FortiManager
farhanahmed
Staff
Article Id 309212
Description The article explains how to migrate firewall objects (using firewall address objects as the example) from an unmanaged FortiGate (FGT-A) to a FortiGate (FGT-B) that is managed by FortiManager.

The full list of firewall objects can be exported from the FortiGate CLI, but there is no built-in way to separate the objects that policies actually use from the unused ones, so a plain copy carries every stale object over to FGT-B.
Scope FortiManager, FortiGate.
Solution

There are two ways to achieve this:

  1. Via a script run on the FortiGate directly.
  2. Via a script run on the FortiManager ADOM database.

 

  1. Via a script run on the FortiGate directly:
  • Take the output of 'show firewall address' from FGT-A. This lists all the address objects.

 

1.png

 

  • Select the Download icon to download the config.
  • Remove the 'set uuid xxx' lines from the downloaded file. UUIDs are generated per device, and FGT-B assigns its own when the objects are created, so they should not be carried over.
    • Open the downloaded file in Notepad++.
    • Open the Search menu (Ctrl + F) and switch to the Mark tab.
    • Check 'Bookmark line' (if there is no Mark tab, update Notepad++ to a current version).
    • Enter the search term set uuid and select 'Mark All'.
    • Every line containing the search term is now bookmarked.
    • Go to Search -> Bookmark -> Remove Bookmarked Lines.

 

  • Copy the whole config starting from 'config firewall address' to the end.

Proceed with caution: take a backup of the FGT-B configuration first. Running this script overwrites the settings of any existing object on FGT-B that has the same name, because 'edit' on an existing name modifies that object instead of failing.

  • Paste the copied script into the CLI of FGT-B.
  • All the address objects are now created on FGT-B.
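The Notepad++ steps remove the UUIDs by hand, and, as the description notes, nothing on the FortiGate separates the objects that policies use from the ones that do not. The script below is an added example (not part of this article and not Fortinet tooling) that does both offline and produces the script used in this method and in the FortiManager script of the next one: it parses the output of 'show firewall address', 'show firewall addrgrp' and 'show firewall policy' from FGT-A pasted into one file, drops every 'set uuid' line, follows the srcaddr/dstaddr references of each policy through address groups (nested groups included), and emits a CLI script containing only the referenced objects, with each group placed after its members so the script applies in one pass. It goes beyond the article in that it also handles address groups and nested config blocks, not only plain address objects. DEFAULT_OBJECTS (names skipped because every FortiGate already has them) and SAMPLE_DUMP are assumptions constructed for the example.

```python
"""Strip UUIDs from FGT-A 'show' output and keep only the address objects its policies reference (added example, not Fortinet code)."""
import shlex

# Objects every FortiGate ships with; never re-created on FGT-B (assumed list, extend as needed).
DEFAULT_OBJECTS = {"all", "none"}


def parse_tables(dump):
    """{table: {entry: [body lines]}} for each top-level 'config ... end' block, 'set uuid' dropped."""
    tables, table, entry, depth = {}, None, None, 0
    for raw in dump.splitlines():
        line = raw.strip()
        if depth == 0 and line.startswith("config "):
            table, depth = line[7:], 1
        elif depth == 1 and line.startswith("edit "):
            entry, depth = shlex.split(line)[1], 2
            tables.setdefault(table, {})[entry] = []
        elif (depth, line) in ((1, "end"), (2, "next")):  # table or entry closed
            depth -= 1
        elif depth >= 2 and line:  # inside an entry; nested 'config ... end' blocks are kept verbatim
            depth += line.startswith("config ") - (line == "end")  # +1 on a nested open, -1 on its close
            if not line.startswith("set uuid "):  # FGT-B assigns its own UUIDs when the object is created
                tables[table][entry].append(raw.rstrip())
    return tables


def setting(body, key):
    """Values of 'set <key> ...' in an entry body, with FortiOS double quoting removed."""
    for line in body:
        parts = shlex.split(line)
        if len(parts) > 2 and parts[:2] == ["set", key]:
            return parts[2:]
    return []


def render(table, entries, names):
    # Re-emit the named entries of one table as a FortiOS CLI block.
    out = ["config " + table]
    for name in names:
        out += ['    edit "%s"' % name] + entries[name] + ["    next"]
    return "\n".join(out + ["end"])


def build_script(dump):
    """Return (CLI script for FGT-B, used object names, unused object names)."""
    tables = parse_tables(dump)
    addrs, groups = tables.get("firewall address", {}), tables.get("firewall addrgrp", {})
    used = {n for body in tables.get("firewall policy", {}).values()
            for n in setting(body, "srcaddr") + setting(body, "dstaddr")}
    stack = list(used)  # expand address groups transitively (nested groups included)
    while stack:
        for member in setting(groups.get(stack.pop(), []), "member"):
            if member not in used:
                used.add(member)
                stack.append(member)
    used -= DEFAULT_OBJECTS
    grp_order = []  # a group can only be created once all of its members exist
    def visit(name):
        if name in groups and name not in grp_order:
            for member in setting(groups[name], "member"):
                visit(member)
            grp_order.append(name)
    for name in [g for g in groups if g in used]:
        visit(name)
    script = render("firewall address", addrs, [a for a in addrs if a in used])
    script += "\n" + render("firewall addrgrp", groups, grp_order)
    return script, used, (set(addrs) | set(groups)) - used - DEFAULT_OBJECTS


# Constructed sample of FGT-A output (not from a real device).
SAMPLE_DUMP = """\
config firewall address
    edit "FGT-A_LAN"
        set uuid 5e3a0001-1111-51ee-9abc-000000000002
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "WebServer"
        set subnet 192.0.2.10 255.255.255.255
    next
    edit "OldLab"
        set subnet 172.16.99.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "DMZ-grp"
        set member "Servers"
    next
    edit "Servers"
        set member "WebServer"
    next
end
config firewall policy
    edit 1
        set srcaddr "FGT-A_LAN"
        set dstaddr "DMZ-grp" "all"
    next
end
"""

if __name__ == "__main__":
    script, used, unused = build_script(SAMPLE_DUMP)
    print(script + "\n# unused on FGT-A, not migrated: " + ", ".join(sorted(unused)))
```

Run it with python3 and redirect the output to a file, then paste that file into the FGT-B CLI (or into the FortiManager script in the next method). Only firewall policy srcaddr/dstaddr references are followed; objects used elsewhere (VIPs, local-in policies, proxy policies, SD-WAN rules and so on) are reported as unused, so review the reported names before deleting anything on FGT-A. Names a policy references that appear in neither the address nor the group dump (VIPs in dstaddr, for instance) are left out of the script silently.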

 

2.png

3.png

  2. Via a script run on the FortiManager ADOM database:

Proceed with caution: take a backup of the FortiManager configuration first. Running this script overwrites any existing objects with the same name in the ADOM, and those objects may already be used by other FortiGates in that ADOM.
The recommended way is to keep FGT-B in a separate ADOM.

 

  • Go to FortiManager -> Device Manager -> Scripts -> Create New.
  • Paste the same script prepared in the previous section.
  • Under Run Script on, select 'Policy Package or ADOM Database'. Select OK.

 

4.png

5.png

  • Select any policy package or keep 'default'. Select Run Now.

 

6.png

 

  • This creates all the objects in the FortiManager ADOM database. Verify them under Policy & Objects > Firewall Objects > Addresses:

7.png

 

  • Use the desired objects in a policy, either directly or through an address group: Creating policies
  • Install the policy package to FGT-B. Only the objects that the package references are pushed, so FGT-B is not cluttered with unused objects: Installing policy packages and device settings
  • In FortiManager, go to Policy & Objects > Tools and select 'Find Unused Objects'.

 

8.png

 

 

  • Select the unwanted objects and select 'Delete' (the default objects cannot be deleted).

 

9.png

 


Related articles:

Technical Tip: Creation and addition of bulk IP address objects.

Technical Tip: How to export VIP, address, services, ippool objects into Excel or CSV format.