This article describes how to replace a FortiGate unit in the FortiManager configuration following an RMA hardware replacement. This procedure ONLY applies to replacing a FortiGate with another FortiGate of the identical model. (If upgrading a FortiGate to a different model, the new unit must be added to FortiManager as a new device.)
The procedure is intended for standalone (non-HA) units and does not need to be followed for devices in an HA cluster. It is not applicable to the RMA of a master unit, because the functional slave unit is always promoted to master during the failover. A FortiGate slave unit is replaced following the regular FortiGate replacement procedure (whether managed by a FortiManager or not). Once it is replaced, a simple Device Manager "Refresh" connectivity action is sufficient for the new serial number to be displayed in the FortiManager Device Manager System Information dashboard.
Solution
1) From the FortiManager Device Manager tab, download the latest Revision History configuration file for the FortiGate unit that is being replaced. This configuration will be restored on the new replacement device.
2) Edit the FortiGate configuration file to remove the FortiManager IP address from the "central-management" section (see below). This is necessary to prevent the FortiGate from registering itself as a 'new' device in the FortiManager "Unregistered Devices" section once the configuration is restored on the unit. In the backup file the address is stored as a set fmg "<FortiManager IP>" line under that section; deleting that line is equivalent to running the following on the FortiGate CLI:
config system central-management
    unset fmg
end
3) Restore this modified configuration file directly on the new FortiGate device.
4) On the FortiManager, replace the serial number recorded for the original FortiGate with the new device's serial number, using the commands below. The first command lists the managed devices so that the device name and the currently recorded serial number can be confirmed; the second performs the replacement:
# diagnose dvm device list
# execute device replace sn <device name> <serialnum>
Note: <serialnum> is case-sensitive (the letters in Fortinet product serial numbers are upper case).
5) Perform a Device Manager connectivity check or Refresh to establish the FGFM management tunnel to the FortiGate. If the tunnel fails to establish, it can be forced by executing the following command on the FortiManager:
# execute fgfm reclaim-dev-tunnel <device name>
Sample Configuration:
FortiGate:
config system central-management
    unset fmg
end
FortiManager:
# diagnose dvm device list
--- There are currently 1 devices/vdoms managed ---
TYPE             OID  SN                HA  IP         NAME              ADOM  IPS                FIRMWARE
fmg/faz enabled  158  FGVM0XXXXXXXXXXX  -   10.5.60.3  FGVM0XXXXXXXXXXX  root  6.00741 (regular)  5.0 MR4 (7605)
  |- STATUS: db: not modified; conf: out of sync; cond: unknown; dm: autoupdated; conn: down
  |- vdom:[3]root flags:1 adom:root pkg:[imported] FGVM0XXXXXXXXXXX
# execute device replace sn FGVM0XXXXXXXXXXX FGVM0YYYYYYYYYYY
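The file edit in step 2 and the serial-number check in step 4, as an added shell example that is not part of the Fortinet article: it strips the FortiManager address from the central-management block of an unencrypted FortiGate backup file (leaving the rest of the block, including fmg-source-ip, untouched) and rejects a lower-case serial before it would be passed to "execute device replace sn". The function names, the sample backup and the 10.5.60.1 FortiManager address in it are constructed for illustration and are not from the article.

```shell
#!/bin/sh
# Added example, not from the Fortinet article. Assumes an unencrypted
# (plain-text) FortiGate configuration backup. Function names are hypothetical.

# strip_fmg <in> <out>: copy the backup to <out>, dropping every "set fmg ..."
# line that sits inside "config system central-management". Everything else,
# including "set fmg-source-ip" in the same block, is kept verbatim.
strip_fmg() {
    awk '
        /^config system central-management$/ { inblk = 1 }
        inblk && /^[ \t]*set fmg /            { next }   # FortiManager address
        inblk && /^end$/                      { inblk = 0 }
        { print }
    ' "$1" > "$2"
}

# count_fmg <file>: number of "set fmg" lines inside central-management;
# expected to be 1 before the edit and 0 after it.
count_fmg() {
    awk '
        /^config system central-management$/ { inblk = 1 }
        inblk && /^[ \t]*set fmg /            { n++ }
        inblk && /^end$/                      { inblk = 0 }
        END { print n + 0 }
    ' "$1"
}

# valid_sn <serial>: Fortinet serial numbers are upper-case letters and digits.
# "execute device replace sn" is case-sensitive, so refuse lower-case input.
valid_sn() {
    case "$1" in
        "" | *[!A-Z0-9]*) return 1 ;;
        *)                return 0 ;;
    esac
}

# make_sample <file>: write a constructed (not real) backup for demonstration.
make_sample() {
    cat > "$1" <<'EOF'
config system global
    set hostname "FGVM0XXXXXXXXXXX"
end
config system central-management
    set type fortimanager
    set fmg "10.5.60.1"
    set fmg-source-ip 10.5.60.3
end
config system interface
    edit "port1"
        set ip 10.5.60.3 255.255.255.0
    next
end
EOF
}

# Demonstration on the constructed sample.
in=$(mktemp) && out=$(mktemp)
make_sample "$in"
strip_fmg "$in" "$out"
printf 'set fmg lines before: %s, after: %s\n' "$(count_fmg "$in")" "$(count_fmg "$out")"
for sn in FGVM0YYYYYYYYYYY fgvm0yyyyyyyyyyy; do
    if valid_sn "$sn"; then echo "$sn: ok"; else echo "$sn: rejected (use upper case)"; fi
done
rm -f "$in" "$out"
```

Run it against the real backup with strip_fmg original.conf edited.conf and confirm count_fmg edited.conf prints 0 before restoring the file in step 3; if the backup was taken with encryption enabled, decrypt it on a FortiGate first, since the script only understands the plain-text format.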
Copyright 2024 Fortinet, Inc. All Rights Reserved.