- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Manually migrating Fortigate Config to Fortimanage...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Manually migrating Fortigate Config to Fortimanager
Hi,
I have a Fortigate firewall managed by Fortimanager, and I built a VPN directly on the firewall, rather than using the Fortimanager VPN manager tool. When I tried to import the updated FGT config into the Fortimanager, There is an issue with ADOM / FGT compatability.
ADOM is version 7.0, and the FGT is 6.4.6. (Im not in a position to upgrade FGT for now).
I can push a policy OK. So basically without being able to sync my changes to the FGM, any policy push, is going to overwrite and wipe the VPN.
Can anyone advise if its possible to take the VPN config, routes, policy etc from FGT.. and copy them in via CLI or script on the Fortimanager? Or is it just a matter of redoing the VPN via FGM VPN manager tool?
The VPN is in production now, so id prefer not impact things if at all possible.
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey FortiDave,
it would be pretty convoluted, true.
Regarding the VPN Manager on FortiManager, yes, it provides roughly the same benefit.
-> it automatically creates the VPN tunnels, routing, interfaces, etc
-> you would have to manually create the policies though
-> if you go for a full-mesh between multiple FortiGates, you only have to add the FortiGates a single time and tunnels will be created automatically between each node
-> https://docs.fortinet.com/document/fortimanager/6.4.0/examples/556949/configuring-a-full-mesh-vpn-to... for example
-> https://docs.fortinet.com/document/fortimanager/6.4.8/administration-guide/770750/overview
Regarding importing the FortiGate again post-upgrade:
- FortiManager should ignore the VPN and only have an interface and policy for it
-> the VPN will NOT show in VPN manager
- if the VPN is not properly mapped to interfaces/policies FortiManager might try to delete it, so check the installation preview carefully
In principle, if you are going to use FortiManager extensively, and are planning to do centralized VPN management with FortiManager, I would suggest recreating the tunnels in FortiManager VPN manager and replacing the configuration existing on FortiGate to get the VPN better integrated into policy packages and central management, but if you just have the few VPNs and don't plan any major changes or additions, you can also just leave it as is.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey FortiDave,
It's not possible to copy the FGT config via CLI to FortiManager.
You could maybe get away with some scripting to ADOM database, but that would be a bit tricky.
You can also manually rebuild the policies in FortiManager to line up with current FortiGate configuration.
The main points would be:
- you need some interface objects in ADOM database that map to the FortiGate VPN interfaces
-> these almost certainly need to be created manually
-> as long as FortiGate updated its own config to FortiManager device manager, you should be able to map the ADOM interface object to the VPN tunnel
-> do you see the tunnel interfaces in Device Manager? If not, you could retrieve the configuration (import to just Device Manager level, no ADOM DB shenanigans)
Once you have the interfaces mapped, everything else should be fairly straightforward
-> ensure you have the policy-relevant objects in place (addresses/users/groups/etc); these should be simple to script by copy&pasting from FGT config
-> either script (not sure if this will work) or manually recreate the VPN policies with the appropriate ADOM interface object (that maps to the FGT VPN interface)
After this, start an installation and check in the Preview what FMG is trying to do; I believe it should NOT try to remove the VPN anymore (given that it's attached to an in-use interface), though it might try to delete and recreate the policies around it
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Debbie, appreciate the detailed response.
Seems a bit confaluted for the time I have. Ill probably just rebuild the VPN from FGM and push / overwrite current config.
Two questions, if you can help..
I like to use the FGT VPN wizard directly on the firewall as it builds the routes, interfaces, policy automatically. Does the VPN Manager on FGM provide the same benefits, or is it a more manual process?
Also, if I was to upgrade the FGT inline with ADOM, and re-import configuration, does all the VPN config / settings migrate nicely, or is there still a manual process involved?
Im trying to gage if it was just a bad idea doing direct on FW, regardess of the ADOM mismatch.
Thanks again.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey FortiDave,
it would be pretty convoluted, true.
Regarding the VPN Manager on FortiManager, yes, it provides roughly the same benefit.
-> it automatically creates the VPN tunnels, routing, interfaces, etc
-> you would have to manually create the policies though
-> if you go for a full-mesh between multiple FortiGates, you only have to add the FortiGates a single time and tunnels will be created automatically between each node
-> https://docs.fortinet.com/document/fortimanager/6.4.0/examples/556949/configuring-a-full-mesh-vpn-to... for example
-> https://docs.fortinet.com/document/fortimanager/6.4.8/administration-guide/770750/overview
Regarding importing the FortiGate again post-upgrade:
- FortiManager should ignore the VPN and only have an interface and policy for it
-> the VPN will NOT show in VPN manager
- if the VPN is not properly mapped to interfaces/policies FortiManager might try to delete it, so check the installation preview carefully
In principle, if you are going to use FortiManager extensively, and are planning to do centralized VPN management with FortiManager, I would suggest recreating the tunnels in FortiManager VPN manager and replacing the configuration existing on FortiGate to get the VPN better integrated into policy packages and central management, but if you just have the few VPNs and don't plan any major changes or additions, you can also just leave it as is.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks again Debbie. That really clears a lot up.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if you change anything in the config on the FGT and not via FMG you have to da a retrieve config in FMG device manager afterwards to have FMG take over the changes. Otherwise they might indeed be overwritten since deploying a policy package will always also deploy the device config.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Related Posts
- Migration of NAT/PAT rules from a... 76 Views
- Connect Fortigate to internet with 2... 167 Views
- Automation scripts in TCL 86 Views
- FortiSASE SPA Deployment 98 Views
- How to Migrate VLANs to Virtual... 245 Views
Labels
-
FortiGate
6,438 -
FortiClient
1,282 -
5.2
801 -
5.4
639 -
FortiManager
560 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
330 -
FortiAP
325 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
IPsec
63 -
Wireless Controller
57 -
SSL-VPN
52 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
17 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
Traffic shaping
8 -
Virtual IP
8 -
RADIUS
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
NAT
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiAuthenticator
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
Intrusion prevention
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.