Fortinet black logo

Checking FortiManager databases

Checking FortiManager databases

Before upgrading, it is recommended that you check the integrity of FortiManager databases using the following CLI commands. If you find any errors, you can fix the errors before the upgrade.

  • If you need to fix database errors, back up before making any changes. See Backing up configuration files and databases.
  • Before running integrity check commands, ensure only one admin is logged in and no objects are locked.
  • If workspace mode is enabled, you must unlock all ADOMs before running any integrity commands. For information on workspace mode, see the FortiManager Administration Guide.

This section starts with CLI commands that you can use for all versions of FortiManager. However, some of the CLI commands listed later in this section are available only for some versions of FortiManager. The following sections identify CLI commands that are version-dependent:

diagnose pm2 check-integrity all

Check the integrity of the Policy Manager database by using the following command:

diagnose pm2 check-integrity all.

The diagnose pm2 check-integrity all command only detects errors. It cannot correct errors. If any errors are found, the only option is to restore from the last good backup before upgrading.

Example 1 with error:

FMG-VM64 # diagnose pm2 check-integrity all

--- pragma integrity_check adom db ---

Error: database disk image is malformed

pragma integrity_check fails: /var/pm2/adom153

>>> total: 10 failed: 1

Example 2 without error:

FMG-VM64 # diagnose pm2 check-integrity all

--- pragma integrity_check adom db ---

--- total: 15 ok.

--- pragma integrity_check device db ---

--- total: 1 ok.

--- pragma integrity_check global db ---

--- total: 2 ok.

--- pragma integrity_check ips db ---

--- total: 3 ok.

--- pragma integrity_check task db ---

--- total: 1 ok.

--- pragma integrity_check ncmdb db ---

--- total: 18 ok.

diagnose dvm check-integrity

Check the integrity of the Device Manager database by using the following command:

diagnose dvm check-integrity.

Example 1 with error:

FMG-VM64 # diagnose dvm check-integrity

[1/8] Checking object memberships ... correct

[2/8] Checking device nodes ... 0 change(s) will be made (263 error(s))

[3/8] Checking device vdoms ...

...

The above changes will be made to the database, however it is recommended to perform a backup first.

Do you want to continue? (y/n)

Example 2 without error:

FMG-VM64 # diagnose dvm check-integrity

[1/8] Checking object memberships ... correct

[2/8] Checking device nodes ... correct

[3/8] Checking device vdoms ... correct

[4/8] Checking duplicate device vdoms ... correct

[5/8] Checking device ADOM memberships ... correct

[6/8] Checking groups ... correct

[7/8] Checking group membership ... correct

[8/8] Checking task database ... correct

diagnose cdb check adom-integrity

Check the integrity of ADOM configurations in the database by using the following command:

diagnose cdb check adom-integrity.

This command does not work on version 5.4.3 or versions earlier than 5.2.11.

Example 1 with error:

FMG-VM64 # diagnose cdb check adom-integrity

General updating - adom FWF_LAB ... ..100% Ready to update

General updating - adom FWF_Root ... ..100% Ready to update

General updating - adom root ... ..100% An error has occured: (errno=33):duplicate

If the update check returns an error, please contact Fortinet Support for assistance.

Example 2 without error:

FMG-VM64 # diagnose cdb check adom-integrity

General updating - adom FWF_Root ... .......90%..100% Ready to update

General updating - adom FWF_ADOM_50 ... .......90%..100% Ready to update

General updating - adom FWF_ADOM_52 ... ...........90%..100% % Ready to update

General updating - adom root ... ...100% Ready to update

diagnose cdb check policy-packages

Check the integrity of the policy packages by using the following command:

diagnose cdb check policy-packages.

Example 1 with error:

FMG-VM64 # diagnose cdb check policy-packages

Adom VPNConsole

[1/4] Checking Scope ... correct

[2/4] Checking Dynamic mappings ... 2 change(s) will be made

[3/4] Checking Policy package settings ... correct

[4/4] Checking Undeleted objs ... correct

Adom root

[1/4] Checking Scope ... correct

[2/4] Checking Dynamic mappings ... correct

[3/4] Checking Policy package settings ... correct

[4/4] Checking Undeleted objs ... correct

The above change(s) will be made to the database, however it is recommended to perform a backup first.

Do you want to continue? (y/n)

Example 2 without error:

FMG-VM64 # diagnose cdb check policy-packages

Adom FG54

[1/4] Checking Scope ... correct

[2/4] Checking Dynamic mappings ... correct

[3/4] Checking Policy package settings ... correct

[4/4] Checking Undeleted objs ... correct

Adom root

[1/4] Checking Scope ... correct

[2/4] Checking Dynamic mappings ... correct

[3/4] Checking Policy package settings ... correct

[4/4] Checking Undeleted objs ... correct

When upgrading from 5.6.1 and later

This section describes the commands that you can use when upgrading to FortiManager 6.0.7 from 5.6.1 and later versions.

diagnose cdb upgrade check +all

Check the integrity of object configuration database, reference table, ADOM database, DVM database, and invalid policy package and template installation targets by using the following command:

diag cdb upgrade check +all

This command does not work on version 5.6.0 or earlier.

Example

FMG-VM64 # diag cdb upgrade check +all

Checking: Object config database integrity

No error found.

Checking: Reference table integrity

No error found.

Checking: Repair invalid object sequence

No error found.

Checking: Reassign duplicated uuid in ADOM database

No error found.

Checking: Resync and add any missing vdoms from device database to DVM database

No error found.

Checking: Invalid policy package and template install target

No error found.

When upgrading from 5.6.0

This section describes the commands that you can use when upgrading to FortiManager 6.0.7 from 5.6.0.

diagnose cdb check objcfg-integrity

Check the integrity of the object configuration database table by using the following command:

diagnose cdb check objcfg-integrity.

Example:

FMG-VM64 # diagnose cdb check objcfg-integrity

Checking object config database table columns ... correct

diagnose cdb check reference-integrity

Check the integrity of the ADOM reference table by using the following command:

diagnose cdb check reference-integrity.

Example:

FMG-VM64 # diagnose cdb check reference-integrity

Checking reference table integrity ... correct

Checking FortiManager databases

Before upgrading, it is recommended that you check the integrity of FortiManager databases using the following CLI commands. If you find any errors, you can fix the errors before the upgrade.

  • If you need to fix database errors, back up before making any changes. See Backing up configuration files and databases.
  • Before running integrity check commands, ensure only one admin is logged in and no objects are locked.
  • If workspace mode is enabled, you must unlock all ADOMs before running any integrity commands. For information on workspace mode, see the FortiManager Administration Guide.

This section starts with CLI commands that you can use for all versions of FortiManager. However, some of the CLI commands listed later in this section are available only for some versions of FortiManager. The following sections identify CLI commands that are version-dependent:

diagnose pm2 check-integrity all

Check the integrity of the Policy Manager database by using the following command:

diagnose pm2 check-integrity all.

The diagnose pm2 check-integrity all command only detects errors. It cannot correct errors. If any errors are found, the only option is to restore from the last good backup before upgrading.

Example 1 with error:

FMG-VM64 # diagnose pm2 check-integrity all

--- pragma integrity_check adom db ---

Error: database disk image is malformed

pragma integrity_check fails: /var/pm2/adom153

>>> total: 10 failed: 1

Example 2 without error:

FMG-VM64 # diagnose pm2 check-integrity all

--- pragma integrity_check adom db ---

--- total: 15 ok.

--- pragma integrity_check device db ---

--- total: 1 ok.

--- pragma integrity_check global db ---

--- total: 2 ok.

--- pragma integrity_check ips db ---

--- total: 3 ok.

--- pragma integrity_check task db ---

--- total: 1 ok.

--- pragma integrity_check ncmdb db ---

--- total: 18 ok.

diagnose dvm check-integrity

Check the integrity of the Device Manager database by using the following command:

diagnose dvm check-integrity.

Example 1 with error:

FMG-VM64 # diagnose dvm check-integrity

[1/8] Checking object memberships ... correct

[2/8] Checking device nodes ... 0 change(s) will be made (263 error(s))

[3/8] Checking device vdoms ...

...

The above changes will be made to the database, however it is recommended to perform a backup first.

Do you want to continue? (y/n)

Example 2 without error:

FMG-VM64 # diagnose dvm check-integrity

[1/8] Checking object memberships ... correct

[2/8] Checking device nodes ... correct

[3/8] Checking device vdoms ... correct

[4/8] Checking duplicate device vdoms ... correct

[5/8] Checking device ADOM memberships ... correct

[6/8] Checking groups ... correct

[7/8] Checking group membership ... correct

[8/8] Checking task database ... correct

diagnose cdb check adom-integrity

Check the integrity of ADOM configurations in the database by using the following command:

diagnose cdb check adom-integrity.

This command does not work on version 5.4.3 or versions earlier than 5.2.11.

Example 1 with error:

FMG-VM64 # diagnose cdb check adom-integrity

General updating - adom FWF_LAB ... ..100% Ready to update

General updating - adom FWF_Root ... ..100% Ready to update

General updating - adom root ... ..100% An error has occured: (errno=33):duplicate

If the update check returns an error, please contact Fortinet Support for assistance.

Example 2 without error:

FMG-VM64 # diagnose cdb check adom-integrity

General updating - adom FWF_Root ... .......90%..100% Ready to update

General updating - adom FWF_ADOM_50 ... .......90%..100% Ready to update

General updating - adom FWF_ADOM_52 ... ...........90%..100% % Ready to update

General updating - adom root ... ...100% Ready to update

diagnose cdb check policy-packages

Check the integrity of the policy packages by using the following command:

diagnose cdb check policy-packages.

Example 1 with error:

FMG-VM64 # diagnose cdb check policy-packages

Adom VPNConsole

[1/4] Checking Scope ... correct

[2/4] Checking Dynamic mappings ... 2 change(s) will be made

[3/4] Checking Policy package settings ... correct

[4/4] Checking Undeleted objs ... correct

Adom root

[1/4] Checking Scope ... correct

[2/4] Checking Dynamic mappings ... correct

[3/4] Checking Policy package settings ... correct

[4/4] Checking Undeleted objs ... correct

The above change(s) will be made to the database, however it is recommended to perform a backup first.

Do you want to continue? (y/n)

Example 2 without error:

FMG-VM64 # diagnose cdb check policy-packages

Adom FG54

[1/4] Checking Scope ... correct

[2/4] Checking Dynamic mappings ... correct

[3/4] Checking Policy package settings ... correct

[4/4] Checking Undeleted objs ... correct

Adom root

[1/4] Checking Scope ... correct

[2/4] Checking Dynamic mappings ... correct

[3/4] Checking Policy package settings ... correct

[4/4] Checking Undeleted objs ... correct

When upgrading from 5.6.1 and later

This section describes the commands that you can use when upgrading to FortiManager 6.0.7 from 5.6.1 and later versions.

diagnose cdb upgrade check +all

Check the integrity of object configuration database, reference table, ADOM database, DVM database, and invalid policy package and template installation targets by using the following command:

diag cdb upgrade check +all

This command does not work on version 5.6.0 or earlier.

Example

FMG-VM64 # diag cdb upgrade check +all

Checking: Object config database integrity

No error found.

Checking: Reference table integrity

No error found.

Checking: Repair invalid object sequence

No error found.

Checking: Reassign duplicated uuid in ADOM database

No error found.

Checking: Resync and add any missing vdoms from device database to DVM database

No error found.

Checking: Invalid policy package and template install target

No error found.

When upgrading from 5.6.0

This section describes the commands that you can use when upgrading to FortiManager 6.0.7 from 5.6.0.

diagnose cdb check objcfg-integrity

Check the integrity of the object configuration database table by using the following command:

diagnose cdb check objcfg-integrity.

Example:

FMG-VM64 # diagnose cdb check objcfg-integrity

Checking object config database table columns ... correct

diagnose cdb check reference-integrity

Check the integrity of the ADOM reference table by using the following command:

diagnose cdb check reference-integrity.

Example:

FMG-VM64 # diagnose cdb check reference-integrity

Checking reference table integrity ... correct