Administration Guide

Appendix C - Re-establishing the FGFM tunnel after VM license migration

When migrating a FortiManager to a new license type, the serial number associated with the FortiManager is also changed. This impacts the FGFM (FortiGate to FortiManager) tunnel that exists between FortiManager and its managed FortiGate devices.

Depending on how the FortiGate was initially added to the FortiManager (through the FortiManager or through the FortiGate), you may need to manually update the username and password of FortiGate devices in the FortiManager database before the FGFM tunnel can be re-established.

Follow the steps below to re-establish the FGFM connection with managed FortiGate devices.

FGFM connection established through FortiManager

If the device was added from the FortiManager using the Add Device wizard, the FortiManager automatically has the device's correct username and password after the migration, and the FGFM tunnel can be re-established immediately.

To re-establish the FGFM tunnel:
  1. In the FortiManager CLI, execute the following to bring the tunnel up:

    execute fgfm reclaim-dev-tunnel

    If the execute fgfm reclaim-dev-tunnel command fails to establish a connection between the FortiManager and one or more FortiGate devices, it is likely because the FGFM connection was originally established through the FortiGate for those devices. See FGFM connection established through FortiGate.

FGFM connection established through FortiGate

If the FGFM tunnel was initialized through the FortiGate, and FortiManager was used to promote (authorize) the device, the FortiManager may not have the device's administrator username and password. You can configure the credentials required for the FGFM tunnel through the FortiManager GUI, the FortiManager CLI, or the FortiGate CLI. See Step 1: Configure the FGFM credentials.

After updating the FGFM credentials, run the execute fgfm reclaim-dev-tunnel command to bring the tunnel up. See Step 2: Re-establish the FGFM tunnel.

Step 1: Configure the FGFM credentials

Configure the FGFM credentials through one of the following methods:

To configure the FGFM credentials using the FortiManager GUI:
  1. Log in to the FortiManager.

  2. In the GUI, go to Device Manager, select the FortiGate device in the list of managed devices, and click Edit.

  3. Update the FGFM credentials by using a valid super admin account for the FortiGate.

  4. Click OK.

  5. Repeat this process for each FortiGate that needs to be updated.

To update the device's FGFM credentials in the CLI:
  1. In the FortiManager CLI, enter the following commands:

    execute device replace user <device name> <user>

    execute device replace pw <device name> <password>

  2. Repeat this process for each FortiGate that needs to be updated.

To configure the device's FGFM credentials in the FortiGate CLI:
  1. In the FortiGate CLI, enter the following command:

    execute central-mgmt register-device <FMG Serial Number> <FGT admin password>

  2. Repeat this process for each FortiGate that needs to be updated.

Step 2: Re-establish the FGFM tunnel

To re-establish the FGFM tunnel after the FGFM credentials are updated:
  1. Enter the following command in the FortiManager CLI to re-establish the FGFM tunnel:

    execute fgfm reclaim-dev-tunnel
