Appendix B - Re-establishing the FGFM tunnel after VM license migration
When migrating a FortiManager to a new license type, the serial number associated with the FortiManager is also changed. This impacts the FGFM (FortiGate to FortiManager) tunnel that exists between FortiManager and its managed FortiGate devices.
Depending on how the FortiGate was initially added to the FortiManager (through the FortiManager or through the FortiGate), you may need to manually update the password of FortiGate devices in the FortiManager database before the FGFM tunnel can be re-established.
Follow the steps below to re-establish the FGFM connection with managed FortiGate devices.
FGFM connection established through FortiManager
If the device was added from the FortiManager using the Add Device wizard, after the migration the FortiManager will automatically have the correct device's username and password and the FGFM tunnel can be immediately re-established.
To re-stablish the FGFM tunnel:
- In the FortiManager CLI, execute the following to bring the tunnel up:
execute fgfm reclaim-dev-tunnel
If the
execute fgfm reclaim-dev-tunnel
fails to establish a connection between the FortiManager and one or more FortiGate device, it is likely because the FGFM connection was originally established through the FortiGate for those devices. See FGFM connection established through FortiGate.
FGFM connection established through FortiGate
If the FGFM tunnel was initialized through the FortiGate, and FortiManager was used to promote (authorize) the device, the FortiManager may not have the device's administrator username and password. After the license migration is complete, the execute fgfm reclaim-dev-tunnel
command will not work until you have updated the FortiGate device's username and password in the FortiManager database using one of the methods described below:
To update the device's username and password in the GUI:
- Log on to the FortiManager.
- In the GUI, go to Device Manager, select the FortiGate device in the list of managed devices, and click Edit.
- Update the device's password in the Password field, and save the changes.
- Repeat this process for each FortiGate device that needs to be updated.
- In the FortiManager CLI, enter the following command to re-establish the FGFM tunnel:
execute fgfm reclaim-dev-tunnel
To update the device's username and password in the CLI:
- In the FortiManager CLI, for each FortiGate that needs to be updated enter the following command:
exec device replace pw < Device name > < FGT admin password >
. - Repeat this process for each managed device.
- Enter the following command to re-establish the FGFM tunnel:
execute fgfm reclaim-dev-tunnel
The steps above assume the use of the default Admin user. If you are using a different admin account to access the FortiGate from FortiManager, you will need to manually update the admin username as well as the password. |