instance:
execute batch start
config log fortianalyzer setting
set server <<new FAZ IP address>>
set serial <<new FAZ serial number>>
end
execute batch end
- Run the following CLI command in FortiGate to restart the daemon:
fnsysctl killall miglogd
For FortiManager:
- Run the following CLI command in FortiGate to point it to the new instance:
execute batch start
config system central-management
set fmg <<new FMG IP address>>
set serial-number <<new FMG serial number>>
end
execute batch end
- Run the following CLI command in FortiGate to restart the daemon:
fnsysctl killall fgfmd
- Run the following CLI command in FortiManager to reclaim the FGFM tunnel:
execute fgfm reclaim-dev-tunnel --> For all managed FortiGates.
execute fgfm reclaim-dev-tunnel <device_name> force --> For specific FortiGate.
Note:
When a large number of FortiGates need to be migrated, using the original FortiManager to run a CLI script to change the central-management IP and serial number would be useful. The CLI script should be run with the target as 'Remote FortiGate Directly (via CLI)'.
Related article:
Technical Tip: Using exec migrate to migrate to a new FortiAnalyzer/FortiManager model
Technical Tip: How to migrate a FortiAnalyzer logs and config to a new system after RMA or a FortiAn...