Modnet
New Contributor

Fortigate - Migrate managed Fortiswitches and APs to new Fortigate

I have an existing FGT 200E (Standalone).  I just purchased 2 new FGT 200Fs.  I would like to add the new FGT pair to the existing network, and slowly move each FortiSwitch and FortiAP from being managed by the 200E over to being managed by the new 200F pair.  How do I go about adding the new FGTs to the network, and slowly move each device's mgmt over to the new FGTs?  Here is my topology.  Everything in the diagram is existing EXCEPT for the new FGT pair and 1024E switches they connect to.  Those are still in a box waiting to be deployed based on the direction I get here in this post.  

 

Campus Diagram.png

 

Brian Modlin
AEK
SuperUser

It is mainly by copying the content of "config switch-controller managed-switch", and any other customized config under "config switch-controller *".

Old FG and new FG should have the same firmware version, and once config migration is done then you can upgrade the firmware of the new one to the recommended version.

Also check this.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommendations-to-migrate-managed-FortiSw...

Hope it helps.

AEK
kaman
Staff

Hi,

 

Set Up New FGTs: Connect and configure management IPs for the FGT 200Fs.

Optional HA Setup: If needed, configure HA between the FGT 200Fs.

Migrate FortiSwitches:

  • Change each FortiSwitch's management to the new FGT 200F.
  • Verify configuration and test functionality.

Migrate FortiAPs:

  • Change each FortiAP's management to the new FGT 200F.
  • Verify configuration and test functionality.

Monitor: Ensure all devices operate correctly under the new management.

Decommission Old FGT: Consider removing the old FGT 200E once migration is complete.

Document Changes: Keep records and back up configurations.

 

 

Modnet
New Contributor

How do I do this:

"Change each FortiSwitch's management to the new FGT 200F.
Verify configuration and test functionality."

 

And, can I have both firewalls managing different switches at the same time? Also, how do I do this:


"Change each FortiAP's management to the new FGT 200F.
Verify configuration and test functionality."

Brian Modlin
Shashwati
Staff

Hello,

To migrate FortiSwitch from old FW to new FW:

 

  • The old FortiSwitch can be de-authorized, deleted and disconnected from the old firewall. Then, after connecting the switch to the new firewall and completing the process to get the FortiSwitch online and managed by the new FortiGate, the 'switch-controller' configuration can be copied from the old firewall to the new firewall. Alternatively, the switch-controller configuration can be copied to the new FortiGate first, even though the FortiSwitch(es) are not yet managed or connected to the new FortiGate. Follow up with the physical connection at the planned time for migration. 
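
Both replies above that describe copying the "config switch-controller" configuration from the old firewall rely on pulling those blocks out of a backup. The following is an added example, not code from the forum participants or from Fortinet: a small parser that extracts every top-level `config switch-controller *` block from a backup file's text and lists the managed switch IDs. The function names are hypothetical, the sample backup is constructed, and the parser assumes the backup has no multi-line quoted values containing lines that begin with `config` or consist of `end`.

```python
# Constructed sample of a FortiGate backup; the serial number and values are made up.
SAMPLE_BACKUP = '''\
config system global
    set hostname "FGT-200E"
end
config switch-controller managed-switch
    edit "S248EPTF00000001"
        set fsw-wan1-peer "fortilink"
        config ports
            edit "port1"
                set vlan "default"
            next
        end
    next
end
config switch-controller storm-control
    set rate 500
end
'''
MANAGED = "config switch-controller managed-switch"

def extract_sections(backup_text, prefix="config switch-controller "):
    """Return {header: block} for each top-level block whose header starts with prefix."""
    sections, block, header, depth = {}, [], None, 0
    for line in backup_text.splitlines():
        word = line.strip()
        if word.startswith("config "):
            if depth == 0 and word.startswith(prefix):
                header = word          # start capturing a matching top-level block
            depth += 1                 # nested "config" (e.g. "config ports") adds a level
        if header is not None:
            block.append(line)
        if word == "end":
            depth -= 1
            if depth == 0 and header is not None:
                sections[header] = "\n".join(block)
                header, block = None, []
    return sections

def managed_switch_ids(sections):
    """Switch IDs are the 'edit' entries directly under managed-switch (depth 1)."""
    ids, depth = [], 0
    for word in map(str.strip, sections.get(MANAGED, "").splitlines()):
        if word.startswith("config "):
            depth += 1
        elif word == "end":
            depth -= 1
        elif depth == 1 and word.startswith("edit "):
            ids.append(word[5:].strip('"'))
    return ids
```

Call `extract_sections()` on the text of a backup taken from the old unit and review the returned blocks before pasting them into the new FortiGate's CLI; `managed_switch_ids()` gives the list of switches to track during the move.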
Toshi_Esumi
SuperUser

I would be more concerned about the internet/wan side on the new FGT. To migrate the LAN side step-by-step, both FGTs need to have at least one internet/wan connection. You might be running SD-WAN on the current FGT. But the purpose of those three circuits is the same, I would move at least one of them to the new FGT, so that you can simply copy the wan side config as well as policies toward the internet to the new FGT. The wan interfaces for the circuits left on the current FGT would just stay down.
You don't want to create special path/policies to route the internet traffic from the new FGT back to the current FGT, which need to be removed at the end with some downtime.

Toshi
