Move server to another Manager (FNC-MX/FNC-CAX)

Use these steps to transfer an existing managed FortiNAC server from one FortiNAC Manager to another.

Requirements

• FortiNAC version: 9.2.7, 9.4.2, F7.2.1 or greater on all appliances

• License contracts have been installed on the new Manager

Considerations

• Perform snapshots on any virtual appliances before proceeding

• During this process, there will be a period of time where entitlements will not be available

• Due to the above, it is recommended this process be done during a maintenance window if the FortiNAC server is controlling network access (under enforcement)

Step 1: Review Global Objects

In the Manager, take a screen capture or note the global objects and confirm they are present on the managed server. This list will be used to verify the objects once the server is removed from the Manager.

Admin Profiles:

Users & Hosts > Administrators > Profiles

Guest Templates:

Users & Hosts > Guests & Contractors > Templates

Device Profiling Rules:

Users & Hosts > Device Profiling Rules

Device Types:

System > Settings Identification > Device Types

Groups:

System > Groups

Roles:

Policy & Objects > Roles

User/Host Profiles:

Policy & Objects > User/Host Profiles

Endpoint Compliance Policies:

Policy & Objects > Endpoint Compliance > Policies

Endpoint Compliance Configurations:

Policy & Objects > Endpoint Compliance > Configurations

Endpoint Compliance Scans:

Policy & Objects > Endpoint Compliance > Scans

Security Actions used by Endpoint Compliance configurations:

Policy & Objects > Endpoint Compliance > Actions

Step 2: Remove Server from Server List

1. Log in to the Manager UI in one web browser window and the server UI in another.

2. In the Manager’s Dashboard, select the server in the Servers widget.

3. Select Delete.

4. Log out of the Manager.

5. In the server UI, the License Information panel should reflect a Concurrent License count of 0. If not, wait about 1 minute to allow the entitlements to update.

Step 3: Validate

In the server, confirm any previously shared (global) objects are still listed and are modifiable.

Step 4: Update Existing Manager’s Allowed Serial Numbers (optional)

Delete the server’s Serial Number(s) from the existing Manager's allowed serial number list. If the Manager is being decommissioned, this step can be skipped.

1. Log in to the existing Manager's CLI as admin and type:

   execute enter-shell

   globaloptiontool -name security.allowedserialnumbers

   Example of results:

   security.allowedserialnumbers: FNVX-CAxxxxx6,FNVX-CAxxxxx7,FNVX-CAxxxxx8

2. Copy the resulting serial number list (example: FNVX-CAxxxxx6,FNVX-CAxxxxx7,FNVX-CAxxxxx8) to a text editor.

3. Delete the CA's Serial Number from the list. Example where CA's Serial Number is FNVX-CAxxxxx6:

   FNVX-CAxxxxx7,FNVX-CAxxxxx8

4. Enter the following command and include the edited content

   globaloptiontool -name security.allowedserialnumbers -setRaw "<updated_SN_list>"

   Example:

   globaloptiontool -name security.allowedserialnumbers -setRaw "FNVX-CAxxxxx7,FNVX-CAxxxxx8"

5. Log out of the CLI. Type:

   exit

   exit

Step 5: Update FortiNAC Server’s Allowed Serial Numbers

Update the server’s allowed serial number list with the new Manager serial number.

1. Log in to the server CLI as admin and type:

   execute enter-shell

   globaloptiontool -name security.allowedserialnumbers

2. Copy the resulting serial number list to a text editor. Replace the serial numbers of the existing Manager(s) with the new Manager(s).

3. Enter the following command and include the edited content

   globaloptiontool -name security.allowedserialnumbers -setRaw "<updated_SN_list>"

   Example:

   globaloptiontool -name security.allowedserialnumbers -setRaw "FNVX-Mxxxxxxx1,FNVX-Mxxxxxxx2"

4. Log out of the CLI. Type:

   exit

   exit

Step 6: Update New Manager’s Allowed Serial Numbers

Add the server’s Serial Number(s) to the new Manager's allowed serial number list.

1. Log in to the new Manager's CLI as admin and type:

   execute enter-shell

   globaloptiontool -name security.allowedserialnumbers

   Example of results:

   security.allowedserialnumbers: FNVX-CAxxxxx4,FNVX-CAxxxxx5

2. Copy the resulting serial number list (example: FNVX-CAxxxxx4,FNVX-CAxxxxx5) to a text editor.

3. Add the server's Serial Number(s) at the end of the list. Example where CA's Serial Number is FNVX-CAxxxxx6:

   FNVX-Mxxxxxxx1,FNVX-Mxxxxxxx2,FNVX-CAxxxxx4,FNVX-CAxxxxx5,FNVX-CAxxxxx6

4. Enter the following command and include the edited content

   globaloptiontool -name security.allowedserialnumbers -setRaw "<updated_SN_list>"

   Example:

   globaloptiontool -name security.allowedserialnumbers -setRaw "FNVX-Mxxxxxxx1,FNVX-Mxxxxxxx2,FNVX-CAxxxxx4,FNVX-CAxxxxx5,FNVX-CAxxxxx6"

5. Log out of the CLI. Type:

   exit

   exit

Step 7: Add Server to New Manager’s Server List

Add the server to the new Manager's UI.

1. Navigate to the Dashboard.

2. Select Create New in the Servers widget and add the FortiNAC server IP address.

Manager will automatically copy the license entitlements to the FortiNAC server.

Step 8: Shut Down the Old Manager (optional)

If being decommissioned, the old Manager can now be shut down.

1. In the Manager UI, navigate to System > Settings > System Management > Power Management.

2. Select a server from the list.

Click Power Off. This process may take 30 seconds.