
Pre-upgrade Procedures

The communication method between FortiNAC servers was hardened. As a result, every FortiNAC server must be explicitly configured with the identities of the servers it is allowed to communicate with; without this configuration the servers will not be able to talk to each other. Complete the following procedure before upgrading to prevent an interruption in server-to-server communication.

This configuration applies to FortiNAC version 9.4.3 and greater.

Configure all servers to allow communication with each other. This is done with a single attribute, security.allowedserialnumbers, that lists the serial numbers of all appliances permitted to communicate. Every appliance in the deployment (Managers and FortiNAC-CA servers, primary and secondary) must appear in the list.

Steps

  1. Confirm key files containing certificates are installed in all FortiNAC servers.

    Administration UI Method:

    The System Summary Dashboard widget should show 'Certificates = Yes'.

    CLI Method:

    Virtual appliance: Log in to the CLI as root and type:

    licensetool

    Physical appliance: Log in to the CLI as root and type:

    licensetool -key FILE -file /bsc/campusMgr/.licenseKeyHW

    Response from the above commands should show:

    "certificates =[xxxxxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxxxxx]".

    If 'certificates = []' or there is not a 'certificates' entry listed at all, keys with certificates must be installed. See Importing License Key Certificates in the FortiNAC Manager Guide.

  2. Compile the allowed serial number list. In a text file (Notepad, etc), document the serial numbers of each appliance. Serial numbers can be obtained in the following ways:

    • Customer Portal (https://support.fortinet.com)

    • System Summary Dashboard widget in the Administration UI of each appliance

    • CLI of each appliance using licensetool command

    Example:

    FortiNAC Manager A (primary) & B (secondary)

    FortiNAC-CA servers A (primary) & B (secondary)

    FortiNAC-CA server C

    Record serial numbers for:

    FortiNAC Manager A: FNVM-Mxxxxx1

    FortiNAC Manager B: FNVM-Mxxxxx2

    FortiNAC-CA server A: FNVM-CAxxxxx4

    FortiNAC-CA server B: FNVM-CAxxxxx5

    FortiNAC-CA server C: FNVM-CAxxxxx6

  3. In the same text file, write the following command, listing all the serial numbers recorded in step 2:

    Command:

    globaloptiontool -name security.allowedserialnumbers -setRaw "<serialnumber1>,<serialnumber2>,<serialnumber3>"

    Example

    globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6"

  4. Perform the following steps on all servers.

    a. Log in to the CLI as root.

    b. Paste the globaloptiontool command from the text file.

    Note:

    • The message "Warning: There is no known option with name: security.allowedserialnumbers" may appear. This is normal.

    • In High Availability configurations, only the Primary Server needs to have the command entered. Database replication copies the configuration to the Secondary Server. Using the above example, the command would be entered on Manager A, FortiNAC-CA server A and FortiNAC-CA server C; Manager B and FortiNAC-CA server B receive the setting through replication.

      Example

      > globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6"
      Warning: There is no known option with name: security.allowedserialnumbers
      New option added

    c. Confirm entry by typing:

    globaloptiontool -name security.allowedserialnumbers

    Example

    > globaloptiontool -name security.allowedserialnumbers
    Warning: There is no known option with name: security.allowedserialnumbers
    122 security.allowedserialnumbers: FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6

  5. Log out of the CLI. Type:

    logout
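The following POSIX shell helpers are an added example for the procedure above; they are not Fortinet tooling and do not run on the appliance. They run on an administrator's workstation to build the exact globaloptiontool command from the serial numbers gathered in step 2 (rejecting malformed, duplicate or empty lists before anything is pasted into the CLI), to check the output captured in step 4c against the intended list, and to check the licensetool output from step 1 for an empty certificates entry. The serial numbers are constructed placeholders, and the serial-number format check (letters, digits and hyphens only) is an assumption.

```shell
#!/bin/sh
# Added example: workstation-side helpers for the pre-upgrade procedure above.
# This is not Fortinet tooling; it only prepares and checks text that you paste
# into, or copy out of, the appliance CLI. Serial numbers below are constructed
# placeholders, and the "letters, digits, hyphens" serial format is an assumption.

OPTION_NAME="security.allowedserialnumbers"

# A serial must be non-empty and contain no spaces, commas or quotes, otherwise
# the comma-separated -setRaw value is corrupted. Assumed format: [A-Za-z0-9-].
valid_serial() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9-]+$'
}

# Build the step 3 command from the serials given as arguments. Refuses
# malformed, duplicate or empty lists so a bad value never reaches the appliance.
build_command() {
    list=""
    seen=" "
    for s in "$@"; do
        valid_serial "$s" || { echo "invalid serial: '$s'" >&2; return 1; }
        case "$seen" in
            *" $s "*) echo "duplicate serial: $s" >&2; return 1 ;;
        esac
        seen="$seen$s "
        list="${list:+$list,}$s"
    done
    [ -n "$list" ] || { echo "no serial numbers given" >&2; return 1; }
    printf 'globaloptiontool -name %s -setRaw "%s"\n' "$OPTION_NAME" "$list"
}

# Check the output captured from step 4c against the intended list: the option
# must be present and every expected serial must appear in the stored value.
# $1 is the captured CLI output; the remaining arguments are the expected serials.
verify_output() {
    out="$1"
    shift
    stored=$(printf '%s\n' "$out" | sed -n "s/.*$OPTION_NAME: *//p" | tail -n 1)
    [ -n "$stored" ] || { echo "option $OPTION_NAME not found in output" >&2; return 1; }
    for s in "$@"; do
        case ",$stored," in
            *",$s,"*) ;;
            *) echo "serial $s missing from stored list" >&2; return 1 ;;
        esac
    done
    return 0
}

# Check the licensetool output from step 1: the certificates list must be
# non-empty ("certificates =[]" or no certificates entry at all means keys
# with certificates still have to be imported).
certificates_installed() {
    certs=$(printf '%s\n' "$1" | sed -n 's/.*certificates *= *\[\(.*\)\].*/\1/p' | tail -n 1)
    [ -n "$certs" ]
}

# Stand-alone demonstration with constructed serial numbers: prints the command
# to paste into the CLI of Manager A, FortiNAC-CA server A and FortiNAC-CA server C.
build_command FNVM-Mxxxxxxx1 FNVM-Mxxxxxxx2 FNVM-CAxxxxx4 FNVM-CAxxxxx5 FNVM-CAxxxxx6
```

Run build_command once with the full list and paste its single line of output on each primary server; after step 4c, paste the appliance's output into verify_output with the same list so a typo or a forgotten appliance is caught before the upgrade, when it would surface as a communication failure.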


You have completed the pre-upgrade procedure.
