Dear Community,
I need to decommission a FortiGate Cluster from FortiManager and before that, I would like to explore the recovery process when deleting it from Device Manager panel and the Policy Package.
1. is there any feature to backup/export all device settings (including advanced settings like dynamic interface binding) ir order to fast recovery in case of future demand (reinstall the cluster, audit..)?
2. Related to Policy Package, creating a new ADOM revision is the only and best practice to be used as recovery? or there is any chance to backup/recovery the Policy package related to this cluster only?
The goal here is to created secure points/fast recovery related to all settings from Device Manager and Policy Package to this individual Cluster only.
We know the FMG backups haven the entire settings for all devices but will take so long to be activated touching config for all devices and also there are considerable impacts during the procedure (set FMG as standalone, deactivate mgtm channel to all 60 FortiGates…and so on) that does not make sense for only 1 FGT cluster.
For final, in order to release FMG licenses immediately before delete it, is there any possibility to deactivated (not delete) the cluster?
#fortimanager #fmg
Any input is welcome and since now tks!
Solved! Go to Solution.
Hello,
The easiest way is to download the Fortigate revision from device manager. It is a full backup of the Fortigate that includes the configuration and the policies.
Hello @betodejj ,
There is no recovery process to retrieve the config once deleted the device from the Device Manager for Device Database. FMG backup only stored for managed devices only.
For Policy Package, even the device has been deleted from Device Manager, the Policy Package will remain stored in FMG backup config. In case need to use again the same Policy Package, the previous device deleted need to added back to FortiManager and edit the install target for the device.
Lastly, there is no deactivate functionality in FMG.
Hi @smkml ,
Thanks for the input here but the question here are the actions that can be done before delete the device in Device Manager Panel and also before delete the Policy Package and have a fast recovery point for Device Manager settings and Policy Package.
Let’s assume that I have deleted both (Device in Device Manager and Policy Package) and for some reason I need to rebuild/recovery the deleted FGT Cluster including Device Manager settings and Policy Package… please what are my options?
so far as I know, FMG backups are the only source that have the complete Device configurations and Policy Package BUT the procedure to rollback forces us to rollback the entire FMG config (impacting hundreds of mgmt devices) in order to rollback a single FGT Cluster…does not make sense to me.
I do see ADOM revisions as an option for the policy package here (creating a new revision and lock).. but it is still a huge action impacting the whole ADOM just because only 1 Policy Package..please is there any other option in order to backup this specific Policy Package only before delete it that can be used as recovery point?
Also, Device Manager Settings does not have revisions to be used but we could use the export tool in order to export the Mgmt Devices there BUT the export in json format does NOT include advanced configs like dynamic interfaces binding and so one.... that means.. deleting the FGT Cluster there I have no chance to rollback otherwise rollback the entire FMG config...
I will be happy to have your comments again, tks!
Hi @betodejj ,
There is an option to dump part of the ADOM DB or the whole DB except the backup that you could make.
https://docs.fortinet.com/document/fortimanager/7.4.2/cli-reference/43841/fmpolicy
Example:
gargamel-fmg-esx46 # execute fmpolicy print-adom-object 3 140 all
Dump all objects for category [firewall address] in adom [root]:
---------------
config firewall address
edit "SSLVPN_TUNNEL_ADDR1"
...
Best,
Created on 01-03-2024 02:49 AM Edited on 01-03-2024 02:50 AM
Hi @asrour, tks for the input here!
FGT revision is a good idea but how about the rebuild process?
It forces us to install a new FGT cluster, including reachability, push the backup revision and then perform a new scan and import the Policies into a new Policy Package.
Also, it will force us to rebuild manually all FMG advanced Device Settings like dynamic interfaces binding and so on… right?
What I am understanding here is that FMG does not provide a good/fast option to recovery settings from Device Manager and Policy Package when deleted… it will take time in case you need to to rebuild something even with the revision on hands..
I was looking for something more friendly and fast via FMG where we could backup/export a specific Policy Package and all Device Settings (including advanced) for a specific FGT Cluster and rebuild it in fast way.
Please if you know another and fast procedure to rebuild the revision backup in FMG I will be happy to have your comments!
a revision form FortiManger DeviceManager is just the same as if you took a backup on your Fortigate.You can simply use that to do a restore on your Fortigate and it does have its complete config back. However it would still have to be re-added to FMG and with that all the mappings will have to be redone in FMG before rolling it out again.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
when you import the Policies to Fortimanager, the mapping will be automatically created in Fortimanager
as far as I experienced FMG will only do interface mappings (normalized interfaces) upon importing a policy packag from a FGT but it will not do address object mappings. And if you have more than one FGT in an adom that uses that object you will need them.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.