To achieve the FortiNAC migration, it is necessary to perform the following steps:
- 'FortiNAC must be using perpetual Endpoint licenses (Support Type = License Support). To confirm, log in to the Customer Portal (https://support.fortinet.com) and review the Entitlements section for the Manager.' (Source: Overview FortiNAC v9.4.0).
- It is recommended to patch the CentOS version before upgrading the CentOS FortiNAC firmware (this step requires rebooting the standalone FortiNAC):
yum -y update
- Upgrade the single VM CentOS FortiNAC from 9.2.6 to 9.2.8 GA to meet the upgrade requirements. Check the single appliance overview. If the appliance already runs one of the firmware versions specified in the single appliance overview, skip this step.
- Contact Customer Service to have the Endpoint license contracts moved to the new serial number (Transfer Endpoint License Entitlements).
- It is necessary to create a new FortiNAC-OS next to the CentOS FortiNAC with the same specs, running firmware vF7.2.2 or greater for the migration tools (Appliance Installation).
- The FortiNAC-OS must be registered with the next-generation license ('FNC-CAX-VM').
- Configure the management IP for FortiNAC-OS via CLI (Appliance configuration).
- Import the 'FNC-CAX-VM' license to the newly deployed FortiNAC-OS (FortiNAC-F).
- Then, configure the ConfigWizard for FortiNAC-OS.
- Copy the bundleCentOSMigration tool from the FortiNAC-OS to CentOS FortiNAC.
- Gather the configuration and database of the CentOS FortiNAC server.
- Migrate the gathered logs from CentOS to the new FortiNAC-OS Server (Cutover to New Appliance).
Important note:
It is recommended to take a VM snapshot before each upgrade or migration step.
- Upgrade the single VM CentOS FortiNAC from v9.2.6 to v9.2.8 GA to meet the upgrade requirements.
- Select System -> Settings.
- Expand the Updates folder.
- Select System from the tree.
- Go to the System Update Settings section of the screen, and make sure Product Distribution Directory is set to Version_9_2 to upgrade from v9.2 to the latest v9.2.x.
- Then select Download.
- After the software file has been downloaded, select the Install button and Install Firmware v9.2.8 GA.

- The system has been upgraded to v9.2.8 GA:


- Now, after the upgrade of the legacy FortiNAC, build a new FortiNAC-OS VM with the same resources as the CentOS VM:
- Download the FortiNAC-F v7.2.5 GA from the support portal based on the hypervisor used. In this case, the OVA file 'FNAC_ESX-v7-build0101-FORTINET.ova' was downloaded.
- Upload the license file to the new FortiNAC-F VM and proceed with the initial configuration:

- Then, apply the initial configuration and reboot the VM.

- The new FortiNAC-F is running FortiNAC-OS, and the Appliance Type is FNVXCA:

- Copy the bundleCentOSMigration tool from the FortiNAC-OS to CentOS to create a compatible backup with FortiNAC-OS:
scp /path/to/file username@<CentOS eth0 IP>:/path/to/destination
fnac-f:~$ scp /bsc/campusMgr/bin/bundleCentOSMigration root@192.168.108.46:/bsc/campusMgr/bin
Important Note:
There is a bundleCentOSMigration embedded with CentOS FortiNAC Firmware v9.2.8 GA. However, it is necessary to overwrite the native bundle in CentOS with the v7.2.5 bundle using the scp command above. If the native bundle is used, it will show the following error when restoring on FortiNAC-OS:
Error migrating configuration: Bundle was created with an incompatible Firmware of the "bundleCentOSMigration" script Please create a new migration bundle using the script available on this system
Note: FortiNAC agent communication on version 9.2.8 and below worked on port 4567 without certificates. This is no longer supported; hence, during the migration, see the document 'FortiNAC - Persistent Agent Deployment and Configuration Version 7.2 F' for more information.
- Now run the bundleCentOSMigration command to back up the CentOS FortiNAC and wait for the Done message.
The resulting file is written to the /root directory using the naming convention centos-backup-<year>_<month>_<day>_<hr>_<min>_<sec>.zip.
Example below:
Bundling migration archive
zip warning: name not matched: /bsc/campusMgr/.licenseKeyHW
adding: bsc/campusMgr/bin/.cm_config (deflated 31%)
Done.
Archive is named centos-backup-2024_01_02_12_50_39.zip
bundleCentOSMigration
- Copy the CentOS backup .zip file to the new appliance. Log in to the FortiNAC-OS appliance CLI as admin and type:
fnac-f # execute enter-shell
fnac-f:~$ scp root@<CentOS eth0 IP address>:/root/<centos backup zip file> ./

Now shut down the CentOS FortiNAC VM and proceed with the migration (Cutover to New Appliance). Taking a VM snapshot at this stage is recommended.
Exit the shell and run the restore:
fnac-f:~$ exit
fnac-f # execute restore legacy-migrate local centos-backup-2024_01_02_12_50_39.zip
Successfully migrated configuration. System will now reboot shortly.
After the reboot, the FortiNAC-OS appliance will now have the CentOS appliance's IP address(es).
Log in to the FortiNAC-OS Administration UI using standard credentials at https://<CentOS IP>:8443.
Review the Dashboard to ensure the information is correct (the hostname has been migrated to the new FortiNAC-OS VM):
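A pre-cutover check for the bundle and copy steps above, as an added example that is not part of the original article or of Fortinet's tooling: it parses the bundleCentOSMigration output format shown earlier and verifies the copied archive before the CentOS VM is shut down. The function names, and the idea of recording a SHA-256 of the archive on the CentOS side before the scp, are assumptions.

```python
import hashlib
import io
import re
import zipfile

# Constructed sample of the tool output, in the format shown on the page.
SAMPLE_OUTPUT = """\
Bundling migration archive
zip warning: name not matched: /bsc/campusMgr/.licenseKeyHW
adding: bsc/campusMgr/bin/.cm_config (deflated 31%)
Done.
Archive is named centos-backup-2024_01_02_12_50_39.zip
"""

# Naming convention from the page: centos-backup-<year>_<month>_<day>_<hr>_<min>_<sec>.zip
NAME_RE = re.compile(r"centos-backup-\d{4}(?:_\d{2}){5}\.zip")


def parse_bundle_output(text):
    """Return (archive_name, warnings); raise if the run did not finish cleanly."""
    lines = [line.strip() for line in text.splitlines()]
    if "Done." not in lines:
        raise ValueError("no 'Done.' line: bundle did not complete")
    named = [line for line in lines if line.startswith("Archive is named ")]
    if not named:
        raise ValueError("archive name not reported")
    name = named[-1][len("Archive is named "):]
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"unexpected archive name: {name!r}")
    warnings = [line for line in lines if line.startswith("zip warning:")]
    return name, warnings


def verify_archive(data, expected_sha256):
    """Check a copied archive (bytes) against the hash taken on the source appliance."""
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        return "hash mismatch: archive changed or was truncated in transit"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            bad = archive.testzip()  # first member with a bad CRC, or None
    except zipfile.BadZipFile:
        return "not a readable zip archive"
    return f"corrupt member: {bad}" if bad else "ok"


if __name__ == "__main__":
    print(parse_bundle_output(SAMPLE_OUTPUT))
```

The returned warnings list surfaces lines such as the `.licenseKeyHW` "name not matched" message so they can be reviewed before the restore is run.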

Note:
As with other FortiOS products, the required services must be enabled on the appropriate interface, as shown below. Otherwise, FortiNAC NacOS will discard traffic for any service that was not enabled under the interface.
For example, if SNMP is not enabled under port1, FortiNAC NacOS discards any SNMP MAC Notification traps or SNMP Link Up/Down traps.
config system interface
    edit port1
        set ip 192.168.0.202/24
        set allowaccess dhcp dns fsso http-adminui https-adminui nac-agent nac-ipc ping radius radius-acct radius-local snmp ssh syslog
    next
    edit port2
        set allowaccess dhcp dns http https nac-agent ping snmp ssh syslog
    next
end
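One way to check a saved interface configuration against the services each port is expected to accept, as an added example that is not part of the original article or of FortiNAC itself. The REQUIRED policy, the sample configuration and the function names are assumptions made for illustration; the parser reads only the `config system interface` syntax shown above.

```python
# Constructed sample in the page's format: port2 does not enable snmp.
SAMPLE_CONFIG = """\
config system interface
    edit port1
        set allowaccess dhcp dns https-adminui nac-agent radius snmp ssh syslog
    next
    edit port2
        set allowaccess dhcp dns http nac-agent ping
    next
end
"""

# Assumption: which services each interface must accept is site policy.
REQUIRED = {"port1": {"radius", "snmp", "syslog"}, "port2": {"dhcp", "dns", "snmp"}}
PLAIN_HTTP = {"http", "http-adminui"}  # unencrypted HTTP services seen on the page


def parse_allowaccess(config_text):
    """Return {interface: set(services)} from the 'config system interface' block."""
    interfaces, stack, current = {}, [], None
    for raw in config_text.splitlines():
        words = raw.split()
        if words[:1] == ["config"]:
            stack.append(" ".join(words[1:]))  # track nesting of config blocks
        elif words[:1] == ["end"] and stack:
            stack.pop()
        elif stack != ["system interface"]:
            continue  # ignore other sections and nested sub-blocks
        elif words[:1] == ["edit"] and len(words) > 1:
            current = words[1].strip('"')
            interfaces[current] = set()
        elif current and words[:2] == ["set", "allowaccess"]:
            interfaces[current] = set(words[2:])
    return interfaces


def audit(config_text, required):
    """Per interface: (required services not enabled, HTTP services enabled)."""
    parsed = parse_allowaccess(config_text)
    report = {}
    for name, needed in required.items():
        enabled = parsed.get(name, set())
        report[name] = (sorted(needed - enabled), sorted(enabled & PLAIN_HTTP))
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, REQUIRED))
```

The first element of each tuple lists services whose traffic the interface would discard; the second lists plain-HTTP services that are enabled and worth reviewing.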
Note:
If a migration is not possible, the user can contact a Fortinet Sales representative or partner to schedule Professional Services and perform the VM transition.