spathak
Staff
Description

This article describes how to change the IP Address in Asset Management and re-apply the corrected FortiManager/FortiAnalyzer license file.

 

In some scenarios, the FortiManager/FortiAnalyzer VM may need to be migrated to a new network and assigned a new IP address.


When the IP address is changed, the previous license file can no longer be validated. This disables the GUI and some CLI features until the correct license file is uploaded.

Scope

FortiManager/FortiAnalyzer.
Solution

1) Change the IP under FortiCloud Asset Management (Support Portal).

- At https://support.fortinet.com/, log in with the FortiCloud credentials.

 

- Go to Asset Management -> My Assets and select the device. In the 'Product information' widget, select the 'pen' icon and enter the new IP address.

 


 

- Back in the 'Product information' widget, download the new license file from the 'License File Download' hyperlink.

 


 

Keep the new '.lic' file where it is easily accessible.

 

2) Change the IP of the management interface:


Go to System Settings -> Network -> Interface -> Edit.

 


 

Once updated, select 'OK' to save the changes.

 

Note:

FortiManager will reboot automatically at this point, since the new IP invalidates the old license file.

 

- When FortiManager/FortiAnalyzer boots up, log in to the GUI with a system-level admin account (i.e. 'Super_User' profile).


3) Upload the new license file when prompted.

 

Note:

FortiManager will reboot automatically at this point, since the new license file matches the new IP.

4) Reclaim the FortiGate to FortiManager tunnels.

 

If FortiManager cannot initiate the tunnels to the managed FortiGates from its new IP, run the command below in the FortiManager CLI:


# exe fgfm reclaim-dev-tunnel

 

If the FortiGate to FortiManager tunnels come up after running the above command, the new FortiManager IP will be automatically updated on all managed FortiGates.

If some FortiGates are behind NAT and cannot be reached from FortiManager, use the following FortiGate CLI commands to set the new FortiManager IP address:


# config system central-management
    set type fortimanager
    set fmg xxx.xxx.xxx.xxx <--- IP address of the FortiManager.
end

 

Troubleshooting:

In case of license issues or errors, run the command below and attach its output when creating a support ticket.

 

# diag debug vminfo

 

For FortiGate-FortiManager connectivity issues, collect the following debugs:

Debug on FortiGate:

# diag debug reset

# diag debug application fgfm 255

# diag debug en

 

Debug on FortiManager:

 

# diag debug reset

# diag debug application fgfm 255 <IP>

# diag debug en

 

To restart the connection from the FortiGate CLI, restart the 'FGFM' daemon:

 

# fnsysctl killall fgfmd


Related articles for connectivity troubleshooting:

https://community.fortinet.com/t5/FortiAnalyzer/Troubleshooting-Tip-FortiGate-to-FortiAnalyzer-conne...

https://community.fortinet.com/t5/FortiManager/Troubleshooting-Tip-How-to-troubleshoot-connectivity-...

 

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-How-to-migrate-a-FortiAnalyzer-logs-an...
