Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
packetninja
New Contributor

Created on ‎04-18-2024 12:11 AM

FortiMangaer and FGT Hub migration issues considerations/gotchas

Hi,

 

We have one existing cloud tenant where we have one FGT firewall acting as VPN hub and Forti Manager. we have about 8 branches with FortiGate firewalls. All of the firewalls are managed by the Forti Manager in the cloud using private ip addresses that are traversing via VPN tunnels that are currently established using VPN manager of the Forti manager using star topology. (Diagram pasted below)

 

fortigate-hub-spoke.drawio.png

 

Cloud B is new setup and currently isolated. We have to build FortiGate firewall in cloud B to be used as new HUb and we also need to install Forti Manager in cloud B to be used as FortiManager for existing and new set of firewalls.

The problem is I don't understand how do we initiate this and what are the key challenges that we are going to face. 

 

here is my understanding so far and i want anybody to help me send into the right direction. 

 

1. install Fortigate in new cloud

2. Install Forti Manager in new cloud

3. Add FortiGate in new cloud to existing Forti Manager into the VPN topology as second hub so that all firewall will get reachability to new Forti Manager (this will be required for Forti Manager migration (i am not sure if this is possible to have second hub as our current VPN setup is kind of star topology without BGP or ADVPN and all the spoke talk through hub to each other and HQ and the resources in Cloud A. )

4. Once the new firewall in Cloud A has been added to existing FOrti Manager and VPN tunnels are up from each branch to new hub as well as old hub with different protected subnets for each hub, we will take backup of existing Forti manager using exe migrate command and will restore the backup on the new FOrti Manager. 

5. At this point all firewall should have reachability to new Forti Manager IP and new Forti Manager should be able to access all the firewalls. 

6. We will change IP of manager on each firewall to new manager and restart fgfm process to make those firewall start connecting to new Manager. Since all policy data and everything was restored from old Forti Manager there shouldn't be a problem? (please correct me if I am wrong)

 

or we can add Cloud B firewall as spoke if there are challenges of having two hubs in this topology in the current Manager and VPN topology and only advertise Cloud B Manager subnet to other branches and hub this way also we can migrate all firewalls to new FOrti Manager. and later on we can change the role of Cloud B firewall as hub from instead of spoke? is this possible? 

 

I am really lost here please need your help. 

 

Labels:
149
0 Kudos
2 REPLIES 2
Anthony_E
Community Manager
Community Manager

Created on ‎04-21-2024 10:49 PM

Hello packetninja,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
87
0 Kudos
Anthony_E
Community Manager
Community Manager

Created on ‎04-25-2024 04:16 AM

Hello,

 

Here is the answer from one of our experts:

 

"

 

FMG migration, if we focus only on this they could:

-Deploy the new FMG

-Restore the back of the original in the newly deployed

-cut the rechability with the old FMG

-make the new FMG reachable from the FGTs and viceversa

-at this point the FMG should be able to discover the devices --> there might be a problem on the fortigate as they should accept the new FMG serial number and certificate

 

the cleaner way is to get into the devices clear the FMG config and do the rediscover from the FMG or set the new IP of the FMG on the gates.

Anthony-Fortinet Community Team.
33
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.