jdvorak
Staff
Article Id 194215

Description

This article describes how to replace a FortiGate unit in the FortiManager configuration, following an RMA hardware replacement.

 
This procedure ONLY applies to the replacement of a FortiGate with another FortiGate of the same model. (If upgrading a FortiGate to another model, add the new unit as a new device.)

The procedure is generally for standalone (non-HA) units; it does not need to be followed for devices in HA mode. It is not applicable to an RMA of the primary device either, because the functional secondary unit is always promoted to primary during the failover.

A FortiGate secondary device is replaced by following the regular FortiGate procedure (whether managed by a FortiManager or not). Once replaced, a simple Device Manager 'Refresh' Connectivity action is sufficient for the new serial number to be displayed in the FortiManager's Device Manager System Information dashboard.
 
Scope

FortiManager.

Solution

 

  1. From the FortiManager's Device Manager tab, download the latest Revision History configuration file for the FortiGate that is being replaced. This configuration will be restored on the new replacement device.
  2. Edit the FortiGate configuration file to remove the FortiManager's IP address from the 'central-management' configuration section (see below). This is necessary to prevent the FortiGate from registering itself as a 'new' device in the FortiManager's 'Unregistered Devices' section once the configuration is restored on the unit:

config system central-management
    unset fmg
end

 

 

  3. Restore this modified configuration file directly on the new FortiGate.
  4. Replace the original FortiGate's serial number recorded on the FortiManager with the new device's serial number, using the commands below:

diagnose dvm device list

execute device replace sn <device name> <serial number>

 

Note:

The <serial number> is case-sensitive. Letters used in Fortinet product serial numbers are capitalized.

 

  5. Perform a Device Manager Connectivity check or Refresh to establish the FGFM management tunnel to the FortiGate. If it fails to establish, the tunnel can be forced by executing the following command on the FortiManager:

execute fgfm reclaim-dev-tunnel <device name>
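Steps 2 and 4 are where a small slip silently undermines the procedure: a backup restored with the FortiManager address still in it makes the new unit show up under Unregistered Devices, and the serial number argument of the replace command is case-sensitive. The Python script below is an added illustration, not part of this article or of Fortinet's tooling. It edits a saved FortiGate configuration to drop the `set fmg` line from `config system central-management` (a backup stores the address as `set fmg "<address>"`, so removing that line is the file equivalent of `unset fmg`), leaves neighbouring settings untouched, and builds the `execute device replace sn` command only after checking that the new serial number is uppercase. The sample configuration, the 192.0.2.x addresses and the serial numbers are constructed placeholders; the `set fmg-source-ip` setting and the nested `config server-list` table in the sample are assumed FortiOS settings included only to show that the editor leaves them alone.

```python
import re

# Constructed sample of a FortiGate configuration backup (placeholder values,
# not taken from the article). 'set fmg-source-ip' and the nested
# 'config server-list' table are assumed FortiOS settings, present only to
# show that the editor leaves everything except 'set fmg' in place.
SAMPLE_CONFIG = """\
#config-version=FGVM64-0.0.0-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system global
    set hostname "FGVM0XXXXXXXXXXX"
end
config system central-management
    set type fortimanager
    set fmg "192.0.2.10"
    set fmg-source-ip 192.0.2.5
    config server-list
        edit 1
            set server-type update
            set server-address 192.0.2.20
        next
    end
end
config system interface
    edit "port1"
        set ip 192.0.2.5 255.255.255.0
    next
end
"""

# A 'set fmg <address>' line. The optional group requires whitespace right
# after 'fmg', so 'set fmg-source-ip ...' does not match.
FMG_LINE = re.compile(r"^set fmg(\s+.*)?$")

# Fortinet serial numbers use capital letters and the FortiManager command
# treats the argument case-sensitively, so anything else is rejected early.
SERIAL_RE = re.compile(r"[A-Z0-9]+")


def _fmg_line_indices(config_text):
    """Indices of 'set fmg ...' lines that sit directly inside
    'config system central-management'. A depth counter follows nested
    'config ... end' tables so an inner 'end' does not close the section."""
    hits, in_section, depth = [], False, 0
    for index, line in enumerate(config_text.splitlines()):
        text = line.strip()
        if not in_section:
            if text == "config system central-management":
                in_section, depth = True, 1
        elif text.startswith("config "):
            depth += 1
        elif text == "end":
            depth -= 1
            in_section = depth > 0
        elif depth == 1 and FMG_LINE.match(text):
            hits.append(index)
    return hits


def fmg_address_present(config_text):
    """True if the backup still carries a FortiManager address."""
    return bool(_fmg_line_indices(config_text))


def strip_fmg_from_config(config_text):
    """Return the backup with the FortiManager address removed (the file
    equivalent of 'unset fmg'); every other line is kept exactly as is."""
    drop = set(_fmg_line_indices(config_text))
    lines = config_text.splitlines(keepends=True)
    return "".join(line for index, line in enumerate(lines) if index not in drop)


def serial_is_valid(serial):
    """Accept only uppercase alphanumeric serial numbers."""
    return bool(SERIAL_RE.fullmatch(serial))


def build_replace_command(device_name, new_serial):
    """Build 'execute device replace sn <device name> <serial number>'."""
    if not device_name or any(ch.isspace() for ch in device_name):
        raise ValueError(f"device name must be a single token: {device_name!r}")
    if not serial_is_valid(new_serial):
        raise ValueError(f"serial must be uppercase alphanumeric: {new_serial!r}")
    return f"execute device replace sn {device_name} {new_serial}"


if __name__ == "__main__":
    cleaned = strip_fmg_from_config(SAMPLE_CONFIG)
    assert not fmg_address_present(cleaned)
    print(cleaned)
    print(build_replace_command("FGVM0XXXXXXXXXXX", "FGVM0YYYYYYYYYYY"))
```

Running the script prints the edited backup followed by the replace command for the placeholder serials. Only the `set fmg` line is removed, so the `set type fortimanager` setting survives and the restored unit is still in FortiManager mode when the management tunnel is re-established in step 5; calling `fmg_address_present` on the edited file before restoring it is a cheap pre-flight check.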

 

Sample Configuration:

FortiGate:

config system central-management
    unset fmg
end

FortiManager:

diagnose dvm device list
--- There are currently 1 devices/vdoms managed ---

TYPE            OID    SN               HA      IP              NAME                                 ADOM                                 IPS                FIRMWARE
fmg/faz enabled 158    FGVM0XXXXXXXXXXX -       10.5.60.3       FGVM0XXXXXXXXXXX                     root                                 6.00741 (regular)  5.0 MR4 (7605)
                |- STATUS: db: not modified; conf: out of sync; cond: unknown; dm: autoupdated; conn: down
                |- vdom:[3]root flags:1 adom:root pkg:[imported] FGVM0XXXXXXXXXXX

execute device replace sn FGVM0XXXXXXXXXXX FGVM0YYYYYYYYYYY  <Device name:FGVM0XXXXXXXXXXX> <Serial number: FGVM0YYYYYYYYYYY>

 

Note:

Make sure to follow the syntax 'exec device replace sn <device name> <serial number>':

FMG # execute device replace sn <device_name> <FGTXXXXXXXXXXXXX>
<Enter>