Fortinet Forum
bamather
New Contributor

How do you do major upgrades to new version?

I have the following and am working on upgrading to 6.4 from 6.2. This is my first major upgrade and not sure the best way to go about it.

  • FortiGates on 6.2

  • FortiEMS & client 6.4

  • FAZ - 6.4 (with 6.2 adom)

  • FMG - 6.4 (with 6.2 adom)

My questions are:

  1. If I upgrade the FortiGate from 6.2 to 6.4 I will lose access to control with FMG until I upgrade the ADOM correct?

  2. Should I create a new 6.4 ADOM in FMG and remove the FortiGate from 6.2 adom and add to 6.4 adom after I update it? All my custom objects will have to be recreated if I create a new adom?

  3. Or do you update all the FortiGates (30 in my case) and then upgrade the adom?

  4. I want to upgrade them in a slow order (as we have people traveling on site). To get all 30 upgraded will take a couple months. Will it hurt to have the 6.4 FortiGate running on a 6.2 ADOM within FMG?

2 REPLIES
sw2090
Honored Contributor

1. I recommend using the upgrade path fortinet gives you to not lose anything or screw anything!

2. You do not lose the connection to FMG but you might not be able to deploy to 6.4 FGT unless you upgrade the adom. The adom though can only be upgraded if all FGT that are in it are upgraded to 6.4.

 

So upgrade your FGT to 6.4 according to the recommended upgrade path and do not deploy to them with FMG yet.

Once all FGT are upgraded, upgrade the adom to 6.4.

Now you can deploy again.

 

I did it that way to upgrade from 6.0 to 6.2 and from 6.2 to 6.4 (and in the nearer future I'll do 6.4 to 7.0) and it always worked fine.

I once asked TAC about this but the only other solution they had was to create a new 6.4 adom and transfer upgraded FGT to it. Which was no solution for me because you cannot transfer the policy package to another adom.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Debbie_FTNT
Staff

Hey bamather,

sw2090 already provided most of the answer.

In addition:

- you can keep the 6.4 FortiGates in the 6.2 ADOM

- you will not be able to push policy packages though (but scripts will still work)

- the FortiGates might show as out of sync/unknown/AutoUpdate, as there will be changes in CLI settings that the 6.2 ADOM can't handle

- you can't add new 6.4 FortiGates to the 6.2 ADOM

 

You could move the FortiGates to a new 6.4 ADOM, but you would have to import policy packages from the FortiGates again to build the ADOM database, and any objects that are NOT in use would not exist in the ADOM database (so you would have to manually copy them over).

There are ways to copy objects from one ADOM to another, but they are not the easiest.
See this KB for example: https://community.fortinet.com/t5/FortiManager/Technical-Note-How-to-move-objects-to-new-ADOM-on-For...
There is also a CLI command:
https://docs.fortinet.com/document/fortimanager/6.4.8/cli-reference/43841/fmpolicy#fmpolicy_clone-ad...

As an example, copying firewall address 'win-server-2019' from root VDOM to a different one:

[screenshot of the fmpolicy clone command for the 'win-server-2019' address object, not reproduced]

But there is no easy bulk clone/move/copy option that I'm aware of.


If you're familiar with FortiManager API and scripting you could leverage that to get all the objects from one ADOM and then post them to another, but there are no ready-made tools that I know of, sorry.

All of this is of course only a concern if there are specific changes you need to make while the FortiGates are being upgraded; if the already upgraded FortiGates don't require additional configuration/changes while in the 6.2 ADOM, you can just proceed with the upgrades as scheduled and then upgrade the ADOM once all FortiGates are at 6.4.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
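As an added example of the API route Debbie_FTNT describes (not a Fortinet tool and not code from this thread), the Python below reads every object of one type from a source ADOM over the FortiManager JSON-RPC API (`/jsonrpc`, login via `/sys/login/user`, objects under `/pm/config/adom/<adom>/obj/...`) and adds each one to a target ADOM, reporting the names that FortiManager rejected. The host, credentials, ADOM names and the set of generated fields that must be stripped before an `add` are assumptions; the object-type parameter generalizes the screenshot's firewall address case to other object paths such as `firewall/addrgrp`.

```python
import json
import ssl
import urllib.request
# Attributes FortiManager generates per ADOM; echoing them back in an "add" fails.
# Assumed list: extend it if your FortiManager version returns other generated fields.
GENERATED_FIELDS = {"oid", "uuid", "obj seq", "dynamic_mapping"}

def obj_url(adom, kind="firewall/address"):  # e.g. .../obj/firewall/address or firewall/addrgrp
    return f"/pm/config/adom/{adom}/obj/{kind}"

def build_login(user, passwd, req_id=1):
    return {"id": req_id, "method": "exec",
            "params": [{"url": "/sys/login/user", "data": {"user": user, "passwd": passwd}}]}

def build_get(adom, session, kind="firewall/address", req_id=2):
    return {"id": req_id, "method": "get", "session": session, "params": [{"url": obj_url(adom, kind)}]}

def prepare_for_add(objects):
    """Strip generated attributes so the source ADOM's objects are valid 'add' data."""
    return [{k: v for k, v in o.items() if k not in GENERATED_FIELDS} for o in objects]

def build_add(adom, session, objects, kind="firewall/address", req_id=3):
    return {"id": req_id, "method": "add", "session": session,
            "params": [{"url": obj_url(adom, kind), "data": prepare_for_add(objects)}]}

def failed_results(response):
    """Result entries whose status code is non-zero (FortiManager reports 0 on success)."""
    return [r for r in response.get("result", []) if r.get("status", {}).get("code") != 0]
def rpc(host, request):
    """POST one JSON-RPC request to https://<host>/jsonrpc; TLS verification stays on."""
    req = urllib.request.Request(f"https://{host}/jsonrpc", data=json.dumps(request).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)

def copy_objects(host, user, passwd, src_adom, dst_adom, kind="firewall/address"):
    """Copy every <kind> object from src_adom to dst_adom; return (count, names that failed)."""
    login = rpc(host, build_login(user, passwd))
    if failed_results(login):
        raise RuntimeError("FortiManager login failed")
    session, failed = login["session"], []
    try:
        objects = rpc(host, build_get(src_adom, session, kind))["result"][0]["data"]
        for obj in objects:  # one add per object so a duplicate name only fails that object
            if failed_results(rpc(host, build_add(dst_adom, session, [obj], kind))):
                failed.append(obj["name"])
        return len(objects), failed
    finally:
        rpc(host, {"id": 99, "method": "exec", "session": session, "params": [{"url": "/sys/logout"}]})
```

Run `copy_objects("fmg.example.internal", "api-user", "secret", "adom62", "adom64")` with a read-only check first (call `rpc` with `build_get` only) to confirm the account and ADOM names before writing anything.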