Hi,
We have a Fortinet environment as follows:
Product | Type | Version |
---|---|---|
FortiGate | VM64-Azure, 200E, 60E, 60F, 80F | 6.2.9 |
FortiSwitch | 248E | 6.2.3 |
FortiManager | VMware Appliance | 6.2.8 |
FortiAnalyzer | Azure Appliance | 6.2.8 |
FortiClient EMS | Windows Server 2012 R2 (VM) | 6.2.8 |
FortiClient | Windows 10 | 6.2.9 |
We'd like to upgrade all products to the 6.4.x family, but also move FortiManager & FortiClient EMS into Azure, either as VM appliances or as Windows-based VMs where required. I see there is a FortiManager appliance in the Azure Marketplace but nothing for EMS for instance.
Three questions I have:
Firstly (and the big one!), what would be the best approach to this upgrade and migration including the order of events.
Secondly, can we go to higher versions with the management products (FA, FM, maybe EMS?) whilst maintaining support for the FortiGates running 6.4.x?
Depending on the answer to the second question: would there be any benefit in doing this vs sticking with an aligned 6.4.x version?
I will happily provide any further information if it's required.
Thanks in advance!
Hi, in response to your questions:
Firstly (and the big one!), what would be the best approach to this upgrade and migration including the order of events.
- When upgrading, please always follow the release notes and the upgrade path tool within the support portal, and always keep a copy of the backup file of each version as you step through the process.
- Moving FMG to public cloud can be done. Migrating existing packages etc. can turn out complicated. If you have the option to start fresh, deploy the FMG in Azure, connect the FGTs to the FMG and import the current configs; this will start the cloud version where you left off with on-prem. Then archive and shut down the on-prem FMG and store it for backup.
- You can move the FMG license to cloud. If the IP address of the port1 NIC is going to change, log a call with customer services prior to the move to have the IP address changed in the license.
Secondly, can we go to higher versions with the management products (FA, FM, maybe EMS?) whilst maintaining support for the FortiGates running 6.4.x?
- Yes, the rule of thumb is to run FMG and FAZ at the same version as your highest FortiOS version or higher. Just take note that any older devices you may have are still supported within FMG; use this matrix for reference (https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/61c2bba0-a142-11eb-b70b-005056...)
Depending on the answer to the second question: would there be any benefit in doing this vs sticking with an aligned 6.4.x version?
- Yes, additional features and functions come with the later versions of FMG and FAZ. As your FortiOS upgrades, they can make use of these options from the management platform.
Created on 01-06-2022 05:31 AM Edited on 01-06-2022 05:32 AM
Thank you so much for the reply.
With that information we will look to attack the upgrade using the following steps:
Does that seem like a solid plan?
If so, I have questions around a number of the steps:
Step 4) How do we perform a like-for-like FMG configuration migration?
Step 5) How do we point the FortiGates to the Azure FMG appliance?
Step 8) Is there an upgrade guide for EMS?
Step 10) How do we migrate the EMS configuration?
Step 11) How do we point the FortiClients to the Azure EMS?