Import config to FortiManager by upload CLI scripts file
- To configure FortiManager
- The output folder
- To import policies and objects
- To troubleshoot script import and execution errors
The example in the procedures uses FortiManager 6.4 and global policies and objects. The procedures are similar for environments that don't use the global feature.
To configure FortiManager
On FortiManager, enable the ADOM feature and create an ADOM for each source domain that you want to migrate. Ensure that all the ADOMs (including the global ADOM) use the same version of FortiOS.
The output folder
The output folder provides a global folder and a folder for each source domain. Both folders contain the subfolder FMGR\.
Object configuration is located in the FMGR\FWObject\ folder, which contains the following files:
- Several text and HTML files that are used for reporting. They aren't used to import the configuration.
- The text file config-all, which contains all the CLI commands for the object configuration.
- Text files that duplicate sections of the config-all file: addresses, address groups, services, schedules, and so on. When there are many objects (for example, most environments have many firewall address objects), these sections are divided into multiple, indexed files. To make the import process simpler, Fortinet recommends that you import configurations using the files for individual sections.
Policy scripts are located in policy package folders in \FMGR\Policy as one or more firewall policy files (config-firewall-policy-1, config-firewall-policy-2, and so on). These files contain the same content as the conversion output file config-all, split into smaller, indexed files that are easier to import.
Configuration that relates to interfaces is located in the FMGR\DeviceList\ folder, including interface, zone, static route and dynamic interface configuration.
To import policies and objects
Import to Global Database
- Display the scripts in the panel: from the Policy & Objects page, go to Tools > Display Options > All On.
- Go to the script page: Object Configurations > Script > Scripts.
- Click Import CLI Script and add a script file from the FMGR\FWObject folder on the page. Edit the script name, select Policy Package or ADOM Database for the field Run Script On, and then click Import to save the script.
- On the table of scripts, select the imported script and click Run Script. For the object definition scripts, choose the policy package "default"; the imported objects are then shareable across all policy packages. Click Run Now to start running the script file.
- If the script fails, click View Details to review error messages. For more information, see To troubleshoot script import and execution errors.
- Repeat the script import and run process for all scripts in the Global\FMGR\FWObject folder. If there are many address or service objects, there will be multiple scripts, because the address file is split and indexed to keep the files at a manageable size. Import the configuration sections in the order given by the number at the start of each file name. For example, import 04-config-firewall-address.txt before 05-config-firewall-addrgrp.txt, since address groups reference addresses, which must already exist when the group script runs.
- When all the objects are imported, policy packages can be imported. Use the same procedures to import and run the policy scripts using the files config-global-header-policy and config-global-footer-policy located in the Global\FMGR\Policy folder, which contains a folder for each policy package.
- After the scripts have run successfully, review the policies.
- When the policy packages are correct, click Assignment > Add ADOM to assign the global policy package to your ADOM. By default, FortiManager applies the global policy package to all policy packages in the selected ADOM.
- To complete the ADOM assignment, on the selected ADOM, click Assign.
- Switch to the assigned ADOM and review the assigned global policies.
For more information on the output folders and files, see The output folder.
Import to ADOMs
- Display the scripts in the panel: on the System Settings page, go to Admin > Admin Settings. Under Display Options on GUI, select Show Script.
- Go to the script page: on the Device Manager page, Click on Scripts.
- Follow steps 3-6 in Import to Global Database to import the firewall object scripts in the <domain_name>\FMGR\FWObject folder.
- When all the objects are imported, check whether the policies reference interfaces. If they do, follow the steps in Import To Managed Device to import the interface scripts in the <domain_name>\FMGR\DeviceList folder.
- When the objects and interfaces are imported, policy packages can be imported. If there are multiple policy packages to be imported, go to Policy Packages > Policy Package > New to create the additional policy packages besides the default one.
- Use the same procedures to import and run the policy scripts using the config-firewall-policy files located in the <domain_name>\FMGR\Policy folder, which contains a folder for each policy package. Remember to select the corresponding policy package after clicking Run Script. If there are many policies, there will be multiple scripts, because the policy file is split and indexed to keep the files at a manageable size.
- If the script fails, click View Details to review error messages. For more information, see To troubleshoot script import and execution errors.
- After the scripts have run successfully, review the policies.
To create referenced interfaces on the Policy & Objects page, go to Policy & Objects > Object configurations > Normalized interface > Normalized interface > Create New.
Import To Managed Device
- Follow steps 1-2 in Import to ADOMs to enter the script page.
- Click Import CLI Script and add a script file from the FMGR\DeviceList folder on the page. Edit the script name, select Device Database for the field Run Script On, and then click Import to save the script.
- On the table of scripts, select the imported script and click Run Script. Select the device that the script applies to and click Run Now to start running the script file.
- If the managed device names were entered during the conversion, the dynamic interface mapping file config-dynamic-interface is generated. This script maps the interfaces of a managed device to the normalized interfaces in the ADOM database. If the normalized interfaces have not been created in the ADOM database, this script also creates them.
- After the scripts have run successfully, review the imported settings.
For more information on the output folders and files, see The output folder.
To troubleshoot script import and execution errors
FortiConverter inserts error messages in output scripts as comments.
In some cases, the script can't run unless you edit it to correct the errors. Double-click the name of the script in the list of scripts to edit it.
In the following example, the address objects that generate the errors are assigned using the global objects and can be ignored.
If an error occurs during script execution, go to the System Settings page and click Task Monitor to view the error message and identify the error. Unlike a FortiGate import, which creates objects up to the point of failure, FortiManager creates no object or policy at all if the script execution fails, so a single bad line means nothing from that script is imported.
Double-click the failed script record; the error message is shown in the Status column. For detailed error logs, click View Script Execution History.
Once the cause of the error is identified from the error log, go back to the script page and fix the script. If the object that causes the problem is not needed, delete it or put # (hash) at the start of the relevant lines to turn them into comments. Then run the script again. Repeat until the script executes successfully.
If there is no obvious error in the output, try dividing the script into two smaller scripts. If only one script runs successfully, you have narrowed the focus of your troubleshooting to the content of the failed script. To divide a script, right-click it and select Clone. Using the policy numbers to determine and keep track of which policies you delete, edit the files so that they each contain a different section of the script. Then, run both scripts.
Dividing scripts into two or more smaller scripts is also useful if you suspect the length of a script is causing the execution to fail. Scripts that are too long fail without generating an error message.
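The ordering rule (import addresses before the address groups that reference them), the all-or-nothing behaviour of a failed script, commenting out unneeded objects with #, and dividing a long script into smaller ones can all be prepared before anything is uploaded to FortiManager. The Python helper below is an added example written for this page; it is not part of FortiConverter or FortiManager. The embedded address and address-group scripts are constructed to resemble the 04-config-firewall-address.txt and 05-config-firewall-addrgrp.txt files and are not real conversion output, and the layout it parses (one config ... end table per file, one edit ... next block per object, members listed on a set member line) is an assumption based on FortiOS CLI syntax.

```python
import re

# Constructed sample input in the shape of FortiConverter's per-section
# scripts (assumed layout, not copied from a real conversion).
SAMPLE_ADDRESS = """\
config firewall address
    edit "web-srv-1"
        set subnet 10.1.1.10 255.255.255.255
    next
    edit "web-srv-2"
        set subnet 10.1.1.11 255.255.255.255
    next
end
"""

SAMPLE_ADDRGRP = """\
config firewall addrgrp
    edit "web-servers"
        set member "web-srv-1" "web-srv-2" "db-srv-1"
    next
end
"""

_EDIT = re.compile(r'^\s*edit\s+"?([^"]+?)"?\s*$')
_NEXT = re.compile(r'^\s*next\s*$')


def parse_script(text):
    """Split a single-table FortiOS CLI script into its 'config ...' header,
    a list of (name, lines) entries and the closing 'end' line."""
    header, footer, entries, current = None, None, [], None
    for line in text.splitlines():
        stripped = line.strip()
        if header is None and stripped.startswith("config "):
            header = line
        elif stripped == "end" and current is None:
            footer = line
        elif current is None:
            m = _EDIT.match(line)
            if m:
                current = (m.group(1), [line])
        else:
            current[1].append(line)
            if _NEXT.match(line):
                entries.append(current)
                current = None
    if header is None or footer is None or current is not None:
        raise ValueError("script is not a complete config ... end block")
    return header, entries, footer


def defined_names(text):
    """Names of the objects an earlier script creates (e.g. all addresses)."""
    return {name for name, _ in parse_script(text)[1]}


def missing_references(text, defined):
    """Map each entry to the 'set member' names that no earlier script defines.
    Any non-empty result means the whole script will fail on FortiManager,
    which creates nothing from a script that does not run to completion."""
    missing = {}
    for name, lines in parse_script(text)[1]:
        refs = []
        for line in lines:
            if line.strip().startswith("set member"):
                refs.extend(re.findall(r'"([^"]*)"', line))
        unresolved = [r for r in refs if r not in defined]
        if unresolved:
            missing[name] = unresolved
    return missing


def split_script(text, max_entries):
    """Divide a script into scripts of at most max_entries entries, each
    wrapped in the original 'config'/'end' lines so it runs stand-alone."""
    header, entries, footer = parse_script(text)
    chunks = []
    for i in range(0, len(entries), max_entries):
        body = [l for _, lines in entries[i:i + max_entries] for l in lines]
        chunks.append("\n".join([header, *body, footer]) + "\n")
    return chunks


def comment_out(text, names):
    """Turn the named entries into '#' comments, as the troubleshooting
    section suggests for objects that are not needed."""
    header, entries, footer = parse_script(text)
    out = [header]
    for name, lines in entries:
        out.extend(("#" + l if name in names else l) for l in lines)
    out.append(footer)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("unresolved members:",
          missing_references(SAMPLE_ADDRGRP, defined_names(SAMPLE_ADDRESS)))
    print(split_script(SAMPLE_ADDRESS, 1)[0])
    print(comment_out(SAMPLE_ADDRGRP, {"web-servers"}))
```

Run missing_references over each address-group file against the names collected from the address files before importing: an unresolved member such as "db-srv-1" in the sample points at an object that is either defined in a later file (fix the import order) or missing from the conversion (comment it out or create it first). split_script keeps every chunk a valid config ... end block, so each piece can be imported and run on its own when a long script fails without an error message.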
In some cases, if a script fails, Fortinet recommends that you create a new script instead of editing or deleting the failed one, because files can sometimes remain after you delete it. If you preserve the failed script, you can review it and the error it generated later. In the following example, the config user server objects took several attempts to run successfully.