I've seen similar questions asked, but never answered adequately, so I thought I would bring it up again.
We are using FGM 5.4, and have an ADOM with all our 5.2 FGT systems, objects and policies. We are about to introduce our first 5.4 FGT into the mix, which means we HAVE to create a new ADOM on the FGM (you can't mix major versions in the same ADOM). So we have created the new (empty) ADOM, and now need to somehow get all our existing objects into it.
One suggestion is to take a new FGT, downgrade it to 5.2, apply policies etc. from the 5.2 ADOM, upgrade the FGT back to 5.4, and then import it into the 5.4 ADOM. Hmmm. This might work if the policy we applied to the downgraded FGT contained ALL of the objects we need to transfer to the new 5.4 ADOM but....
FGM has this wonderful scripting interface, so there has to be (doesn't there??) a way to script dump the objects, policies etc. from our 5.2 ADOM and script import them all into the new 5.4 ADOM. I have looked here, and gone backwards and forwards through the FGM admin and cli manuals, and for the life of me I can't see how it can be done. With 5.4.1 about to appear on the download site, more and more organisations are going to be migrating/upgraded to the 5.4 line of code, and LOTS of people will want to do this. I was hoping that Fortinet would have put a knowledge base article up about this, but I can't see one.
Does anyone have a "howto" on how to do this??
Thanks in advance.
So just to clarify things, this is what I ended up doing.
Connect to the FMG CLI using a tool like putty.
Set putty to write all the output to a local log file.
Choose what objects you want to dump, and what ADOM you want to dump them from, then use a line like:
execute fmpolicy print-adom-object NZ5-2 140 all
which in my case will dump all the address objects (the 140) out of the adom called NZ5-2. These objects will be dumped to the putty session screen, and captured to the log file. This log file will contain the cli commands necessary to create all the objects you just dumped out.
When the command completes, stop the putty console log, which closes the log file.
Edit the putty log file to remove the command that you typed, which will be at the top of the file.
Also edit the putty log file to remove any commands that won't work during the import stage e.g. any reference to some of the dynamic objects, or where the syntax has changed between the old ADOM version and the new one (e.g. URL address objects). Save the putty log file using a name that means something to you.
Go to the FMG GUI, and select the ADOM you want to import the objects into. Select Device Manager. Click on the "Scripts" menu bar option. Click on Import, and fill out the form to import the edited putty log file you just created. You want to set the "Run Script On" selection to "Policy Package, ADOM Database". click on OK to import the script.
Right click on the script, and select Run, and it will prompt you "Run script on policy package" - select "default". Click OK. This will execute the script in the context of the ADOM, and hopefully it will complete ok. If it fails, you can look at the script log file and you can see where it failed (look at the end of the log file), then edit the script to fix the error and run again. NO items will be imported if the script contains an error, even if the error is on the last command in the script - an error causes the whole script to be rolled back.
You then have to "rinse and repeat" for each of the object types you want to import into the new ADOM.
I hope this helps some others...
Ross
Hello,
To populate new ADOM with objects you may dump content of the old ADOM using the CLI command:
execute fmpolicy print-adom-object ADOM_ID TABLE_ID all
Type question mark after "execute fmpolicy print-adom-object" to list ADOMs with their IDs and then again after choosing an ADOM to see list of objects.
For example:
execute fmpolicy print-adom-object 3 140 all
will list all "firewall address" objects from "root" ADOM
Then use output of this command as CLI script to populate new ADOM.
Alternatively use
execute fmpolicy print-adom-database 3
to dump whole ADOM in a text form and remove parts you don't necessarily need before populating an ADOM.
Best Regards,
Lukasz Korbasiewicz
Fortinet EMEA TAC Level 2
Fortinet NSE7 Certified
To reach support on call:
http://www.fortinet.com/support/contact_support.html
Hi Ross,
That's really nice, detailed step-by-step guide. Thanks for posting it here.
Best Regards,
Lukasz Korbasiewicz
Glad I could help. What we need now is for Fortinet to pick up this article, add some screen shots and turn it into a knowledge base article. Like a lot of stuff with the Fortinet products, there is a way of doing all sorts of cool stuff, but the manual is very dry and specific, and what we really need is a lot more "howto" type examples that cover the everyday activities that we need to do. The cookbook is a good start, but is nowhere near comprehensive enough.
Hi Ross.
Interesting feedback and detailed instructions... now... what about dynamic object mappings? How did you handle those?
I'm in the middle of a similar task: 5.2 ADOM with both 5.2 and 5.4 FGTs (because I started upgrading). As many FGTs will remain on 5.2 (60C), I need to split it up. My plan is this (besides backing up the whole config before starting):
What do you think about the above?
BR,
Flavio.
Guys, the "execute fmpolicy print-adom-object" command output comes without the core commands (config antivirus profile, config firewall address, etc.). The script doesn't work without these "core" commands. How do you run the script?
FMG 5.4:
FMG-VM64-HV # exec fmpolicy print-adom-object root ?
id <category name>
all "Dump all categories"
...
1420 "antivirus profile"
...
140 "firewall address"
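Ross's manual clean-up of the captured log (strip the typed command and the prompt lines, drop entries that will not import into the new ADOM, and add the "config" wrapper that the post above reports is missing from the dump) as an added Python example; it is not code from this thread or from Fortinet, and the dump layout in SAMPLE_LOG, the prompt format and the regexes are assumptions.

```python
import re

# Constructed sample of a captured PuTTY log; the dump format is assumed.
SAMPLE_LOG = """\
FMG # execute fmpolicy print-adom-object NZ5-2 140 all
edit "web-server-1"
    set subnet 10.1.2.10 255.255.255.255
next
edit "old-url-object"
    set type url
next
edit "lan-net"
    set subnet 10.1.0.0 255.255.0.0
next
FMG # 
"""

CMD_ECHO = re.compile(r"^\S*\s*#\s*(exec|execute)\s+fmpolicy\b")  # typed command echo
PROMPT = re.compile(r"^\S*\s*#\s*$")                              # bare CLI prompt


def split_entries(lines):
    """Group the dump into one list of lines per 'edit ... next' object."""
    entries, current = [], None
    for line in lines:
        if line.strip().startswith("edit "):
            current = [line]
        elif current is not None:
            current.append(line)
            if line.strip() == "next":
                entries.append(current)
                current = None
    return entries


def clean_putty_log(text, table, drop_patterns=()):
    """Return (script_text, dropped_entry_names) ready for Scripts > Import.
    table wraps the entries when the dump lacks a 'config' line (e.g.
    "firewall address" for category 140); entries matching drop_patterns
    are left out, as Ross did for objects whose syntax changed."""
    lines = [l.rstrip() for l in text.splitlines()]
    body = [l for l in lines if not CMD_ECHO.match(l) and not PROMPT.match(l)]
    header = [l for l in body if l.strip().startswith("config ")]
    kept, dropped = [], []
    for entry in split_entries(body):
        if any(re.search(p, "\n".join(entry)) for p in drop_patterns):
            dropped.append(entry[0].strip())
        else:
            kept.extend(entry)
    script = [header[0] if header else "config " + table] + kept + ["end"]
    return "\n".join(script) + "\n", dropped
```

Review the returned dropped list before importing, since the whole script is rolled back on any error.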