FortiManager
nradia_FTNT
Staff
Article Id 346859

Description

 

This article describes how to replace a managed FortiGate with a different model in FortiManager.

 

Scope

 

FortiManager.

 

Solution

 

As explained in the article Technical Note: How to replace a FortiGate unit in the FortiManager configuration, following an RMA ..., when replacing a managed FortiGate with a different model, the new FortiGate must be added to FortiManager as a new device. This is necessary because interfaces and other hardware-specific configurations differ between FortiGate platforms.

 

Usually, the first step is to migrate the configuration from the old to the new FortiGate using FortiConverter, as described in: Technical Tip: How to load/convert a FortiGate configuration file from one unit to another (file con...

Once the configuration is loaded onto the new FortiGate and confirmed working, the new unit can be added into FortiManager.

One of the following options can be used to recreate the mapping and push the ADOM/Global configuration:

 

  1. Use Import Configuration -> Import Policy Package to import the Policies and Objects of the converted configuration into a separate/new Policy Package. See this article: Technical Tip: Import from device to ADOM.
    Since the configuration of the new FortiGate is essentially the same as the old one, during the import operation FortiManager will auto-create per-device mappings for the Normalized Interfaces and the shared ADOM objects.
    To better understand the per-device mappings, see: Technical Tip: Per-Device mapping behavior.

    Note:
    If the old FortiGate configuration contains FortiManager-created objects that cannot be directly imported (such as Global policies and objects, Policy Blocks, VPN Manager context, Templates, etc.), the newly imported Policy Package should not be installed back, as doing so will delete these elements. In that case, depending on the features used, the new FortiGate should be set as the installation target of the old Policy Package, added as a new gateway in the respective VPN Manager community, have its metadata variables mapped manually, and be assigned to the relevant Provisioning Templates.

  2. The second option is to manually create the per-device mappings for the new FortiGate, then assign the old Policy Package (and provisioning templates, if used).
    This option might be more convenient if no dynamic objects are used in the ADOM, and per-device mapping is only needed for a limited number of Normalized Interfaces.

 

The final step is to use Install Wizard -> Install Policy Package & Device Settings to push the policies and objects to the new FortiGate unit.

 

Note: Before installation, make sure to carefully check the Install Preview for unexpected changes.
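
One way to support the Install Preview check above is to scan the previewed CLI script for commands that remove configuration. The following is an added example, not part of the original article or a Fortinet tool. It assumes the preview text has been copied into a string or file; the function name and the sample preview are constructed for illustration.

```python
# Constructed sample of Install Preview output (not from a real device).
SAMPLE_PREVIEW = """\
config firewall address
    edit "srv-web"
        set subnet 10.0.10.5 255.255.255.255
    next
    delete "old-branch-net"
end
config firewall policy
    edit 12
        unset utm-status
        set dstintf "port5"
    next
    delete 40
end
config vpn ipsec phase1-interface
    delete "hub-to-branch7"
end
"""

# FortiOS CLI keywords that remove objects or settings.
DESTRUCTIVE = ("delete", "unset", "purge")


def find_destructive_changes(preview_text):
    """Return (line_no, config_path, command) for each delete/unset/purge line.

    Hypothetical helper: tracks nested config/edit blocks so every finding
    shows which table (and entry) the removal applies to.
    """
    stack = []      # currently open "config ..." / "edit ..." blocks
    findings = []
    for line_no, raw in enumerate(preview_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        keyword = line.split()[0]
        if keyword in ("config", "edit"):
            stack.append(line)
        elif keyword == "next":
            if stack and stack[-1].startswith("edit "):
                stack.pop()
        elif keyword == "end":
            # "end" closes a still-open edit (if any) and then the config block
            if stack and stack[-1].startswith("edit "):
                stack.pop()
            if stack:
                stack.pop()
        elif keyword in DESTRUCTIVE:
            findings.append((line_no, " / ".join(stack), line))
    return findings


if __name__ == "__main__":
    for line_no, path, cmd in find_destructive_changes(SAMPLE_PREVIEW):
        print(f"line {line_no}: [{path}] {cmd}")
```

Any finding under a table that should carry over unchanged (for example VPN phase1 interfaces or policies referencing Policy Blocks) is a reason to stop and recheck the Policy Package assignment and per-device mappings before installing.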