After a long day of back-and-forth debugging, here are some takeaways from trying to deploy a FortiGate cluster with dedicated management interfaces:
FortiGates without a current support contract need to have the same firmware version already installed, and the firmware version enforced by FortiManager needs to be set to exactly that version. Otherwise the deployment fails.
Configuring a dedicated management interface with FortiManager 6.4.14 fails without a proper error message. Yes, we are currently stuck with 6.4; we still have a few 60D units running 6.0.x. And for some unknown reason Fortinet supports only two minor versions backwards. Maybe Fortinet will change this at some point and also provide error messages that say more than error code -1 and message null.
Please stop naming interfaces differently on every platform; portX or ethernet is just fine, there is no need to name them x1 / x2, ha or the like.
It would also be helpful to be able to copy VDOMs in FortiManager from one device to another, to disable devices, copy them, or have the option to start over with a device without accidentally deleting it from the manager.
Kudos to Check Point: an R81.20 SMS still supports some R74 gateways. SIC reset is awesome.
Purging the DHCP server on mgmt1 did not help.
Currently it is unclear how to set the IP address for the second node.
Under some circumstances the node loads the staging config from the USB stick again during the reboot after provisioning has finished.
A cluster can take some time, around 15 minutes, to start the deployment process.
- Set the FortiManager Serial Number
- Debug Commands
- Software Update via SSH
- FortiManager: look up a device over the CLI
- FortiManager: reclaim the device tunnel
- Backup config to a USB stick
- fnsysctl is not available as long as a USB stick is inserted
- Links
Set the FortiManager Serial Number
exe batch start
config system central-management
set type fortimanager
set fmg x.x.x.x
set serial "FMG-Serial-Number"
end
exe batch end
Debug Commands
FortiManager Debug Commands
diag debug service sys 255
diag debug application depmanager 255
diag debug enable
diag fwmanager fwm-log
diag debug application fgfmsd 255
On FortiGate
diagnose debug cli 8
diag debug application fgfmd 255
diag debug enable
Software Update via SSH
Enable SCP on the FortiGate
config system global
set admin-scp enable
end
scp FGT_1500D-v6.M-build2095-FORTINET.out admin@192.41.127.199:fgt-image
FGT_1500D-v6.M-build2095-FORTINET.out 100% 73MB 9.2MB/s 00:08
100-update image completed
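Before pushing an image with scp it is worth checking that it is the right file for the target: the first takeaway above is that the build must match the version FortiManager enforces, and the hash should match what the Fortinet support portal publishes. The following is an added example (not Fortinet tooling and not from the original post); the image naming pattern `FGT_<platform>-v<version>-build<NNNN>-FORTINET.out`, the expected build and the pinned SHA-256 are assumptions for illustration, and the sample "image" is a constructed byte string so the check runs offline.

```python
"""Pre-flight checks for a FortiOS image before uploading it with scp.

Added example, not Fortinet tooling. The file-name pattern, the enforced
build and the pinned SHA-256 are assumptions for illustration; in practice
the hash comes from the Fortinet support portal download page.
"""
import hashlib
import os
import re

# Assumed naming convention, modelled on FGT_1500D-v6.M-build2095-FORTINET.out
IMAGE_RE = re.compile(
    r"^(?P<platform>FGT_[A-Za-z0-9]+)-v(?P<version>[0-9A-Za-z.]+)"
    r"-build(?P<build>\d+)-FORTINET\.out$"
)


def parse_image_name(name):
    """Return platform, version and build (as int) taken from the image file name."""
    m = IMAGE_RE.match(name)
    if not m:
        raise ValueError(f"not a FortiOS image name: {name}")
    return {"platform": m["platform"], "version": m["version"], "build": int(m["build"])}


def verify_image(name, data, expected_platform, expected_build, expected_sha256):
    """Return a list of problems; an empty list means the image is safe to push.

    The build is compared against the version FortiManager enforces, because a
    mismatch is what makes the deployment fail on units without a support contract.
    """
    try:
        info = parse_image_name(name)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if info["platform"] != expected_platform:
        problems.append(f"platform {info['platform']} != {expected_platform}")
    if info["build"] != expected_build:
        problems.append(f"build {info['build']} != enforced build {expected_build}")
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256.lower():
        problems.append(f"sha256 {digest} != pinned {expected_sha256}")
    return problems


def verify_image_file(path, expected_platform, expected_build, expected_sha256):
    """Same check for an image on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    return verify_image(os.path.basename(path), data, expected_platform,
                        expected_build, expected_sha256)


def scp_command(path, host, user="admin"):
    """The upload command; 'fgt-image' is the FortiOS scp target (admin-scp must be enabled)."""
    return ["scp", path, f"{user}@{host}:fgt-image"]


# Constructed stand-in for an image so the check runs offline (not a real firmware file).
SAMPLE_NAME = "FGT_1500D-v6.M-build2095-FORTINET.out"
SAMPLE_IMAGE = b"not a real FortiOS image, constructed for this example\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()

if __name__ == "__main__":
    problems = verify_image(SAMPLE_NAME, SAMPLE_IMAGE, "FGT_1500D", 2095, SAMPLE_SHA256)
    if problems:
        raise SystemExit("refusing to upload: " + "; ".join(problems))
    print(" ".join(scp_command(SAMPLE_NAME, "192.41.127.199")))
```

The command is only built, not executed, so the script can be dropped in front of an existing upload step; wire `subprocess.run(scp_command(...), check=True)` in once the check returns an empty list.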
FortiManager: look up a device over the CLI
diagnose dvm device list
<device> Device name or OID.
FMG # diagnose dvm device list 482489
--- There are currently 445 devices/vdoms managed ---
--- There are currently 445 devices/vdoms count for license ---
TYPE OID SN HA IP NAME ADOM IPS FIRMWARE
fmgfaz-model 482489 SN1 a-p 10.41.127.199 FGT GL-RD-MGMT 6.00741 (extended) 6.0 MR4 (2095)
|- STATUS: dev-db: modified; conf: out of sync; cond: unknown; dm: unknown; conn: link-pending; template:[installed]Location EMEA
HA cluster member: SN1 (primary); conn: link-pending
HA cluster member: SN2 (secondary model); conn: link-pending
|- vdom:[3]root flags:0 adom: MGMT pkg:[installed]FW Management Policy cli:[installed]MGMT-VDOM
--- There are currently 0 FortiAP managed ---
--- There are currently 0 FortiSwitch managed ---
--- There are currently 0 FortiExtender managed ---
--- End device list ---
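Reading the STATUS lines by eye gets tedious with a few hundred devices, so here is an added example (not from the original post and not Fortinet code): a small parser for the `diagnose dvm device list` output format shown above that flags devices whose management tunnel is not up, whose config is out of sync, whose HA members are still pending, or whose firmware build differs from the one FortiManager enforces (the first takeaway above). The sample output is constructed in the same format; the second device and the enforced build 2095 are assumptions.

```python
"""Parse `diagnose dvm device list` output from FortiManager and flag devices
that are not ready for a deployment. Added example, not Fortinet code; the
sample is constructed to match the output format (second device invented).
"""
import re
from dataclasses import dataclass, field

DEVICE_RE = re.compile(
    r"^(?P<type>\S+)\s+(?P<oid>\d+)\s+(?P<sn>\S+)\s+(?P<ha>\S+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>\S+)\s+(?P<adom>\S+)\s+(?P<rest>.+)$"
)
# Trailing firmware column, e.g. "6.0 MR4 (2095)"; what precedes it is the IPS column.
FIRMWARE_RE = re.compile(r"(?P<ver>\d+\.\d+(?: MR\d+)?)\s+\((?P<build>\d+)\)\s*$")
STATUS_RE = re.compile(r"^\|- STATUS:\s*(?P<body>.*)$")
HA_MEMBER_RE = re.compile(
    r"^HA cluster member:\s*(?P<sn>\S+)\s*\((?P<role>[^)]*)\);\s*conn:\s*(?P<conn>\S+)"
)


@dataclass
class HAMember:
    serial: str
    role: str
    conn: str


@dataclass
class Device:
    oid: int
    serial: str
    ha: str
    ip: str
    name: str
    adom: str
    firmware: str
    build: int
    status: dict = field(default_factory=dict)   # key/value pairs of the STATUS line
    ha_members: list = field(default_factory=list)


def parse_device_list(text):
    """Turn the CLI listing into Device objects; header and '---' lines are skipped."""
    devices, current = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("---"):
            continue
        m = DEVICE_RE.match(line)
        if m:
            fw = FIRMWARE_RE.search(m["rest"])
            current = Device(oid=int(m["oid"]), serial=m["sn"], ha=m["ha"], ip=m["ip"],
                             name=m["name"], adom=m["adom"],
                             firmware=fw["ver"] if fw else "",
                             build=int(fw["build"]) if fw else -1)
            devices.append(current)
        elif current is None:
            continue  # column header before the first device
        elif (m := STATUS_RE.match(line)):
            for part in m["body"].split(";"):
                key, _, value = part.partition(":")
                if key.strip():
                    current.status[key.strip()] = value.strip()
        elif (m := HA_MEMBER_RE.match(line)):
            current.ha_members.append(HAMember(m["sn"], m["role"], m["conn"]))
    return devices


def check(devices, enforced_build=None):
    """Return {device name: [reasons]} for devices that would block a rollout."""
    issues = {}
    for d in devices:
        found = []
        conn = d.status.get("conn", "unknown")
        if conn != "up":
            found.append(f"management tunnel {conn}")
        conf = d.status.get("conf", "unknown")
        if conf != "in sync":
            found.append(f"config {conf}")
        if enforced_build is not None and d.build != enforced_build:
            found.append(f"build {d.build} != enforced build {enforced_build}")
        for m in d.ha_members:
            if m.conn != "up":
                found.append(f"HA member {m.serial} ({m.role}) {m.conn}")
        if found:
            issues[d.name] = found
    return issues


# Constructed sample in the format of the listing above; FGT2 is invented.
SAMPLE = """\
--- There are currently 445 devices/vdoms managed ---
TYPE OID SN HA IP NAME ADOM IPS FIRMWARE
fmgfaz-model 482489 SN1 a-p 10.41.127.199 FGT GL-RD-MGMT 6.00741 (extended) 6.0 MR4 (2095)
|- STATUS: dev-db: modified; conf: out of sync; cond: unknown; dm: unknown; conn: link-pending; template:[installed]Location EMEA
HA cluster member: SN1 (primary); conn: link-pending
HA cluster member: SN2 (secondary model); conn: link-pending
|- vdom:[3]root flags:0 adom: MGMT pkg:[installed]FW Management Policy cli:[installed]MGMT-VDOM
fmgfaz-managed 482490 SN3 standalone 10.41.127.200 FGT2 GL-RD-MGMT 6.00741 (extended) 6.0 MR4 (2099)
|- STATUS: dev-db: not modified; conf: in sync; cond: OK; dm: none; conn: up; template:[installed]Location EMEA
--- End device list ---
"""

if __name__ == "__main__":
    for name, reasons in check(parse_device_list(SAMPLE), enforced_build=2095).items():
        print(f"{name}: " + "; ".join(reasons))
```

Feed it the real listing with `parse_device_list(open("devlist.txt").read())`; a device reported as `link-pending` here is the one to try the tunnel reclaim on.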
FortiManager: reclaim the device tunnel
execute fgfm reclaim-dev-tunnel DEVNAME force <USER> <PASS>
Backup config to a USB stick
execute backup full-config usb [filename]
fnsysctl is not available as long as a USB stick is inserted
fnsysctl
fnsysctl cannot be executed when external USB disk is inserted.
Links
- https://community.fortinet.com/t5/FortiManager/Technical-Tip-ZTP-basic-configuration-and-troubleshooting-for-a/ta-p/211735
- https://community.fortinet.com/t5/FortiManager/Technical-Tip-ZTP-basic-configuration-and-troubleshooting-for-a/ta-p/211765
- https://docs.fortinet.com/document/fortimanager/7.4.3/cli-reference/861511/fgfm
