FAZ and Fabric Migration to Different FAZ Hardware
We've got a small setup with two locations, a FAC, FAZ, and FGT at the main location, and a FGT at the branch location (IPsec connection), set up for 6.0.x security fabric.
I'm replacing the FAZ 200D with a FAZ 200F (so we can be set to move to 6.2.x later) and haven't been able to find consistent documentation on how to move over to it. Would really appreciate any comments or suggestions. Here's what I've worked out so far, which is:
Put both FAZ at 6.0.8, and config the 200F with basic network and different IP
I assume I need to activate registration/license for the new FAZ before proceeding?
From the old FAZ, "exec backup logs all ftp", and also save a non-password protected config to scp/sftp location
Use "exec migrate all-settings" per https://kb.fortinet.com/kb/documentLink.do?externalID=FD41305 to load the old config to the new FAZ, but without any system settings. I'm assuming/hoping that this gets me all the devices without me having to separately export and import devices, but I'm not sure how that's supposed to work if ADOMs don't come over with these settings. Anybody know specifically what this does or doesn't move over?
Restore all the system settings by hand, which looks like it involves not just network settings, but ADOMs, storage settings, all admins and users, remote auth server (we're hooked up to a FAC with RADIUS), CA certs, and more. Any hints on how to best do this would be appreciated.
On the new FAZ, use "exec restore logs all ftp" to pull in the old logs. But I haven't been able to confirm if this command pulls over non-archived logs in the indexed db or if I need to fetch them?[/ul]
After getting the new FAZ set up, the next question is what is the best method for switching the FortiGates to it?
I could set the new FAZ to have the same IP as the old one, but I'm betting the FortiGate would see that as a security error. Or I can point the root FortiGate at the new FAZ IP, which should filter down to the branch FortiGate, though I assume I probably need to also accept it on the FAZ side again? If use the new FAZ IP, I will need to change my security policies for IPsec to allow the logs through to the new IP, etc.
Only after all this is up and stable for a while would I then upgrade the FAZ to 6.2.x.
So, what am I missing and are there easier ways to do this?
Also, will this method bring over my custom reports, custom datasets, custom event handlers, etc.?
Finished this and want to pass on what worked when transferring to different new FAZ hardware.
Put both FAZ at the same firmware version and set up an admin user, IPs and static routes for the new FAZ.
Register the new FAZ license with Fortinet.
exec backup all-settings sftp from the old FAZ.
Enable/Disable ADOMs on the new FAZ to match the old FAZ! Without this migrating settings will bork your setup and you'll need to reset it.
exec migrate all-settings sftp on the new FAZ. This will pull over ADOMs, devices, storage info, custom log views, custom event handlers, reports, charts and datasets.
Migration will not pull over remote auth servers, users, certs, mail settings (even though it pulled over the event handlers that refer to these mail settings), NOC/SOC dashboards, network settings, syslog forwarding, etc.
Config all the above items that were not pulled over
Set up log forwarding from the old FAZ to the new FAZ (or log aggregation if your FAZ supports it - mine didn't).
Under System > Fetcher Management, on the new FAZ, do a request for each ADOM to pull over all the relevant historical devices logs, then confirm the request on the old FAZ. Wait for all the ADOMs to be rebuilt on the new FAZ.
Go to your root FortiGate and set it to point to the new FAZ. Do this from the Security Fabric settings if you use the Fabric.
If you're using the Fabric this will percolate to all the Fortinet devices, if not you need to go to each one and point it to the new FAZ
Change all your other devices (FortiAuthenticator, syslog, etc.) to point to the new FAZ
Leave the old FAZ up for a while to verify it doesn't get logs from something you forgot about.[/ul]