FortiManager v7.0.8 Upgrade Guide
FortiManager 7.0.8
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
FEEDBACK
Email: [email protected]
June 8, 2023
FortiManager 7.0.8 Upgrade Guide
02-708-918355-20230608
TABLE OF CONTENTS
Change Log
Introduction
Preparing to Upgrade FortiManager
  Disabling FortiAnalyzer Features
  Upgrading unsupported ADOMs
  Downloading files from Customer Service & Support
    Downloading release notes and firmware images
    Downloading MIB files for SNMP
    FortiManager firmware images
    FortiManager VM firmware images
    Build numbers
  Reviewing FortiManager 7.0.8 Release Notes
  Planning when to upgrade
  Installing pending configurations
  Reviewing status of managed devices
    CLI example of diagnose dvm adom list
    CLI example of diagnose dvm device list
    CLI example of diagnose dvm group list
  Checking FortiManager databases
  Reviewing FortiManager system resources and license information
  Backing up configuration files and databases
  Creating a snapshot of VM instances
Upgrading FortiManager
  Upgrading FortiManager Firmware
  Upgrading the firmware for an operating cluster
  Checking FortiManager log output
  Checking FortiManager events
  Downgrading to previous firmware versions
Verifying FortiManager Upgrade Success
  Checking Alert Message Console and notifications
  Checking managed devices
  Previewing changes for a policy package installation
Supported Models
FortiManager Firmware Upgrade Paths
This document describes how to upgrade FortiManager to 7.0.8. This guide is intended to supplement the FortiManager
Release Notes, and it includes the following sections:
• Preparing to Upgrade FortiManager on page 6
• Upgrading FortiManager on page 19
• Verifying FortiManager Upgrade Success on page 25
• Supported Models on page 27
• FortiManager Firmware Upgrade Paths on page 28
• Only upgrade to a new major release or version when you are looking for specific functionality in the new major release or version. For more information, see the FortiManager Release Notes on the Fortinet Document Library (https://docs.fortinet.com/), or contact Fortinet Customer Service & Support (https://support.fortinet.com/).
• Upgrade FortiManager before upgrading FortiOS, and be sure to maintain release
We recommend performing the following tasks to prepare for a successful upgrade of a FortiManager unit. Following is a
summary of the preparation tasks and a link to the details for each task.
1. If FortiAnalyzer Features are enabled on FortiManager in an HA cluster, you must disable FortiAnalyzer Features
before upgrading FortiManager to version 7.0.8. See Disabling FortiAnalyzer Features on page 6.
All log data is deleted during the upgrade. It is recommended to back up log data before starting the upgrade.
2. If FortiManager has ADOM versions that are unsupported in the target FortiManager version, upgrade all
unsupported ADOM versions to 6.2 or higher.
You cannot upgrade unsupported ADOM versions after upgrading to the target FortiManager version.
FortiManager 7.0.0 and higher supports ADOM versions 6.2, 6.4, or 7.0. See Upgrading unsupported ADOMs on
page 7.
3. Download release notes, firmware images, and SNMP MIB files. See Downloading files from Customer Service &
Support on page 8.
4. Review release notes. See Reviewing FortiManager 7.0.8 Release Notes on page 10.
5. Plan when to perform the upgrade. See Planning when to upgrade on page 11.
6. Install pending configuration files. See Installing pending configurations on page 11.
7. Review the status of managed devices. See Reviewing status of managed devices on page 11.
8. Check the status of FortiManager databases. See Checking FortiManager databases on page 13.
9. Review FortiManager system resources and license information. See Reviewing FortiManager system resources
and license information on page 16.
10. Back up configuration files and databases. See Backing up configuration files and databases on page 17.
11. Clone VM instances. See Creating a snapshot of VM instances on page 18.
If FortiManager HA is not enabled, you can skip this step and leave FortiAnalyzer Features enabled.
With FortiManager 7.0.0, you cannot enable FortiAnalyzer Features on FortiManager nodes that are part of an HA
cluster. If FortiAnalyzer Features are enabled on FortiManager nodes in an HA cluster before you upgrade to
FortiManager 7.0.0, FortiAnalyzer Features are automatically disabled on each FortiManager in the HA cluster during
upgrade.
After upgrade to FortiManager 7.0.0 completes, you cannot enable FortiAnalyzer Features on any FortiManager nodes
that are part of an HA cluster, and the FortiAnalyzer Features option is hidden in the GUI.
This topic describes how to disable FortiAnalyzer Features before starting the upgrade.
ADOM version 6.2: Supported. The ADOM can contain FortiGates running FortiOS 6.2 and 6.4. No action is required before upgrading FortiManager to 7.0.8.
The global database ADOM supports its own version plus one version. For example, if the
global database ADOM version is 6.4, the global database ADOM can manage version 6.4
and 7.0, but not 6.2.
If necessary, you should upgrade the global database ADOM after all the ADOMs that are
using a global policy package have been upgraded.
See also FortiManager Administration Guide > Global database version.
Although each ADOM version supports FortiGates running multiple versions of FortiOS, it is recommended to use the
same ADOM and FortiOS versions for optimal syntax support. For example, it is recommended to use ADOM version 6.4
for FortiGates running FortiOS 6.4.
The following procedure describes how to upgrade ADOM 6.0 to 6.2 by first upgrading all FortiGates to FortiOS 6.2 or
later. Although this procedure is recommended, it is not required. You can upgrade ADOM 6.0 to 6.2 without first
upgrading the FortiGates.
See also FortiManager Administration Guide > Using mixed versions in ADOMs.
1. In the older version ADOM, upgrade one of the FortiGate units to FortiOS 6.2 or later, and then resynchronize the
device.
All the ADOM objects, including Policy Packages, remain as objects for the earlier version.
2. Upgrade the remaining FortiGate units in the older version ADOMs to FortiOS 6.2 or later.
3. Upgrade the ADOM to version 6.2 or later.
a. Ensure that you are logged into FortiManager as a super user administrator.
b. Go to System Settings > All ADOMs.
c. Select an ADOM, and then select More > Upgrade from the toolbar.
d. Click OK in the confirmation dialog box to upgrade the ADOM.
All the database objects are converted to the new version’s format and the GUI content for the ADOM changes to
reflect the new version’s features and behavior.
4. If the Global database ADOM is an unsupported version, upgrade to a supported ADOM version.
You can download release notes and firmware images from the Fortinet Customer Service & Support portal at
https://support.fortinet.com. If you are using SNMP to monitor equipment, you can also download MIB files from the
Fortinet Customer Service & Support portal.
This section contains the following topics:
• Downloading release notes and firmware images on page 8
• Downloading MIB files for SNMP on page 9
• FortiManager firmware images on page 10
• FortiManager VM firmware images on page 10
• Build numbers on page 10
Release notes are available for download from the Fortinet Customer Service & Support portal
(https://support.fortinet.com/).
Firmware images can be downloaded from the following locations:
• FortiGuard: From the FortiManager GUI, you can view the recommended firmware upgrade path, download the firmware from FortiGuard, and upgrade the firmware.
• Fortinet Customer Service & Support portal: Firmware images are organized by firmware version, major release, and patch release. You can download the firmware image, and then upload the firmware image to the FortiManager GUI.
This section describes how to download firmware images from the Fortinet Customer Service & Support portal. For
information about downloading firmware images from FortiGuard, see Upgrading FortiManager Firmware on page 19.
For information about the naming convention of firmware images and VM firmware images, see FortiManager firmware
images on page 10, FortiManager VM firmware images on page 10, and Build numbers on page 10.
If you are not using SNMP to monitor equipment, you can skip this procedure.
If you are using SNMP to monitor equipment, download the following MIB file from the Fortinet Customer Service &
Support portal:
• FORTINET-FORTIMANAGER-FORTIANALYZER-MIB.mib, which is used with both FortiManager and FortiAnalyzer
The firmware images in the folders follow a specific naming convention, and each firmware image is specific to the
device model or VM.
For example, the FMG_2000E-v7.0.3-build0254-FORTINET.out image found in the
/FortiManager/v7.00/7.0/7.0.0/ folder is specific to the FortiManager 2000E device model.
Build numbers
Firmware images are generally documented by build number. New models may be released from a branch of the regular
firmware release; in that case, the build number shown in the System Settings > Dashboard > System Information widget,
and in the output of the get system status CLI command, is the branch's four-digit build number rather than the regular
build number.
To confirm that you are running the proper build, check the Branch Point field in the output of the get system status
CLI command, which displays the regular build number.
Ensure that FortiManager 7.0.8 can run on your FortiManager model. See Supported Models on page 27.
After you download the release notes for FortiManager 7.0.8, review the special notices, upgrade information, product
integration and support, resolved issues, and known issues.
Plan a maintenance window to complete the firmware upgrade. If possible, you may want to set up a test environment to
ensure that the upgrade does not negatively impact your network or managed devices.
Prepare your device for upgrade by installing any pending configurations, and ensure that your managed devices are
running the appropriate firmware versions as documented in the firmware Release Notes.
Before starting an upgrade, use the Device Manager pane to review the status of all managed devices to ensure they
have a status of In Sync.
Either correct devices without an In Sync status or make note of them prior to starting the upgrade.
Following is an example of the Device Manager pane:
Also, you can use the following CLI commands to gather detailed properties of managed devices, device groups, or
ADOMs. The example output that follows highlights the important properties and attributes.
• diagnose dvm adom list
• diagnose dvm device list
• diagnose dvm group list
Following is an example of the CLI output for the diagnose dvm adom list command:
# diagnose dvm adom list
There are currently 26 ADOMs:
OID STATE PRODUCT OSVER MR NAME MODE VPN MANAGEMENT IPS
...
...
239 enabled FOS 5.0 4 54-ADOM Normal Policy & Device VPNs 10.00032 (regular)
141 enabled FOS 5.0 4 54-VPN Normal Central VPN Console 6.00741 (regular)
...
...
---End ADOM list---
The following properties should be the same before and after the upgrade:
• Total number of ADOMs.
• Name of each ADOM.
• VPN management mode. There are two VPN management modes: Policy & Device VPNs or Central VPN Console.
Following is an example of the CLI output for the diagnose dvm device list command:
# diagnose dvm device list
--- There are currently 16 devices/vdoms managed ---
TYPE OID SN HA IP NAME ADOM IPS
...
...
fmg/faz enabled 448 FGVM020000058807 - 10.3.121.82 FGVM82 54-VPN 6.00741 (regular)
|- STATUS: db: modified; conf: in sync; cond: OK; dm: retrieved; conn: up
|- vdom:[3]root flags:0 adom:54-VPN pkg:[modified]pp_vpn_v1
fmg/faz enabled 317 FGVM02Q105060033 - 10.3.121.92 FGVM92 54-ADOM 6.00741 (regular)
|- STATUS: db: not modified; conf: out of sync; cond: unknown; dm: autoupdated; conn: down
|- vdom:[3]root flags:1 adom:54-ADOM pkg:[unknown]VM92_root
...
...
--- End device list ---
This command shows the total number of devices or VDOMs, the configuration status of devices and policy packages,
and the connection status. The number of managed devices or VDOMs should be the same before and after the
upgrade.
• If the device configuration or policy package status (db) is modified, we recommend installing the changes before upgrading.
• The policy package status (pkg) shows if there is any pending package change on a policy package that has been linked to a device or VDOM. This status can be modified, never-installed, or unknown.
• The connection status (conn) is either up or down.
Following is an example of the CLI output for the diagnose dvm group list command:
The number of groups and their members should be the same before and after the upgrade.
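The checks described above can be automated against captured CLI output. The following Python script is an added example by the editor, not part of this guide or a Fortinet tool: it parses `diagnose dvm adom list` and `diagnose dvm device list` output (captured, for example, over SSH to a text file), reports devices whose configuration is not in sync, whose connection is down, or that have a modified database or pending policy package, and compares a pre-upgrade capture with a post-upgrade capture on the properties listed above (ADOM count, ADOM names, VPN management mode, device count). The captures embedded in the script are constructed from the samples in this section; the column layout, and the assumption that ADOM, device and VDOM names contain no spaces, come from those samples rather than from any Fortinet specification.

```python
"""Added example (this editor's code, not Fortinet's): parse `diagnose dvm adom list`
and `diagnose dvm device list` output, report devices that are not ready for the
upgrade, and diff a pre-upgrade capture against a post-upgrade capture."""
import re

# Constructed captures modelled on the samples in this section (not real output).
ADOM_LIST_BEFORE = """\
# diagnose dvm adom list
There are currently 2 ADOMs:
OID STATE PRODUCT OSVER MR NAME MODE VPN MANAGEMENT IPS
239 enabled FOS 5.0 4 54-ADOM Normal Policy & Device VPNs 10.00032 (regular)
141 enabled FOS 5.0 4 54-VPN Normal Central VPN Console 6.00741 (regular)
---End ADOM list---
"""
# Constructed "after" capture in which 54-VPN has changed VPN management mode.
ADOM_LIST_AFTER = ADOM_LIST_BEFORE.replace(
    "54-VPN Normal Central VPN Console", "54-VPN Normal Policy & Device VPNs")
DEVICE_LIST = """\
# diagnose dvm device list
--- There are currently 2 devices/vdoms managed ---
TYPE OID SN HA IP NAME ADOM IPS
fmg/faz enabled 448 FGVM020000058807 - 10.3.121.82 FGVM82 54-VPN 6.00741 (regular)
|- STATUS: db: modified; conf: in sync; cond: OK; dm: retrieved; conn: up
|- vdom:[3]root flags:0 adom:54-VPN pkg:[modified]pp_vpn_v1
fmg/faz enabled 317 FGVM02Q105060033 - 10.3.121.92 FGVM92 54-ADOM 6.00741 (regular)
|- STATUS: db: not modified; conf: out of sync; cond: unknown; dm: autoupdated; conn: down
|- vdom:[3]root flags:1 adom:54-ADOM pkg:[unknown]VM92_root
--- End device list ---
"""

# Assumption: ADOM, device and VDOM names contain no whitespace; the VPN
# management column is the only multi-word field in the ADOM rows.
ADOM_RE = re.compile(
    r"^(?P<oid>\d+)\s+(?P<state>\S+)\s+(?P<product>\S+)\s+(?P<osver>\S+)\s+"
    r"(?P<mr>\d+)\s+(?P<name>\S+)\s+(?P<mode>\S+)\s+(?P<vpn>.+?)\s+"
    r"(?P<ips>\S+)\s+\((?P<ips_type>\w+)\)$")
DEVICE_RE = re.compile(
    r"^(?P<type>\S+)\s+(?P<state>\S+)\s+(?P<oid>\d+)\s+(?P<sn>\S+)\s+(?P<ha>\S+)\s+"
    r"(?P<ip>\S+)\s+(?P<name>\S+)\s+(?P<adom>\S+)\s+(?P<ips>\S+)\s+\((?P<ips_type>\w+)\)$")
STATUS_RE = re.compile(r"^\|- STATUS:\s*(?P<body>.+)$")
VDOM_RE = re.compile(
    r"^\|- vdom:\[(?P<oid>\d+)\](?P<name>\S+)\s+flags:(?P<flags>\d+)\s+"
    r"adom:(?P<adom>\S+)\s+pkg:\[(?P<pkg_status>[^\]]+)\](?P<pkg>\S+)$")
PENDING_PKG = ("modified", "never-installed", "unknown")


def parse_adom_list(text):
    """Map ADOM name -> column dict (oid, state, vpn, ...)."""
    rows = (ADOM_RE.match(ln.strip()) for ln in text.splitlines())
    return {m["name"]: m.groupdict() for m in rows if m}


def parse_device_list(text):
    """Map device serial -> columns plus 'status' (db/conf/cond/dm/conn) and 'vdoms'."""
    devices, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := DEVICE_RE.match(line):
            cur = dict(m.groupdict(), status={}, vdoms=[])
            devices[cur["sn"]] = cur
        elif (m := STATUS_RE.match(line)) and cur is not None:
            for field in m["body"].split(";"):
                key, _, value = field.partition(":")
                cur["status"][key.strip()] = value.strip()
        elif (m := VDOM_RE.match(line)) and cur is not None:
            cur["vdoms"].append(m.groupdict())
    return devices


def readiness_findings(devices):
    """Conditions this section says to fix or note before starting the upgrade."""
    out = []
    for sn, d in devices.items():
        st, tag = d["status"], f"{d['name']} ({sn})"
        if st.get("conf") != "in sync":
            out.append(f"{tag}: conf is '{st.get('conf')}', expected 'in sync'")
        if st.get("conn") != "up":
            out.append(f"{tag}: connection is '{st.get('conn')}'")
        if st.get("db") == "modified":
            out.append(f"{tag}: device db modified, install changes before upgrading")
        out += [f"{tag} vdom {v['name']}: package {v['pkg']} is {v['pkg_status']}"
                for v in d["vdoms"] if v["pkg_status"] in PENDING_PKG]
    return out


def compare_captures(adoms_before, adoms_after, devs_before, devs_after):
    """Differences in ADOM count/names/VPN mode and device count/identity."""
    diffs = []
    if len(adoms_before) != len(adoms_after):
        diffs.append(f"ADOM count changed: {len(adoms_before)} -> {len(adoms_after)}")
    diffs += [f"ADOM only on one side: {n}" for n in sorted(set(adoms_before) ^ set(adoms_after))]
    for n in sorted(set(adoms_before) & set(adoms_after)):
        b, a = adoms_before[n]["vpn"], adoms_after[n]["vpn"]
        if b != a:
            diffs.append(f"ADOM {n}: VPN management mode changed: {b} -> {a}")
    if len(devs_before) != len(devs_after):
        diffs.append(f"device/VDOM count changed: {len(devs_before)} -> {len(devs_after)}")
    diffs += [f"device only on one side: {sn}" for sn in sorted(set(devs_before) ^ set(devs_after))]
    return diffs


if __name__ == "__main__":
    devs = parse_device_list(DEVICE_LIST)
    print("\n".join(readiness_findings(devs)) or "all devices ready")
    print("\n".join(compare_captures(parse_adom_list(ADOM_LIST_BEFORE),
                                     parse_adom_list(ADOM_LIST_AFTER), devs, devs)))
```

Run it once before the maintenance window and once after the upgrade against the new captures; an empty list from compare_captures is the expected result, and anything it prints is a device or ADOM to investigate before installing policy packages.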
Before upgrading, it is recommended that you check the integrity of FortiManager databases using the following CLI
commands. If you find any errors, you can fix the errors before the upgrade.
• If you need to fix database errors, back up before making any changes. See Backing up configuration files and databases on page 17.
• Before running integrity check commands, ensure only one admin is logged in and no objects are locked.
• If workspace mode is enabled, you must unlock all ADOMs before running any integrity commands. For information on workspace mode, see the FortiManager Administration Guide.
Check the integrity of the Policy Manager database by using the following command:
diagnose pm2 check-integrity all
The diagnose pm2 check-integrity all command only detects errors. It cannot
correct errors. If any errors are found, the only option is to restore from the last good backup
before upgrading.
Check the integrity of the Device Manager database by using the following command:
diagnose dvm check-integrity
Check the integrity of ADOM configurations in the database by using the following command:
diagnose cdb check adom-integrity
This command does not work on version 5.4.3 or versions earlier than 5.2.11.
Check the integrity of the policy packages by using the following command:
diagnose cdb check policy-packages
Check the integrity of object configuration database, reference table, ADOM database, DVM database, and invalid policy
package and template installation targets by using the following command:
diag cdb upgrade check +all
Example
Checking: Resync and add any missing vdoms from device database to DVM database
No error found.
Make sure your VM partition has more than 1024MB and your VM server is up to date.
To view the flash disk size of your VM, enter the following command in the FortiManager CLI and review the value for the
first hard disk (SDA):
diagnose system print partitions
For example:
diagnose system print partitions
major minor #blocks name fstype
1 0 4096 ram0
1 1 4096 ram1
1 2 4096 ram2
1 3 4096 ram3
7 0 10240 loop0 ext2
8 0 2097152 sda
8 1 1048576 sda1 ext3
8 16 83886080 sdb
8 32 1073741824 sdc
253 0 1157619712 dm-0
You can increase the size by shutting down the VM, editing the VM hardware to increase the size of the first hard disk,
and then restarting the VM.
For more information about FortiManager VM, see documentation for FortiManager Private Cloud and FortiManager
Public Cloud.
When the database is larger than 2.8 GB, back up the configuration file to an FTP, SFTP, or SCP server using the following CLI command:
execute backup all-settings {ftp | sftp} <ip> <path/filename of server> <username on server> <password> <crptpasswd>
execute backup all-settings scp <ip> <path/filename of server> <SSH certificate> <crptpasswd>
For more information, see the FortiManager CLI Reference.
If you encrypt the backup file, you must use the same password to restore this backup file.
1. Back up your system configuration and save the backup file on your local computer.
2. Go to System Settings > Event Log.
3. Locate the system event that was logged as a result of the backup operation from the Event Log table. You may use
the Add Filter button from the toolbar above to simplify locating the logged event entry.
4. Verify the MD5 checksum from the Message column of the logged event entry, and compare it to the MD5
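The following Python snippet is an added example by the editor (not Fortinet's code) of the comparison in step 4: it hashes the downloaded backup file and matches the result against the MD5 found in the Event Log message. The backup contents and the event messages in the script are constructed; the exact wording of the real Event Log message is not reproduced, only the assumption that it contains the checksum as a 32-character hexadecimal string.

```python
"""Added example (this editor's code, not Fortinet's): verify a downloaded
FortiManager backup file against the MD5 checksum recorded in the Event Log
entry for the backup operation."""
import hashlib
import os
import re
import tempfile

MD5_RE = re.compile(r"\b([0-9a-fA-F]{32})\b")


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so a large backup need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def md5_from_event_message(message):
    """Extract the 32-hex-digit MD5 from the Message column of the Event Log entry.
    Assumption: the checksum appears as a bare hex string; the surrounding wording of
    the real FortiManager message is not reproduced here."""
    m = MD5_RE.search(message)
    return m.group(1).lower() if m else None


def verify_backup(path, event_message):
    """True when the file's MD5 equals the checksum FortiManager logged for the backup."""
    expected = md5_from_event_message(event_message)
    if expected is None:
        raise ValueError("event message does not contain an MD5 checksum")
    return md5_of_file(path) == expected


def demo():
    """Constructed backup file and event messages (not real FortiManager data)."""
    data = b"constructed FortiManager backup contents"
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(data)
        path = fh.name
    try:
        logged = f"Backup all settings (constructed message) MD5={hashlib.md5(data).hexdigest()}"
        wrong = "Backup all settings (constructed message) MD5=" + "0" * 32
        return verify_backup(path, logged), verify_backup(path, wrong)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

A matching MD5 shows the download was not truncated or corrupted in transit; it is not a tamper check, since anyone able to modify the stored backup could modify the logged message too. Keep the backup file, and the encryption password if you set one, where a compromised FortiManager cannot reach them.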
In VM environments, it is recommended to stop the VM instance and take a snapshot or clone of the VM instance before
the upgrade. If there are issues with the upgrade, you can revert to the VM snapshot or clone.
Avoid taking snapshots when applications in the virtual machine are communicating with other
computers.
When upgrading firmware, all ADOMs (and Policy Package versions, if ADOMs are disabled)
remain at the same version after the upgrade. For information about upgrading ADOMs, see
the FortiManager Administration Guide.
Upgrading the device firmware can trigger an SQL database rebuild. During the database
rebuild, new logs are inserted into the database and can be viewed, but existing logs are not
available until the rebuild is complete. The time required to rebuild the database depends on
the size of the database. You can use the diagnose sql status rebuild-db command
to display the SQL log database rebuild status.
This section describes how to upgrade FortiManager firmware. You can use the following methods to upgrade firmware:
• From the FortiManager GUI, download the firmware from FortiGuard and upgrade the unit.
• From the FortiManager GUI, upload the firmware that you previously downloaded from the Customer Service & Support portal.
Fortinet recommends uploading firmware to FortiManager by using a server that is in the same
location as the FortiManager. This helps avoid timeouts.
After updating FortiManager firmware, you should update the following items in the following order:
1. Update firmware for managed FortiGates.
FortiManager automatically retrieves the FortiGate configuration after upgrading FortiOS.
2. Upgrade the ADOM version as necessary.
3. Upgrade the global ADOM version as necessary.
For information about updating firmware for FortiGates and ADOM versions, see the FortiManager Administration
Guide.
1. In System Settings > Advanced > Advanced Settings, enable Offline Mode.
Offline mode stops automatic firmware updates during the upgrade.
2. Go to System Settings > Dashboard.
3. In the System Information widget, go to the Firmware Version field, and click the Upgrade Firmware icon.
4. Before upgrading your firmware, you can choose to enable or disable Backup Configuration. When this setting is
enabled, you will automatically download a backup copy of your FortiManager configuration when performing a
firmware upgrade. If you want to encrypt the backup file, enable Encryption, then type and confirm the password
you want to use. The password can be a maximum of 63 characters.
5. In the FortiGuard Firmware list, select the version of FortiManager for upgrade, and click OK.
The FortiGuard Firmware box displays all FortiManager firmware images available for upgrade. A green checkmark
displays beside the recommended image for FortiManager upgrade.
If you select an image without a green checkmark, a confirmation dialog box is displayed. Click OK to continue.
FortiManager downloads the firmware image from FortiGuard.
FortiManager uses the downloaded image to update its firmware, and then restarts.
It is recommended to view the console log output during upgrade. See Checking FortiManager log output on page
23.
6. When the login window displays, log into FortiManager.
When the upgrade completes, you might have to refresh your web browser to see the login
window.
To upgrade firmware using an image downloaded from the Customer Service & Support portal:
1. In System Settings > Advanced > Advanced Settings, enable Offline Mode.
Offline mode stops automatic firmware updates during the upgrade.
When the upgrade completes, you might have to refresh your web browser to see the login
window.
Optionally, you can upgrade firmware stored on an FTP or TFTP server using the following CLI command:
execute restore image {ftp | tftp} <file path to server> <IP of server> <username on server> <password>
For more information, see the FortiManager CLI Reference.
You can upgrade the firmware of an operating cluster using the GUI or CLI of the primary unit.
Starting with FortiManager 7.0.0, FortiAnalyzer Features must be disabled when FortiManager
HA is enabled. If you have FortiAnalyzer Features enabled on FortiManager, FortiAnalyzer
Features will be automatically disabled during upgrade to FortiManager to 7.0.0 or later.
Similar to upgrading the firmware of a standalone unit, normal operations are temporarily interrupted during the cluster
firmware upgrade. Therefore, you should upgrade the firmware during a maintenance window.
To upgrade an HA cluster:
1. Log into the GUI of the primary unit using the admin administrator account.
2. Upgrade the primary unit firmware. The upgrade is automatically synchronized between the primary device and
backup devices.
It is recommended to view the console log output during upgrade. See Checking FortiManager log output on page
23.
Administrators may not be able to connect to the GUI until the upgrade synchronization
process is completed. During the upgrade, SSH or telnet connections to the CLI may also be
slow. You can still use the console to connect to the CLI of the primary device.
While upgrading a FortiManager unit, use the console to check the log output in real-time. Check for any errors or
warnings.
Following is a sample console output with warnings or errors you might encounter during an upgrade:
Please stand by while rebooting the system.
Restarting system.
Serial number:FMG-VM0A11000137
Upgrading sample reports...Done.
Upgrading geography IP data...Done.
rebuilding log database (log storage upgrade)...
Prepare log data for SQL database rebuild...Done.
Global DB running version is 222, built-in DB schema version is 432
......
upgrading device ssl-vpn flags...done
upgrading scripts ...
Invalid schedule. The device 10160520 does not belong to script 136's adom
Invalid schedule. The device 33933609 does not belong to script 46's adom
Invalid schedule. The device 10515974 does not belong to script 46's adom
......
Invalid schedule. The device 1709397 does not belong to script 46's adom
Invalid schedule. The device 1709397 does not belong to script 46's adom
Invalid schedule. The device 1407292 does not belong to script 46's adom
upgrading scripts ... done
upgrading script log ...
Failed to upgrade some script logs. Please use "diagnose debug backup-oldformat-script-logs"
to upload the failed logs into a ftp server
upgrading script log ... done
Upgrading adom vpn certificate ca ...
......
Finish check-upgrade-objects [32923/49325]
Upgrade all DB version ...
Global DB running version is upgraded to 432
Database upgrade finished, using 846m11s
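To make a captured console log like the one above easier to review, the following Python script is an added example by the editor (not Fortinet's code): it counts the Invalid schedule warnings per script, collects the device IDs they name, records any line beginning with "Failed to", and confirms that the Global DB running version reached the built-in schema version. The embedded log is constructed from the sample above, and the duration format [Nh][Nm][Ns] is an assumption based on the 846m11s shown.

```python
"""Added example (this editor's code, not Fortinet's): scan a captured upgrade
console log for the warnings and errors shown in this section and summarize
the database upgrade outcome."""
import re
from collections import Counter

# Constructed log, copied from the sample console output in this section.
CONSOLE_LOG = """\
Please stand by while rebooting the system.
Restarting system.
Upgrading sample reports...Done.
Global DB running version is 222, built-in DB schema version is 432
upgrading scripts ...
Invalid schedule. The device 10160520 does not belong to script 136's adom
Invalid schedule. The device 33933609 does not belong to script 46's adom
Invalid schedule. The device 10515974 does not belong to script 46's adom
Invalid schedule. The device 1709397 does not belong to script 46's adom
Invalid schedule. The device 1709397 does not belong to script 46's adom
Invalid schedule. The device 1407292 does not belong to script 46's adom
upgrading scripts ... done
upgrading script log ...
Failed to upgrade some script logs. Please use "diagnose debug backup-oldformat-script-logs"
to upload the failed logs into a ftp server
upgrading script log ... done
Upgrade all DB version ...
Global DB running version is upgraded to 432
Database upgrade finished, using 846m11s
"""

INVALID_SCHEDULE_RE = re.compile(
    r"Invalid schedule\. The device (?P<device>\d+) does not belong to script (?P<script>\d+)'s adom")
FAILED_RE = re.compile(r"^Failed to\b")
SCHEMA_RE = re.compile(
    r"Global DB running version is (?P<running>\d+), built-in DB schema version is (?P<schema>\d+)")
UPGRADED_RE = re.compile(r"Global DB running version is upgraded to (?P<version>\d+)")
# Assumption: the duration is printed as [Nh][Nm][Ns]; the sample shows 846m11s.
DURATION_RE = re.compile(
    r"Database upgrade finished, using (?:(?P<h>\d+)h)?(?:(?P<m>\d+)m)?(?:(?P<s>\d+)s)?")


def summarize_console_log(text):
    """Collect per-script warning counts, orphaned device IDs, errors and DB versions."""
    s = {"invalid_schedules": Counter(), "orphaned_devices": set(), "failures": [],
         "db_running": None, "db_schema": None, "db_after": None, "duration_s": None}
    for line in text.splitlines():
        if m := INVALID_SCHEDULE_RE.search(line):
            s["invalid_schedules"][int(m["script"])] += 1
            s["orphaned_devices"].add(int(m["device"]))
        elif FAILED_RE.match(line):
            s["failures"].append(line.strip())
        elif m := SCHEMA_RE.search(line):
            s["db_running"], s["db_schema"] = int(m["running"]), int(m["schema"])
        elif m := UPGRADED_RE.search(line):
            s["db_after"] = int(m["version"])
        elif m := DURATION_RE.search(line):
            h, mi, sec = (int(m[g] or 0) for g in ("h", "m", "s"))
            s["duration_s"] = h * 3600 + mi * 60 + sec
    # The upgrade is complete only when the running version reached the built-in schema.
    s["db_upgrade_complete"] = s["db_after"] is not None and s["db_after"] == s["db_schema"]
    return s


def report(summary):
    """Human-readable lines; the first states whether the DB upgrade completed."""
    state = "complete" if summary["db_upgrade_complete"] else "INCOMPLETE"
    lines = [f"DB schema {summary['db_running']} -> {summary['db_after']} "
             f"(target {summary['db_schema']}): {state}"]
    if summary["duration_s"] is not None:
        lines.append(f"database upgrade took {summary['duration_s'] // 60} min "
                     f"{summary['duration_s'] % 60} s")
    for script, n in sorted(summary["invalid_schedules"].items()):
        lines.append(f"script {script}: {n} schedule(s) reference devices outside its ADOM")
    lines += [f"ERROR: {f}" for f in summary["failures"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize_console_log(CONSOLE_LOG))))
```

The Invalid schedule warnings point at script schedules whose target device is no longer in the script's ADOM; they are worth cleaning up after the upgrade but do not by themselves indicate a failed upgrade, whereas a missing "Global DB running version is upgraded to" line does.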
After upgrading, it is recommended to check all messages logged to the FortiManager Event Log. If you find any errors,
you can fix the errors before continuing.
Following is an example of messages in the FortiManager Event Log:
FortiManager does not provide a full downgrade path. You can downgrade to a previous firmware release using the GUI
or CLI, but this causes configuration loss. A system reset is required after the firmware downgrade. To reset the system,
use the following CLI commands via a console port connection:
execute reset {all-settings | all-except-ip}
execute format {disk | disk-ext4 | disk-ext3}
Once the upgrade is complete, check the FortiManager unit to ensure that the upgrade was successful. This section
describes items you should check.
This section contains the following topics:
• Checking Alert Message Console and notifications on page 25
• Checking managed devices on page 25
• Previewing changes for a policy package installation on page 26
After the FortiManager upgrade completes, check the Alert Message Console and list of notifications for any messages
that might indicate problems with the upgrade.
• In System Settings > Dashboard, check the Alert Message Console widget.
• Click the Notification icon and review any notifications.
For information on accessing system settings, see Reviewing FortiManager system resources and license information
on page 16.
After the FortiManager upgrade completes, check the managed devices in the GUI.
1. Refresh the browser and log back into the device GUI.
2. Go to Device Manager, and ensure that all formerly added devices are still listed.
3. In Device Manager, select each ADOM and ensure that managed devices reflect the appropriate connectivity state.
It might take some time for FortiManager to establish connectivity after the upgrade.
Following is an example of the quick status bar in Device Manager where you can check the connectivity status of
managed devices.
4. Launch other functional modules and make sure they work properly.
See Previewing changes for a policy package installation on page 26.
The first time that you install a policy package after the upgrade, use the Install Preview feature to ensure that only the
desired changes will be installed to the device.
The policy package must include a change to use the Install Preview feature.
Supported Models
FortiManager:
• FMG-200F
• FMG-200G
• FMG-300F
• FMG-400E
• FMG-400G
• FMG-1000F
• FMG-2000E
• FMG-3000F
• FMG-3000G
• FMG-3700F
• FMG-3700G
• FMG-3900E
FortiManager VM:
• FMG_DOCKER
• FMG-VM64
• FMG_VM64_ALI
• FMG-VM64-AWS
• FMG-VM64-Azure
• FMG-VM64-GCP
• FMG-VM64-HV (including Hyper-V 2016, 2019)
• FMG-VM64-IBM
• FMG-VM64-KVM
• FMG-VM64-OPC
• FMG-VM64-XEN (for both Citrix and Open Source Xen)
For information about FortiManager support for FortiOS, see the FortiManager Compatibility chart in the Document
Library at https://docs.fortinet.com/product/fortimanager/7.0.
Before upgrading your device, see details in the applicable releases notes.
If you are upgrading from FortiManager 7.0.0, upgrade to FortiManager 7.0.1, and then
upgrade to the latest 7.0 version. See also FortiManager 7.0.8 Release Notes > Special
Notices.
See Supported Models on page 27 for the list of models that are supported in FortiManager
7.0.8.
Supported models for previous versions can be found in the FortiManager Release Notes for
that version.
Note: FortiManager 7.0.8 does not support ADOM versions 6.0 and earlier. FortiManager 7.0.8 supports only ADOM
versions 6.2, 6.4, and 7.0.
6.2.0-6.2.3, 6.2.5-6.2.11
Copyright© 2023 Fortinet, Inc. All rights reserved.