Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiNAC Manager

    Home FortiNAC 9.4.0 FortiNAC Manager
    9.4.0
    9.4.0
    9.2.0
    9.1.0

    Move server to another Manager

    Move server to another Manager

    Use these steps to transfer an existing managed FortiNAC server from one FortiNAC Manager to another.

    Requirements

    • FortiNAC version: 9.2.7, 9.4.2, F7.2.1 or greater on all appliances

    • License contracts have been installed on the new Manager


    Considerations

    • Perform snapshots on any virtual appliances before proceeding

    • During this process, there will be a period of time where entitlements will not be available

    • Due to the above, it is recommended this process be done during a maintenance window if the FortiNAC server is controlling network access (under enforcement)

    Step 1: Review Global Objects

    In the Manager, take a screen capture or note the global objects and confirm they are present on the managed FortiNAC server. This list will be used to verify the objects once the server is removed from the Manager.

    Admin Profiles:

    Users & Hosts > Administrators > Profiles

    Guest Templates:

    Users & Hosts > Guests & Contractors > Templates

    Device Profiling Rules:

    Users & Hosts > Device Profiling Rules

    Device Types:

    System > Settings Identification > Device Types

    Groups:

    System > Groups

    Roles:

    Policy & Objects > Roles

    User/Host Profiles:

    Policy & Objects > User/Host Profiles

    Endpoint Compliance Policies:

    Policy & Objects > Endpoint Compliance > Policies

    Endpoint Compliance Configurations:

    Policy & Objects > Endpoint Compliance > Configurations

    Endpoint Compliance Scans:

    Policy & Objects > Endpoint Compliance > Scans

    Security Actions used by Endpoint Compliance configurations:

    Policy & Objects > Endpoint Compliance > Actions

    Step 2: Remove Server from Server List

    1. Log in to the Manager UI in one web browser window and the server UI in another.

    2. In the Manager’s Dashboard, select the server in the Servers widget.

    3. Select Delete.

    4. Log out of the Manager.

    5. In the server UI, the License Information panel should reflect a Concurrent License count of 0. If not, wait about 1 minute to allow the entitlements to update.

    Step 3: Validate

    In the server, confirm any previously shared (global) objects are still listed and are modifiable.

    Step 4: Update Existing Managers Allowed Serial Numbers (optional)

    Delete the server's Serial Number(s) from the existing Manager's allowed serial number list. If the Manager is being decommissioned, this step can be skipped.

    1. Log in to the existing Manager's CLI as root and type:

      globaloptiontool -name security.allowedserialnumbers

      Example of results:

      security.allowedserialnumbers: FNVM-CAxxxxx6,FNVM-CAxxxxx7,FNVM-CAxxxxx8

    2. Copy the resulting serial number list (example: FNVM-CAxxxxx6,FNVM-CAxxxxx7,FNVM-CAxxxxx8) to a text editor.

    3. Delete the CA's Serial Number from the list. Example where CA's Serial Number is FNVM-CAxxxxx6:

      FNVM-CAxxxxx7,FNVM-CAxxxxx8

    4. Enter the following command and include the edited content

      globaloptiontool -name security.allowedserialnumbers -setRaw "<updated_SN_list>"

      Example:

      globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-CAxxxxx7,FNVM-CAxxxxx8"

    5. Log out of the CLI. Type:

      logout

    Step 5: Update CAs Allowed Serial Numbers

    Update the server's allowed serial number list with the new Manager serial number.

    1. Log in to the server CLI as root and type:

      globaloptiontool -name security.allowedserialnumbers

    2. Copy the resulting serial number list to a text editor. Replace the serial numbers of the existing Manager(s) with the new Manager(s).

    3. Enter the following command and include the edited content

      globaloptiontool -name security.allowedserialnumbers -setRaw "<updated_SN_list>"

      Example:

      globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2"

    4. Log out of the CLI. Type:

      logout

    Step 6: Update New Managers Allowed Serial Numbers

    Add the server's Serial Number(s) to the new Manager's allowed serial number list.

    1. Log in to the new Manager's CLI as root and type:

      globaloptiontool -name security.allowedserialnumbers

      Example of results:

      security.allowedserialnumbers: FNVM-CAxxxxx4,FNVM-CAxxxxx5

    2. Copy the resulting serial number list (example: FNVM-CAxxxxx4,FNVM-CAxxxxx5) to a text editor.

    3. Add the CA's Serial Number(s) at the end of the list. Example where CA's Serial Number is FNVM-CAxxxxx6:

      FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6

    4. Enter the following command and include the edited content

      globaloptiontool -name security.allowedserialnumbers -setRaw "<updated_SN_list>"

      Example:

      globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6"

    5. Log out of the CLI. Type:

      logout

    Step 7: Add Server to New Managers Server List

    Add the server to the new Manager's UI.

    1. Navigate to the Dashboard.

    2. Select Create New in the Servers widget and add the FortiNAC server IP address.

      Manager will automatically copy the license entitlements to the CA.

    Step 8: Shut Down the Old Manager (optional)

    If being decommissioned, the old Manager can now be shut down.

    1. In the Manager UI, navigate to System > Settings > System Management > Power Management.

    2. Select a server from the list.

    Click Power Off. This process may take 30 seconds.

    Previous
    Next

    Move server to another Manager

    Move server to another Manager

    Use these steps to transfer an existing managed FortiNAC server from one FortiNAC Manager to another.

    Requirements

    • FortiNAC version: 9.2.7, 9.4.2, F7.2.1 or greater on all appliances

    • License contracts have been installed on the new Manager


    Considerations

    • Perform snapshots on any virtual appliances before proceeding

    • During this process, there will be a period of time where entitlements will not be available

    • Due to the above, it is recommended this process be done during a maintenance window if the FortiNAC server is controlling network access (under enforcement)

    Step 1: Review Global Objects

    In the Manager, take a screen capture or note the global objects and confirm they are present on the managed FortiNAC server. This list will be used to verify the objects once the server is removed from the Manager.

    Admin Profiles:

    Users & Hosts > Administrators > Profiles

    Guest Templates:

    Users & Hosts > Guests & Contractors > Templates

    Device Profiling Rules:

    Users & Hosts > Device Profiling Rules

    Device Types:

    System > Settings Identification > Device Types

    Groups:

    System > Groups

    Roles:

    Policy & Objects > Roles

    User/Host Profiles:

    Policy & Objects > User/Host Profiles

    Endpoint Compliance Policies:

    Policy & Objects > Endpoint Compliance > Policies

    Endpoint Compliance Configurations:

    Policy & Objects > Endpoint Compliance > Configurations

    Endpoint Compliance Scans:

    Policy & Objects > Endpoint Compliance > Scans

    Security Actions used by Endpoint Compliance configurations:

    Policy & Objects > Endpoint Compliance > Actions

    Step 2: Remove Server from Server List

    1. Log in to the Manager UI in one web browser window and the server UI in another.

    2. In the Manager’s Dashboard, select the server in the Servers widget.

    3. Select Delete.

    4. Log out of the Manager.

    5. In the server UI, the License Information panel should reflect a Concurrent License count of 0. If not, wait about 1 minute to allow the entitlements to update.

    Step 3: Validate

    In the server, confirm any previously shared (global) objects are still listed and are modifiable.

    Step 4: Update Existing Managers Allowed Serial Numbers (optional)

    Delete the server's Serial Number(s) from the existing Manager's allowed serial number list. If the Manager is being decommissioned, this step can be skipped.

    1. Log in to the existing Manager's CLI as root and type:

      globaloptiontool -name security.allowedserialnumbers

      Example of results:

      security.allowedserialnumbers: FNVM-CAxxxxx6,FNVM-CAxxxxx7,FNVM-CAxxxxx8

    2. Copy the resulting serial number list (example: FNVM-CAxxxxx6,FNVM-CAxxxxx7,FNVM-CAxxxxx8) to a text editor.

    3. Delete the CA's Serial Number from the list. Example where CA's Serial Number is FNVM-CAxxxxx6:

      FNVM-CAxxxxx7,FNVM-CAxxxxx8

    4. Enter the following command and include the edited content

      globaloptiontool -name security.allowedserialnumbers -setRaw "<updated_SN_list>"

      Example:

      globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-CAxxxxx7,FNVM-CAxxxxx8"

    5. Log out of the CLI. Type:

      logout

    Step 5: Update CAs Allowed Serial Numbers

    Update the server's allowed serial number list with the new Manager serial number.

    1. Log in to the server CLI as root and type:

      globaloptiontool -name security.allowedserialnumbers

    2. Copy the resulting serial number list to a text editor. Replace the serial numbers of the existing Manager(s) with the new Manager(s).

    3. Enter the following command and include the edited content

      globaloptiontool -name security.allowedserialnumbers -setRaw "<updated_SN_list>"

      Example:

      globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2"

    4. Log out of the CLI. Type:

      logout

    Step 6: Update New Managers Allowed Serial Numbers

    Add the server's Serial Number(s) to the new Manager's allowed serial number list.

    1. Log in to the new Manager's CLI as root and type:

      globaloptiontool -name security.allowedserialnumbers

      Example of results:

      security.allowedserialnumbers: FNVM-CAxxxxx4,FNVM-CAxxxxx5

    2. Copy the resulting serial number list (example: FNVM-CAxxxxx4,FNVM-CAxxxxx5) to a text editor.

    3. Add the CA's Serial Number(s) at the end of the list. Example where CA's Serial Number is FNVM-CAxxxxx6:

      FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6

    4. Enter the following command and include the edited content

      globaloptiontool -name security.allowedserialnumbers -setRaw "<updated_SN_list>"

      Example:

      globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6"

    5. Log out of the CLI. Type:

      logout

    Step 7: Add Server to New Managers Server List

    Add the server to the new Manager's UI.

    1. Navigate to the Dashboard.

    2. Select Create New in the Servers widget and add the FortiNAC server IP address.

      Manager will automatically copy the license entitlements to the CA.

    Step 8: Shut Down the Old Manager (optional)

    If being decommissioned, the old Manager can now be shut down.

    1. In the Manager UI, navigate to System > Settings > System Management > Power Management.

    2. Select a server from the list.

    Click Power Off. This process may take 30 seconds.

    Previous
    Next