Description
This article describes how to upgrade an ADOM on FortiManager and how to perform basic troubleshooting in case of an ADOM upgrade failure.
Scope
FortiManager versions between 5.4.x and 7.4.x.
Solution
Prerequisites and Notes:
ADOM upgrade requires system level administrator permissions and access to the respective ADOM/s (eg., Super_User admin profile).
In the firmware versions within the scope of this article (5.4.x to 6.4.x), an ADOM can only be upgraded after all the devices within this ADOM have been upgraded.
Starting in FortiManager 7.0.1, the ADOM version can be upgraded without first updating all devices and the ADOM can manage N+1 devices during migration. This is something called mixed mode or migration mode.
Starting in FortiManager 7.4.2, it is possible to have one ADOM in 7.4 that can manage FortiOS in 7.0, 7.2, and 7.4.
When a FortiManager unit is upgraded, ADOMs are not upgraded automatically.
The ADOM upgrade operations have to be done separately after the FortiManager upgrade.
Although it is possible to manage FortiGates with different versions within the same ADOM, there are a few limitations:
The same view in CLI:
Select 'OK' in the confirmation dialog box to upgrade the device.
In the above/below picture the ADOM has been successfully upgraded.
The new ADOM version is then displayed in the 'Firmware Version' column.
Under version 6.4 and above select the ADOM that will be upgraded and go to More -> Upgrade
If all units within the ADOM are not already upgraded, the upgrade will be stopped and an error message will be shown.
The example below illustrates the failed ADOM upgrade: 'Please upgrade all devices to 5.6 before upgrading the ADOM'.
These CLI commands will help to localize and identify the root cause of the problem that prevents to upgrade of the ADOM.
In most cases, removing the concerned object/profile/interface allows to fix the issue and successfully upgrade the ADOM.
Another scenario can happen: many errors are preventing to upgrade of the ADOM.
Find the first error, then fix it and try to upgrade the ADOM: without success. In such a case, use the same method and CLI commands to identify the object/profile/interface causing the problem.
If the concerned object is used and/or important in the configuration (cannot be modified), contact Fortinet support for further assistance.
The ADOM upgrade debugging will always stop on the concerned error.
Below are some examples of FortiManager debugging after a failed ADOM upgrade:
Example 1:
--> commit copy firewall address.autoupdate.opera.com(soid=149) to dparent=1227, fail: err=-2, Name conflicts with an entry in wildcard FQDN address
name: autoupdate.opera.com ---> autoupdate.opera.com
subnet: 0.0.0.0 0.0.0.0 ---> 0.0.0.0 0.0.0.0
type: fqdn ---> fqdn
start-ip: 0.0.0.0 ---> 0.0.0.0
end-ip: 0.0.0.0 ---> 0.0.0.0
fqdn: autoupdate.opera.com ---> autoupdate.opera.com
associated-interface: any ---> any
wildcard: 0.0.0.0 0.0.0.0 ---> 0.0.0.0 0.0.0.0
cache-ttl: 0 ---> 0
color: 0 ---> 0
visibility: enable ---> enable
uuid: 2fe03af0-43b8-51ea-1233-d6844b291acd ---> 2fe03af0-43b8-51ea-1233-d6844b291acd
allow-routing: disable ---> disable
obj-id: 0 --->
Explanations of the previous error: By default, in 6.0 ADOM some firewall addresses have the same name as wildcard FQDN i.e.: 'autoupdate.opera.com', 'google-play', etc.
When upgrading to 6.2, it will hit the newly added check of not allowing firewall address to have the same name as a wildcard FQDN.
Only the 'Upgrade' option should be used for upgrading the Global Database to a higher version.
If the Global Database version is edited (modified) by selecting 'Edit' and then selecting either a higher or lower version, all data is deleted.
Related documents:
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.