FortiManager
Author: Nur (Staff)
Article Id: 362510
Description: This article describes the best practice for replacing a FortiManager.
Scope: FortiManager and FortiGate.
Solution

When a FortiGate is integrated with FortiManager, the FortiGate's central-management configuration records the FortiManager serial number and IP address:

Ertiga-kvm09 # config system central-management

Ertiga-kvm09 (central-management) # show
config system central-management
    set type fortimanager
    set serial-number "FMG-VM0AXXXXXXXX"
    set fmg "10.47.X.X"
end

When the FortiManager is replaced, the new unit's serial number and source IP differ from those stored in the FortiGate's central-management configuration. To keep the FGFM tunnel daemon running without interruption, follow these steps:

  1. On the FortiGate, add the new FortiManager's serial number and source IP to central-management alongside the existing entries.

config system central-management
    set type fortimanager
    set serial-number "FMG-VM0A170027XX" "FMG-VMTM190060XX"
    set fmg "10.47.1.XX" "10.47.4.XX"
end

On older firmware versions, the commands must be entered in batch mode:

exe batch start
config system central-management
    set type fortimanager
    set serial "FortiManager-Serial-Number"
    set fmg "FortiManager source-IP"
end
exe batch end

  2. Authorize the FortiGate from the new FortiManager.

  3. After authorization completes, the old FortiManager serial number and source IP can be removed from central-management (again in batch mode):

    Ertiga-kvm09 # exe batch start
    Enter batch mode...
    Ertiga-kvm09 # config system central-management
    Ertiga-kvm09 # unset serial-number "FMG-VM0A17002722"
    Ertiga-kvm09 # unset fmg "10.X.X.X"
    Ertiga-kvm09 # end
    Ertiga-kvm09 # exe batch end

  4. Then check the FGFM status, which should show the new FortiManager serial number:

    Ertiga-kvm09 # diag fdsm central-mgmt-status
    Connection status: Up
    Registration status: Registered
    Serial: FMG-VMTM190060XX

  5. When the FortiGate is authorized on the new FortiManager, its policy package is not imported, because the FortiGate is treated as a newly added device.

  6. To ensure the policy package exists on the new FortiManager, the two FortiManagers can be configured as an HA pair (this step is possible only while the old FortiManager is still accessible through console, CLI, or GUI).

  7. If the FortiManagers are configured as HA, central-management detects two serial numbers; then proceed to step 3 to remove the old FortiManager serial number.
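Steps 3 and 4 can be verified from captured CLI output. The following Python script is an added example, not code from the article or from Fortinet: it parses constructed 'show system central-management' and 'diag fdsm central-mgmt-status' output modelled on the sessions above and reports anything that blocks declaring the cut-over complete (old serial still present, tunnel down, or tunnel terminating on the wrong FortiManager).

```python
import re

# Constructed sample outputs modelled on the article's CLI sessions (masked placeholders).
SHOW_OUTPUT = """config system central-management
    set type fortimanager
    set serial-number "FMG-VM0A170027XX" "FMG-VMTM190060XX"
    set fmg "10.47.1.XX" "10.47.4.XX"
end
"""
STATUS_OUTPUT = """Connection status: Up
Registration status: Registered
Serial: FMG-VMTM190060XX
"""

def parse_central_management(show_output):
    """Map each 'set' key in 'show system central-management' to its list of values."""
    settings = {}
    for line in show_output.splitlines():
        m = re.match(r'\s*set\s+(\S+)\s+(.*)$', line)
        if m:
            # values are quoted strings ("FMG-...") or bare tokens (fortimanager)
            pairs = re.findall(r'"([^"]*)"|(\S+)', m.group(2))
            settings[m.group(1)] = [quoted or bare for quoted, bare in pairs]
    return settings

def parse_fgfm_status(status_output):
    """Map 'Field: value' lines of 'diag fdsm central-mgmt-status' to a dict."""
    fields = {}
    for line in status_output.splitlines():
        if ':' in line:
            key, value = line.split(':', 1)
            fields[key.strip()] = value.strip()
    return fields

def check_migration(show_output, status_output, old_serial, new_serial):
    """Return findings that block declaring the cut-over complete ([] means done)."""
    cfg = parse_central_management(show_output)
    status = parse_fgfm_status(status_output)
    serials = cfg.get('serial-number', [])
    findings = []
    if new_serial not in serials:
        findings.append('new serial %s missing from central-management' % new_serial)
    if old_serial in serials:
        findings.append('old serial %s still present; unset it once authorization is done' % old_serial)
    if status.get('Connection status') != 'Up':
        findings.append('FGFM tunnel is not Up')
    if status.get('Registration status') != 'Registered':
        findings.append('FortiGate is not registered with FortiManager')
    if status.get('Serial') != new_serial:
        findings.append('FGFM tunnel terminates on %s, not the new FortiManager' % status.get('Serial'))
    return findings
```

Run it against the output captured before and after step 3; the old-serial finding should disappear once the unset has been applied.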