Fortinet Forum
sixarm
New Contributor

Upgrade Advice from 6.2.x to 6.4.x and Migrate to Azure

Hi,

We have a Fortinet environment as follows:

| Product | Type | Version |
| --- | --- | --- |
| FortiGate | VM64-Azure, 200E, 60E, 60F, 80F | 6.2.9 |
| FortiSwitch | 248E | 6.2.3 |
| FortiManager | VMware Appliance | 6.2.8 |
| FortiAnalyzer | Azure Appliance | 6.2.8 |
| FortiClient EMS | Windows Server 2012 R2 (VM) | 6.2.8 |
| FortiClient | Windows 10 | 6.2.9 |

We'd like to upgrade all products to the 6.4.x family, but also move FortiManager & FortiClient EMS into Azure, either as VM appliances or as Windows-based VMs where required. I see there is a FortiManager appliance in the Azure Marketplace but nothing for EMS for instance.

Three questions I have:

Firstly (and the big one!), what would be the best approach to this upgrade and migration including the order of events.

Secondly, can we go to higher versions with the management products (FA, FM, maybe EMS?) whilst maintaining support for the FortiGates running 6.4.x?

Depending on the answer to the second question: would there be any benefit in doing this vs sticking with an aligned 6.4.x version?

I will happily provide any further information if it's required.

Thanks in advance!

aback
Staff

Hi, in response to your questions:

Firstly (and the big one!), what would be the best approach to this upgrade and migration including the order of events.

- When upgrading, please always follow the release notes and upgrade path tool within the support portal, and always keep a copy of the backup file of each version as you step through the process.

- Moving FMG to public cloud can be done; migrating existing packages etc. can turn out complicated. If you have the option to start fresh, deploy the FMG in Azure, connect the FGTs to the FMG and import the current configs; this will start the cloud version where you left off with on-prem. Then archive and shut down the on-prem FMG and store it for backup.

- You can move the FMG license to cloud. If the IP address of the port1 NIC is going to change, log a call with customer services prior to the move to have the IP address changed in the license.

Secondly, can we go to higher versions with the management products (FA, FM, maybe EMS?) whilst maintaining support for the FortiGates running 6.4.x?

- Yes, the rule of thumb is to run FMG and FAZ the same as your highest FortiOS version or higher. Just take note that the older devices you may have are still supported within FMG; use this matrix for reference (https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/61c2bba0-a142-11eb-b70b-005056...)

Depending on the answer to the second question: would there be any benefit in doing this vs sticking with an aligned 6.4.x version?

- Yes, additional features and functions come with the later versions of FMG and FAZ; as your FortiOS upgrades, they can make use of these options from the management platform.

sixarm
New Contributor

Thank you so much for the reply.

With that information we will look to attack the upgrade using the following steps:

  1. Upgrade existing FAZ appliance in Azure from 6.2.8 to 6.4.7.
  2. Upgrade existing on-premise FMG appliance from 6.2.8 to 6.4.7.
  3. Deploy new 6.4.7 FMG appliance in Azure.
  4. Migrate on-premise configuration to Azure FMG appliance.
  5. Configure FortiGates to be managed by new Azure FMG appliance.
  6. Upgrade FortiGates from 6.2.9 to 6.4.8.
  7. Upgrade FortiSwitches to aligned version.
  8. Upgrade existing on-premise FortiClient EMS from 6.2.8 to 6.4.7.
  9. Deploy new 6.4.7 FortiClient EMS in Azure.
  10. Migrate on-premise configuration to EMS in Azure.
  11. Configure FortiClients to be managed by new EMS in Azure.
  12. Upgrade FortiClients from 6.2.9 to 6.4.7.

Does that seem like a solid plan?

If so, I have questions around a number of the steps:

Step 4) How do we perform a like-for-like FMG configuration migration?

Step 5) How do we point the FortiGates to the Azure FMG appliance?

Step 8) Is there an upgrade guide for EMS?

Step 10) How do we migrate the EMS configuration?

Step 11) How do we point the FortiClients to the Azure EMS?