Support Forum
rosswakelin
New Contributor II

How to populate new ADOM with objects from an existing ADOM?

I've seen similar questions asked, but never answered adequately, so I thought I would bring it up again.

We are using FGM 5.4, and have an ADOM with all our 5.2 FGT systems, objects and policies. We are about to introduce our first 5.4 FGT into the mix, which means we HAVE to create a new ADOM on the FGM (you can't mix major versions in the same ADOM). So we have created the new (empty) ADOM, and now need to somehow get all our existing objects into it. 

One suggestion is to take a new FGT, downgrade it to 5.2, apply policies etc. from the 5.2 ADOM, upgrade the FGT back to 5.4, and then import it into the 5.4 ADOM.  Hmmm.  This might work if the policy we applied to the downgraded FGT contained ALL of the objects we need to transfer to the new 5.4 ADOM but....

FGM has this wonderful scripting interface, so there has to be (doesn't there??) a way to script dump the objects, policies etc. from our 5.2 ADOM and script import them all into the new 5.4 ADOM.  I have looked here, and gone backwards and forwards through the FGM admin and cli manuals, and for the life of me I can't see how it can be done.  With 5.4.1 about to appear on the download site, more and more organisations are going to be migrating/upgraded to the 5.4 line of code, and LOTS of people will want to do this.  I was hoping that Fortinet would have put a knowledge base article up about this, but I can't see one.

Does anyone have a "howto" on how to do this??

Thanks in advance.

1 Solution
rosswakelin

So just to clarify things, this is what I ended up doing.

Connect to the FMG CLI using a tool like putty.

Set putty to write all the output to a local log file

Choose what objects you want to dump, and what ADOM you want to dump them from, then use a line like:

execute fmpolicy print-adom-object NZ5-2 140 all

which in my case will dump all the address objects (the 140) out of the ADOM called NZ5-2. These objects will be dumped to the putty session screen, and captured to the log file.  This log file will contain the CLI commands necessary to create all the objects you just dumped out.

When the command completes, stop the putty console log, which closes the log file.

Edit the putty log file to remove the command that you typed, which will be at the top of the file.

Also edit the putty log file to remove any commands that won't work during the import stage, e.g. any reference to some of the dynamic objects, or where the syntax has changed between the old ADOM version and the new one (e.g. URL address objects). Save the putty log file using a name that means something to you.

Go to the FMG GUI, and select the ADOM you want to import the objects into. Select Device Manager. Click on the "Scripts" menu bar option.  Click on Import, and fill out the form to import the edited putty log file you just created.  You want to set the "Run Script On" selection to "Policy Package, ADOM Database".  Click on OK to import the script.

Right click on the script, and select Run, and it will prompt you "Run script on policy package" - select "default".  Click OK.  This will execute the script in the context of the ADOM, and hopefully it will complete OK.  If it fails, you can look at the script log file and you can see where it failed (look at the end of the log file), then edit the script to fix the error and run again.  NO items will be imported if the script contains an error, even if the error is on the last command in the script - an error causes the whole script to be rolled back.

You then have to "rinse and repeat" for each of the object types you want to import into the new ADOM.

I hope this helps some others...

Ross
lkorbasiewicz_FTNT

Hello,

To populate a new ADOM with objects, you may dump the content of the old ADOM using the CLI command:

execute fmpolicy print-adom-object ADOM_ID TABLE_ID all

Type a question mark after "execute fmpolicy print-adom-object" to list ADOMs with their IDs, and then again after choosing an ADOM to see the list of objects.

For example:

execute fmpolicy print-adom-object 3 140 all

will list all "firewall address" objects from the "root" ADOM.

Then use the output of this command as a CLI script to populate the new ADOM.

Alternatively, use

execute fmpolicy print-adom-database 3

to dump the whole ADOM in text form and remove the parts you don't necessarily need before populating an ADOM.

Best Regards,

Lukasz Korbasiewicz

Fortinet EMEA TAC Level 2

Fortinet NSE7 Certified

To reach support on call:

http://www.fortinet.com/support/contact_support.html

Helpful links:

http://kb.fortinet.com

http://video.fortinet.com

http://docs.fortinet.com

Lukasz Korbasiewicz,

Fortinet TAC Support


lkorbasiewicz_FTNT

Hi Ross,

That's a really nice, detailed step-by-step guide. Thanks for posting it here.

Best Regards,

Lukasz Korbasiewicz

Lukasz Korbasiewicz,

Fortinet TAC Support

rosswakelin

Glad I could help.  What we need now is for Fortinet to pick up this article, add some screen shots and turn it into a knowledge base article.  Like a lot of stuff with the Fortinet products, there is a way of doing all sorts of cool stuff, but the manual is very dry and specific, and what we really need is a lot more "howto" type examples that cover the everyday activities that we need to do.  The cookbook is a good start, but is nowhere near comprehensive enough.

FlavioB
New Contributor III

Hi Ross.

Interesting feedback and detailed instructions... now... what about dynamic object mappings? How did you handle those?

I'm in the middle of a similar task: 5.2 ADOM with both 5.2 and 5.4 FGTs (because I started upgrading). As many FGTs will remain on 5.2 (60C), I need to split it up. My plan is this (besides backing up the whole config before starting):

1. dump everything I need from the actual 5.2 ADOM (I'd say objects from the CLI and policy packages from the GUI, which offers the export feature);
2. remove everything related to the 5.4 FGTs in the dump text file;
3. move all 5.2 FGTs to the new 5.2 ADOM;
4. run the script with the dumped material on the new 5.2 ADOM;
5. import policy packages from the GUI into the new 5.2 ADOM;
6. upgrade the "former" 5.2 ADOM to 5.4 (as it will only contain 5.4 FGTs).

What do you think about the above?

BR,

Flavio.

PPA
New Contributor

Guys, the "execute fmpolicy print-adom-object" command output comes without core commands like (config antivirus profile, config firewall address, etc.). The script doesn't work without these "core" commands. How do you run the script?

chall_FTNT

FMG 5.4:

FMG-VM64-HV # exec fmpolicy print-adom-object root ?
id      <category name>
all     "Dump all categories"
...
1420    "antivirus profile"
...
140     "firewall address"

Chris Hall
Fortinet Technical Support
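Ross's clean-up steps (delete the echoed command at the top of the PuTTY log, drop the objects that will not import, remember that a single error rolls the whole script back) and PPA's observation (the dump lacks the enclosing "config firewall address" ... "end" wrapper) are mechanical enough to script. The following is an added example, not Fortinet's code and not code posted by anyone in this thread. It assumes the capture is FortiOS-style CLI text (config/end, edit/next, set), that the objects to leave out can be selected with a caller-supplied regular expression (defaulting to anything mentioning "dynamic"), and that the table name passed in matches the category id that was dumped (140 is "firewall address" in Chris Hall's listing). The sample capture embedded in the script is constructed for illustration and is not real FortiManager output.

```python
"""Turn a PuTTY capture of `execute fmpolicy print-adom-object <ADOM> <ID> all`
into a script that can be imported against the ADOM database.

Added example, not Fortinet's code. Assumptions (labelled): FortiOS-style CLI
text, an optional `config <table>` wrapper in the dump, and a caller-supplied
regex that selects the objects to leave out for manual handling.
"""
import re
import sys
from typing import List, Optional, Tuple

# Constructed sample capture; NOT real FortiManager output. The first and last
# lines imitate the echoed command and trailing prompt that PuTTY records.
SAMPLE_CAPTURE = """\
FMG-VM64-HV # execute fmpolicy print-adom-object NZ5-2 140 all
edit "HQ-LAN"
    set subnet 10.1.0.0 255.255.0.0
next
edit "Branch-Dyn"
    set comment "per-device dynamic mapping"
    config dynamic_mapping
        edit "fgt-branch"
            set subnet 10.2.0.0 255.255.0.0
        next
    end
next
edit "Web-Server"
    set subnet 192.0.2.10 255.255.255.255
next
FMG-VM64-HV #
"""

CMD_RE = re.compile(r"fmpolicy\s+print-adom-(object|database)")
OPEN, CLOSE = {"config", "edit"}, {"end", "next"}


def _keyword(line: str) -> str:
    return line.strip().split(" ", 1)[0]


def strip_echoed_command(text: str) -> List[str]:
    """Drop the typed command (and blank lines) captured at the top of the log."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    while lines and (not lines[0].strip() or CMD_RE.search(lines[0])):
        lines.pop(0)
    return lines


def split_objects(lines: List[str]) -> Tuple[Optional[str], List[List[str]]]:
    """Group lines into top-level `edit ... next` blocks, tracking nesting so a
    nested config/end inside an object stays with it. Returns the `config <table>`
    wrapper line if the dump had one (else None) and the object blocks; other
    depth-0 lines such as a trailing prompt are ignored."""
    wrapper, objects, current, depth = None, [], [], 0
    for ln in lines:
        kw = _keyword(ln)
        if depth == 0:
            if kw == "config":
                wrapper = ln.strip()
            elif kw == "edit":
                current, depth = [ln], 1
            continue
        current.append(ln)
        if kw in OPEN:
            depth += 1
        elif kw in CLOSE:
            depth -= 1
            if depth == 0:
                objects.append(current)
                current = []
    return wrapper, objects


def check_balance(lines: List[str]) -> List[str]:
    """Return structural errors (empty list = every config/edit has its end/next).
    FortiManager rolls the whole script back on any error, so check before
    importing instead of discovering the problem in the script log."""
    stack, errors = [], []
    for n, ln in enumerate(lines, 1):
        kw = _keyword(ln)
        if kw in OPEN:
            stack.append((kw, n))
        elif kw in CLOSE:
            if not stack:
                errors.append(f"line {n}: '{kw}' with no open block")
                continue
            opened, at = stack.pop()
            expected = "end" if opened == "config" else "next"
            if kw != expected:
                errors.append(f"line {n}: '{kw}' closes '{opened}' (line {at}); expected '{expected}'")
    errors.extend(f"line {at}: '{kw}' never closed" for kw, at in stack)
    return errors


def build_import_script(capture: str, table: str = "firewall address",
                        drop_pattern: str = r"dynamic") -> Tuple[str, int]:
    """Return (script_text, number_of_objects_dropped). `table` is an assumed
    name used only when the dump lacks its own `config` wrapper."""
    wrapper, objects = split_objects(strip_echoed_command(capture))
    pat = re.compile(drop_pattern, re.IGNORECASE)
    kept = [blk for blk in objects if not any(pat.search(ln) for ln in blk)]
    out = [wrapper or f"config {table}"]
    for blk in kept:
        out.extend(blk)
    out.append("end")
    errors = check_balance(out)
    if errors:
        raise ValueError("script would be rolled back: " + "; ".join(errors))
    return "\n".join(out) + "\n", len(objects) - len(kept)


if __name__ == "__main__":
    script, dropped = build_import_script(SAMPLE_CAPTURE)
    print(script, end="")
    print(f"# {dropped} object(s) left out for manual handling", file=sys.stderr)
```

The objects that are dropped are reported by count only; review them by hand, since those are exactly the entries (dynamic mappings, changed syntax) that Ross says need manual attention before the import. Run the resulting text through the GUI "Scripts" import with "Run Script On" set to "Policy Package, ADOM Database", as described in the accepted solution.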