Hi, in response to your questions:
Firstly (and the big one!), what would be the best approach to this upgrade and migration including the order of events.
- When upgrading, please always follow the release notes and upgrade path tool within the support portal, and always keep a copy of the backup file of each version as you step through the process.
- Moving FMG to public cloud can be done; migrating existing packages etc. can turn out complicated. If you have the option to start fresh, deploy the FMG in Azure, connect the FGTs to the FMG and import the current configs. This will start the cloud version where you left off with on-prem. Then archive and shut down the on-prem FMG and store it for backup.
- You can move the FMG license to cloud. If the IP address of the port1 NIC is going to change, log a call with customer services prior to the move to have the IP address changed in the license.
Secondly, can we go to higher versions with the management products (FA, FM, maybe EMS?) whilst maintaining support for the FortiGates running 6.4.x?
- Yes, the rule of thumb is to run FMG and FAZ the same as your highest FortiOS version or higher. Just take note of the older devices you may have, and that they are still supported within FMG. Use this matrix for reference (https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/61c2bba0-a142-11eb-b70b-005056...)
Depending on the answer to the second question: would there be any benefit in doing this vs sticking with an aligned 6.4.x version?
- Yes, additional features and functions come with the later versions of FMG and FAZ; as your FortiOS upgrades, they can make use of these options from the management platform.