Pre-upgrade Procedures
The communication method between FortiNAC servers was hardened for security. Because of this change, every FortiNAC server requires additional configuration before it can communicate with the other servers. Perform the following procedure before upgrading to prevent an interruption of that communication.
This configuration applies to FortiNAC version 9.4.3 and greater.
Configure all servers to allow communication with each other. This is done with a global option that lists the serial numbers of every appliance allowed to communicate; an appliance whose serial number is not in the list is not trusted by the others. The same list, containing the serial numbers of all appliances, is configured on every server.
Steps
1. Confirm that key files containing certificates are installed on all FortiNAC servers.
Administration UI method:
The System Summary Dashboard widget should show 'Certificates = Yes'.
CLI method:
Virtual appliance: Log in to the CLI as root and type:
licensetool
Physical appliance: Log in to the CLI as root and type:
licensetool -key FILE -file /bsc/campusMgr/.licenseKeyHW
The response from either command should include a line of the form:
"certificates =[xxxxxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxxxxx]"
If the response shows 'certificates = []', or there is no 'certificates' entry at all, keys with certificates must be installed before continuing. See Importing License Key Certificates in the FortiNAC Manager Guide.
2. Compile the allowed serial number list. In a text file (Notepad, etc.), record the serial number of each appliance. Serial numbers can be obtained in the following ways:
- Customer Portal (https://support.fortinet.com)
- System Summary Dashboard widget in the Administration UI of each appliance
- CLI of each appliance, using the licensetool command
Example:
FortiNAC Manager A (primary) & B (secondary)
FortiNAC-CA servers A (primary) & B (secondary)
FortiNAC-CA server C
Record serial numbers for:
FortiNAC Manager A: FNVM-Mxxxxx1
FortiNAC Manager B: FNVM-Mxxxxx2
FortiNAC-CA server A: FNVM-CAxxxxx4
FortiNAC-CA server B: FNVM-CAxxxxx5
FortiNAC-CA server C: FNVM-CAxxxxx6
3. In the same text file, write the following command, listing every serial number recorded in step 2 as a comma-separated list, as in the example. The list must include all appliances, including the server on which the command will be entered.
Command:
globaloptiontool -name security.allowedserialnumbers -setRaw "<serialnumber1>,<serialnumber2>,<serialnumber3>"
Example:
globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6"
4. Perform the following steps on all servers.
a. Log in to the CLI as root.
b. Paste the globaloptiontool command from the text file.
Note:
- The message "Warning: There is no known option with name: security.allowedserialnumbers" may appear. This is normal; the "New option added" line that follows confirms the value was stored.
- In High Availability configurations, the command only needs to be entered on the Primary Server. Database replication copies the configuration to the Secondary Server. Using the above example, the CLI configuration would be applied to Manager A (not Manager B), and likewise to FortiNAC-CA server A rather than FortiNAC-CA server B.
Example
> globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6"
Warning: There is no known option with name: security.allowedserialnumbers
New option added
c. Confirm the entry by typing:
globaloptiontool -name security.allowedserialnumbers
The response should list every serial number exactly as written in the text file. Compare the two lists on each server; an appliance whose serial number is missing or mistyped would be unable to communicate with the others after the upgrade.
Example
> globaloptiontool -name security.allowedserialnumbers
Warning: There is no known option with name: security.allowedserialnumbers
122 security.allowedserialnumbers: FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6
5. Log out of the CLI. Type:
logout
You have completed the pre-upgrade procedure.
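The checks in steps 1 and 4c, and the command built in step 3, as an added helper script that is not part of FortiNAC or of this procedure. It works on the text that licensetool and globaloptiontool print (captured here as constructed sample strings so the script runs offline): it reports whether key files with certificates are present, builds the globaloptiontool command from a list of serial numbers while rejecting duplicates and malformed entries, and compares the list a server returns against the intended one. The function names, the sample outputs, and any output format of the real tools beyond what the procedure above shows are assumptions.

```sh
#!/bin/sh
# Added helper (not a FortiNAC tool): checks the licensetool output for
# installed certificates, builds the security.allowedserialnumbers command,
# and verifies the list a server reports against the intended one.
# Function names and the sample outputs below are assumptions.

# Constructed sample outputs standing in for what the real commands print.
SAMPLE_LICENSETOOL_OK='certificates =[xxxxxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxxxxx]'
SAMPLE_LICENSETOOL_EMPTY='certificates = []'
SAMPLE_GLOBALOPTION_OUT='Warning: There is no known option with name: security.allowedserialnumbers
122 security.allowedserialnumbers: FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6'

# has_certificates OUTPUT -> success only if a non-empty "certificates = [...]"
# entry is present (step 1); "certificates = []" or no entry at all fails.
has_certificates() {
    printf '%s\n' "$1" | grep -Eq 'certificates[[:space:]]*=[[:space:]]*\[[^]]+\]'
}

# build_command SERIAL... -> prints the globaloptiontool command (step 3) with
# a comma-separated list; duplicates are dropped, and an empty serial or one
# containing whitespace, a comma or a quote makes the function fail.
build_command() {
    list=''
    for sn in "$@"; do
        case "$sn" in
            ''|*[[:space:]]*|*,*|*\"*) echo "bad serial: '$sn'" >&2; return 1 ;;
        esac
        case ",$list," in
            *",$sn,"*) continue ;;    # already in the list
        esac
        list="${list:+$list,}$sn"
    done
    [ -n "$list" ] || { echo "no serial numbers given" >&2; return 1; }
    printf 'globaloptiontool -name security.allowedserialnumbers -setRaw "%s"\n' "$list"
}

# configured_serials OUTPUT -> prints the list stored on the server, taken from
# the "NNN security.allowedserialnumbers: ..." line; the warning line is ignored.
configured_serials() {
    printf '%s\n' "$1" | sed -n 's/^[0-9]* *security\.allowedserialnumbers: *//p'
}

# verify_option EXPECTED_LIST OUTPUT -> success only if the server holds exactly
# the expected serials (any order); missing or extra ones are reported (step 4c).
verify_option() {
    expected=$1
    actual=$(configured_serials "$2")
    [ -n "$actual" ] || { echo "security.allowedserialnumbers is not set" >&2; return 1; }
    rc=0
    for sn in $(printf '%s' "$expected" | tr ',' ' '); do
        case ",$actual," in
            *",$sn,"*) ;;
            *) echo "missing on server: $sn" >&2; rc=1 ;;
        esac
    done
    for sn in $(printf '%s' "$actual" | tr ',' ' '); do
        case ",$expected," in
            *",$sn,"*) ;;
            *) echo "unexpected on server: $sn" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Demonstration on the constructed samples.
has_certificates "$SAMPLE_LICENSETOOL_OK" && echo "keys with certificates are installed"
has_certificates "$SAMPLE_LICENSETOOL_EMPTY" || echo "certificates = [] : install keys first"
INTENDED='FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6'
build_command FNVM-Mxxxxxxx1 FNVM-Mxxxxxxx2 FNVM-CAxxxxx4 FNVM-CAxxxxx5 FNVM-CAxxxxx6
verify_option "$INTENDED" "$SAMPLE_GLOBALOPTION_OUT" && echo "server list matches the intended list"
```

On an appliance the same functions can be fed the live output, for example verify_option "$INTENDED" "$(globaloptiontool -name security.allowedserialnumbers)", so the comparison in step 4c is done mechanically on every server rather than by eye; the invocation of globaloptiontool is the one shown in the procedure.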