FortiManager
dkoprusak
Staff
Article Id 256170
Description

This article describes how to prepare FortiManager for an upgrade from 6.4 to 7.0, which significantly changes the way configurations work.

Scope

FortiManager.
Solution

The upgrade from FortiManager 6.4 to 7.0 introduced SD-WAN configuration changes:

https://docs.fortinet.com/document/fortimanager/7.0.3/sd-wan-configuration-migration/749083/introduc...


Unfortunately, due to the changes in the updated logic, FortiManager is unable to convert the configuration correctly during the upgrade process. As a result, the 'SD-WAN Provisioning Templates' (the successor of the former 'SD-WAN Central Management Templates') do not reflect the desired state after the upgrade and must be fixed manually (sometimes completely re-created).


This article provides a tool to automate the mentioned configuration process.


WARNING: Be aware that it is not technically possible to fully convert the v6 configuration to v7 as some configurations have no exact equivalent.


DISCLAIMER: The purpose of the tool is to simplify the migration process; it does not guarantee a full resolution for every environment, therefore use it at one's own risk. Before committing to the tool, make sure to have valid FortiManager configuration backup files in order to have an option to restore the configuration to the same state as before the tool's '-restore' option was run.


The automation task is handled with the FMGTool application:

- It has no dependencies and is intended to be run without any installation.

- It connects to FortiManager through a JSON API and performs actions as specified on the command line.


For more detailed information, see the attached 'fmgtool-release-notes.pdf'.


Prerequisites for the SD-WAN automation:

- Administrator with JSON API read-write privileges must exist on FortiManager.
- The user running this application must have write access to the local filesystem.

- Any computer from which the FortiManager HTTPS management interface is reachable.


Usage:

  1. Download the FMGTool archive for the operating system in use (Windows, Linux, MacOS) from this article and extract the tool from it.
  2. Execute the application from the COMMAND LINE while FortiManager is still running v6.4 to export the old SD-WAN central management profiles to a local file.


./fmgtool -host <FortiManager IP> -user <API admin username> -password <API admin password> workaroundSDWAN70 -file <filename>.xml -collect


EXAMPLE:


./fmgtool.windows_amd64.exe -host 192.168.10.10 -user APIadmin -password Fortinet01! workaroundSDWAN70 -file SDWANcollect.xml -collect


  3. Proceed with the FortiManager upgrade to v7.0.


  4. After the upgrade, run the tool again to update the SD-WAN profiles from the data in the file created previously. This action overwrites the relevant profiles on FortiManager.


./fmgtool -host <FortiManager IP> -user <API admin username> -password <API admin password> workaroundSDWAN70 -file <filename>.xml -restore


NOTE: To simulate central SD-WAN management configuration on 7.0, this tool creates meta fields for interfaces, source IP, and destination IP in the SD-WAN Provisioning Templates. This is necessary to allow reusing the same profile for multiple devices. However, on bigger configurations this can easily hit the maximum supported number of meta fields (255) and fail.


To deal with this, the -no-default-meta option avoids creating meta fields for source and destination addresses where they would have no benefit – for example, when only a single device is assigned to a profile, or when all assigned devices use the same value.


./fmgtool -host <FortiManager IP> -user <API admin username> -password <API admin password> workaroundSDWAN70 -file <filename>.xml -restore -no-default-meta
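Before running step 2 or step 4, a short pre-flight check against the JSON API confirms the prerequisites above (the API admin can log in over the HTTPS management interface) and that the unit is on the right version for that phase: still 6.4 for '-collect', 7.0 or later for '-restore'. This is an added example, not FMGTool's or Fortinet's code; the https://<host>/jsonrpc endpoint, the '/sys/login/user', '/sys/status' and '/sys/logout' URLs and the 'Major'/'Minor' keys are assumptions about the standard FortiManager JSON-RPC API, and the sample responses are constructed.

```python
# Added pre-flight check for the procedure above; not part of FMGTool or of Fortinet's code.
# Assumptions: JSON-RPC at https://<host>/jsonrpc, login via exec '/sys/login/user', version via
# get '/sys/status' (keys 'Major'/'Minor'), per-request status in result[0].status.code (0 = OK).
import json, os, ssl, sys, urllib.request

# Constructed sample responses (not captured from a real unit) for offline checks.
SAMPLE_LOGIN_OK = {"id": 1, "session": "constructed-session-token",
                   "result": [{"status": {"code": 0, "message": "OK"}, "url": "/sys/login/user"}]}
SAMPLE_STATUS_64 = {"id": 1, "result": [{"data": {"Major": 6, "Minor": 4, "Patch": 12},
                                         "status": {"code": 0, "message": "OK"}, "url": "/sys/status"}]}

def rpc(method, url, session=None, data=None):
    """Build one JSON-RPC request body; 'session' carries the token returned by login."""
    param = {"url": url, **({"data": data} if data else {})}
    return {"id": 1, "method": method, "params": [param], **({"session": session} if session else {})}

def check_rc(response):
    """Return result[0].data, raising when the per-request status code is non-zero."""
    result = response["result"][0]
    if result["status"].get("code", -1) != 0:
        raise RuntimeError(f"FortiManager API error {result['status']}")
    return result.get("data")

def version_ok(status_data, phase):
    """'-collect' must run on 6.4; '-restore' only after the upgrade to 7.0 or later."""
    if phase not in ("collect", "restore"):
        raise ValueError(f"unknown phase: {phase}")
    ver = (int(status_data["Major"]), int(status_data["Minor"]))
    return ver == (6, 4) if phase == "collect" else ver >= (7, 0)

def call(host, payload):
    ctx = ssl.create_default_context()  # keep TLS certificate validation on
    req = urllib.request.Request(f"https://{host}/jsonrpc", data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)

def preflight(host, user, password, phase):
    """Log in, read the version, always log out; True when the unit matches the phase."""
    login = call(host, rpc("exec", "/sys/login/user", data={"user": user, "passwd": password}))
    check_rc(login)
    session = login["session"]
    try:
        return version_ok(check_rc(call(host, rpc("get", "/sys/status", session))), phase)
    finally:
        call(host, rpc("exec", "/sys/logout", session))

if __name__ == "__main__":
    # usage: FMG_PASSWORD=... python fmg_preflight.py <FortiManager IP> <API admin> collect|restore
    host, user, phase = sys.argv[1:4]  # password comes from the environment, not the command line
    ok = preflight(host, user, os.environ["FMG_PASSWORD"], phase)
    print(f"{host}: {'ready' if ok else 'NOT ready'} for -{phase}")
    sys.exit(0 if ok else 1)
```

A non-zero exit means the unit is not in the expected phase (or the API admin could not log in), so the corresponding fmgtool run should not proceed.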


Another automated solution came with FortiManager releases 7.0.8, 7.2.3 and 7.4.0 in the form of a built-in CLI command:

diag cdb upgrade force-retry convert-sdwan-mapping


When considering this option, make sure to read the disclaimer printed in the CLI after executing the command. The preferred way to use this conversion is to execute the command after upgrading from 6.4 via 7.0 to 7.2.3 or later. This way, instead of creating Meta Fields, only Metadata Variables are created.


Related articles:

Technical Tip: New Logic of SD-WAN templates for FMG 7.0 and above

Technical Tip: New Meta Variables and their usage including Jinja scripting