Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

FG on 5.6 ADOM on 5.4

Hi All,

 

As I start upgrading FortiGates, I'll be in an interim configuration where some of the firewalls are on 5.6, but the ADOM is still on 5.4. What limitations are there in this configuration?

 

Is it still possible to provision new VDOMs on a 5.6 firewall?

Can I still pull migrated policy from a newly created VDOM on a 5.6 firewall?

 

Thanks

2 Solutions
Alexis_G
Contributor II

You are not supposed to use FMG with the FGTs upgraded to 5.6 (push policy).

If, while upgrading all FortiGates, there are some on 5.6 and some others on 5.4, you could directly edit policies on the 5.6 FGTs, and when you finally upgrade the ADOM you can retrieve configuration and policies from all FGTs.

Hope it helps

 

--------------------------------------------

If all else fails, use the force !


sw2090
Honored Contributor

I have done similar but from 5.6 to 6.0. Unfortunately FMG is screwed up on this. The only way to do this and not do anything completely anew is the way you wrote. Even TAC agrees with this but does not recommend it.

When I did this I completely lost all interface mappings in FMG first. TAC found a way to re-apply a backup to get them back. Still this sucks majorly. Seems to be a case Fortinet did not really consider :\

 

The recommended way would be to remove the FGT from the ADOM, upgrade it and put it into a new ADOM for the new firmware version. But this would require me to redo 100s of interface and address mappings and also it would create a load of useless policy packages. Also I would have to redo the complete default policy package for the new ADOM since you cannot export or import it. This is not what I understand in central management....


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
