Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Manually migrating Fortigate Config to Fortimanage...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Manually migrating Fortigate Config to Fortimanager
Hi,
I have a Fortigate firewall managed by Fortimanager, and I built a VPN directly on the firewall, rather than using the Fortimanager VPN manager tool. When I tried to import the updated FGT config into the Fortimanager, There is an issue with ADOM / FGT compatability.
ADOM is version 7.0, and the FGT is 6.4.6. (Im not in a position to upgrade FGT for now).
I can push a policy OK. So basically without being able to sync my changes to the FGM, any policy push, is going to overwrite and wipe the VPN.
Can anyone advise if its possible to take the VPN config, routes, policy etc from FGT.. and copy them in via CLI or script on the Fortimanager? Or is it just a matter of redoing the VPN via FGM VPN manager tool?
The VPN is in production now, so id prefer not impact things if at all possible.
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey FortiDave,
it would be pretty convoluted, true.
Regarding the VPN Manager on FortiManager, yes, it provides roughly the same benefit.
-> it automatically creates the VPN tunnels, routing, interfaces, etc
-> you would have to manually create the policies though
-> if you go for a full-mesh between multiple FortiGates, you only have to add the FortiGates a single time and tunnels will be created automatically between each node
-> https://docs.fortinet.com/document/fortimanager/6.4.0/examples/556949/configuring-a-full-mesh-vpn-to... for example
-> https://docs.fortinet.com/document/fortimanager/6.4.8/administration-guide/770750/overview
Regarding importing the FortiGate again post-upgrade:
- FortiManager should ignore the VPN and only have an interface and policy for it
-> the VPN will NOT show in VPN manager
- if the VPN is not properly mapped to interfaces/policies FortiManager might try to delete it, so check the installation preview carefully
In principle, if you are going to use FortiManager extensively, and are planning to do centralized VPN management with FortiManager, I would suggest recreating the tunnels in FortiManager VPN manager and replacing the configuration existing on FortiGate to get the VPN better integrated into policy packages and central management, but if you just have the few VPNs and don't plan any major changes or additions, you can also just leave it as is.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey FortiDave,
It's not possible to copy the FGT config via CLI to FortiManager.
You could maybe get away with some scripting to ADOM database, but that would be a bit tricky.
You can also manually rebuild the policies in FortiManager to line up with current FortiGate configuration.
The main points would be:
- you need some interface objects in ADOM database that map to the FortiGate VPN interfaces
-> these almost certainly need to be created manually
-> as long as FortiGate updated its own config to FortiManager device manager, you should be able to map the ADOM interface object to the VPN tunnel
-> do you see the tunnel interfaces in Device Manager? If not, you could retrieve the configuration (import to just Device Manager level, no ADOM DB shenanigans)
Once you have the interfaces mapped, everything else should be fairly straightforward
-> ensure you have the policy-relevant objects in place (addresses/users/groups/etc); these should be simple to script by copy&pasting from FGT config
-> either script (not sure if this will work) or manually recreate the VPN policies with the appropriate ADOM interface object (that maps to the FGT VPN interface)
After this, start an installation and check in the Preview what FMG is trying to do; I believe it should NOT try to remove the VPN anymore (given that it's attached to an in-use interface), though it might try to delete and recreate the policies around it
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Debbie, appreciate the detailed response.
Seems a bit confaluted for the time I have. Ill probably just rebuild the VPN from FGM and push / overwrite current config.
Two questions, if you can help..
I like to use the FGT VPN wizard directly on the firewall as it builds the routes, interfaces, policy automatically. Does the VPN Manager on FGM provide the same benefits, or is it a more manual process?
Also, if I was to upgrade the FGT inline with ADOM, and re-import configuration, does all the VPN config / settings migrate nicely, or is there still a manual process involved?
Im trying to gage if it was just a bad idea doing direct on FW, regardess of the ADOM mismatch.
Thanks again.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey FortiDave,
it would be pretty convoluted, true.
Regarding the VPN Manager on FortiManager, yes, it provides roughly the same benefit.
-> it automatically creates the VPN tunnels, routing, interfaces, etc
-> you would have to manually create the policies though
-> if you go for a full-mesh between multiple FortiGates, you only have to add the FortiGates a single time and tunnels will be created automatically between each node
-> https://docs.fortinet.com/document/fortimanager/6.4.0/examples/556949/configuring-a-full-mesh-vpn-to... for example
-> https://docs.fortinet.com/document/fortimanager/6.4.8/administration-guide/770750/overview
Regarding importing the FortiGate again post-upgrade:
- FortiManager should ignore the VPN and only have an interface and policy for it
-> the VPN will NOT show in VPN manager
- if the VPN is not properly mapped to interfaces/policies FortiManager might try to delete it, so check the installation preview carefully
In principle, if you are going to use FortiManager extensively, and are planning to do centralized VPN management with FortiManager, I would suggest recreating the tunnels in FortiManager VPN manager and replacing the configuration existing on FortiGate to get the VPN better integrated into policy packages and central management, but if you just have the few VPNs and don't plan any major changes or additions, you can also just leave it as is.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks again Debbie. That really clears a lot up.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if you change anything in the config on the FGT and not via FMG you have to da a retrieve config in FMG device manager afterwards to have FMG take over the changes. Otherwise they might indeed be overwritten since deploying a policy package will always also deploy the device config.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,700 -
FortiClient
1,763 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
432 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiGate-VM
13 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1713 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.