FortiManager
jdvorak
Article Id 194215
Description
This article describes how to replace a FortiGate unit in the FortiManager configuration, following an RMA hardware replacement. 

This procedure ONLY applies to replacing a FortiGate with another FortiGate of the identical model.
(If upgrading a FortiGate to a different model, the new unit must be added as a new device.)

The procedure is intended for standalone (non-HA) units; it does not need to be followed for devices in HA mode.
It is not applicable to the RMA of a master device, because the functional slave unit is always promoted to master during the failover.
A FortiGate slave device is replaced following the regular FortiGate procedure (whether managed by a FortiManager or not). Once replaced, a simple Device Manager "Refresh" connectivity action is sufficient to have the new serial number displayed in the FortiManager's Device Manager System Information dashboard.


Solution

1) From the FortiManager's Device Manager tab, download the latest Revision History configuration file for the FortiGate unit that is being replaced. This FortiGate configuration will be restored on the new replacement device.

2) Edit the FortiGate configuration file to remove the FortiManager's IP address from the "central-management" configuration section (see below). This prevents the FortiGate unit from registering itself as a 'new' device in the FortiManager "Unregistered device" section once the configuration is restored on the unit:

#config system central-management
unset fmg

3) Restore this modified configuration file directly on the new FortiGate device.

4) Replace the original FortiGate serial number recorded on the FortiManager unit with the new device's serial number, using the commands below:

#diag dvm device list

#exec device replace sn <device name> <serialnum> 

Note: <serialnum> is case-sensitive (letters in Fortinet product serial numbers are upper-case).

5) Perform a Device Manager connectivity check or Refresh to establish the FGFM management tunnel to the FortiGate. If it fails to establish, the tunnel can be forced by running the following command on the FortiManager:

#exec fgfm reclaim-dev-tunnel <device name> 

Sample Configuration:

FortiGate:

#config system central-management
#unset fmg

FortiManager:

# diagnose dvm device list
--- There are currently 1 devices/vdoms managed ---

TYPE            OID    SN               HA      IP              NAME                                 ADOM                                 IPS                FIRMWARE
fmg/faz enabled 158    FGVM0XXXXXXXXXXX -       10.5.60.3       FGVM0XXXXXXXXXXX                     root                                 6.00741 (regular)  5.0 MR4 (7605)
                |- STATUS: db: not modified; conf: out of sync; cond: unknown; dm: autoupdated; conn: down
                |- vdom:[3]root flags:1 adom:root pkg:[imported] FGVM0XXXXXXXXXXX

# execute device replace sn FGVM0XXXXXXXXXXX FGVM0YYYYYYYYYYY
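The two error-prone parts of the procedure above are editing the backed-up configuration (step 2) so the restored unit does not re-register itself, and getting the replacement serial number right (step 4). The following added example, which is not Fortinet code and not part of this article, does both on a constructed FortiGate backup: it strips only the `set fmg` line from the `config system central-management` section (the file equivalent of `unset fmg`), checks that the new serial is upper-case and, as an assumption of this example rather than a fact stated in the article, that it shares its leading characters with the old serial as a rough same-model check, and then prints the FortiManager commands in the order the article gives them.

```python
"""Prepare an RMA replacement for a FortiManager-managed FortiGate.

Added example, not Fortinet code.  The sample backup below is constructed for
this example and does not come from a real device.
"""
import re

# Constructed sample of a FortiGate configuration backup (not a real device).
SAMPLE_BACKUP = """\
#config-version=FGVM64-6.0.4-FW-build0231-190107:opmode=0:vdom=0:user=admin
config system global
    set hostname "FGVM0XXXXXXXXXXX"
end
config system central-management
    set type fortimanager
    set fmg "10.5.60.1"
    set fmg-source-ip 10.5.60.3
end
config system interface
    edit "port1"
        set ip 10.5.60.3 255.255.255.0
        set allowaccess ping https ssh fgfm
    next
end
"""

# Matches "set fmg <value>" but not "set fmg-source-ip", which must survive.
_SET_FMG = re.compile(r"^\s*set fmg\s")
# Fortinet serial numbers are upper-case letters and digits.
_SERIAL = re.compile(r"^[A-Z0-9]+$")


def strip_fmg(config_text: str) -> str:
    """Return the backup with 'set fmg' removed from 'config system central-management'.

    Equivalent to running 'unset fmg' inside that section on the CLI.  Only that
    section is touched; config/edit blocks elsewhere are copied through unchanged.
    """
    out = []
    depth = 0          # current nesting depth of config/edit blocks
    cm_depth = None    # depth at which the central-management block was opened
    for line in config_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped == "config system central-management":
            cm_depth = depth
        if cm_depth is not None and _SET_FMG.match(line):
            continue   # drop the FortiManager address line
        if stripped.startswith(("config ", "edit ")):
            depth += 1
        elif stripped in ("end", "next"):
            depth -= 1
            if cm_depth is not None and depth == cm_depth:
                cm_depth = None   # left the central-management block
        out.append(line)
    return "".join(out)


def check_replacement_serial(old_sn: str, new_sn: str, prefix_len: int = 5) -> list:
    """Return a list of problems with new_sn; an empty list means it looks acceptable.

    'execute device replace sn' is case-sensitive, so lower-case input is flagged.
    The prefix comparison is this example's assumption (not stated in the article)
    that the first prefix_len characters of a serial identify the hardware model.
    """
    problems = []
    if not _SERIAL.match(new_sn):
        problems.append("serial must be upper-case letters and digits only")
    if new_sn.upper()[:prefix_len] != old_sn.upper()[:prefix_len]:
        problems.append("serial prefix differs: replacement may not be the same model")
    if new_sn.upper() == old_sn.upper():
        problems.append("replacement serial is the same as the original")
    return problems


def fortimanager_commands(device_name: str, new_sn: str) -> list:
    """CLI lines for the FortiManager, in the article's order.

    The last line is only needed when the connectivity check fails to bring
    the FGFM tunnel up after the serial number has been replaced.
    """
    return [
        "diagnose dvm device list",
        f"execute device replace sn {device_name} {new_sn}",
        f"execute fgfm reclaim-dev-tunnel {device_name}",
    ]


if __name__ == "__main__":
    old, new = "FGVM0XXXXXXXXXXX", "FGVM0YYYYYYYYYYY"
    edited = strip_fmg(SAMPLE_BACKUP)
    print(edited)
    print(check_replacement_serial(old, new) or "serial looks acceptable")
    print("\n".join(fortimanager_commands(old, new)))
```

The block-depth tracking in `strip_fmg` is deliberate: a plain "delete every `set fmg` line" edit would also remove the line from any other section that happens to use that keyword, while the `fmg-source-ip` setting in the same section is kept because the regex requires whitespace after `fmg`.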

