Introduction

Have you upgraded FortiManager to the latest version and now you can't open your ADOMs, because they are no longer supported?

I was in a similar situation and I have a solution for that.

Description

Some time ago I was asked to perform a FortiManager upgrade from 5.6 to 6.2. I followed the upgrade path and performed an intermediate upgrade to 6.0. Once I finished, it turned out that I couldn't access these ADOMs:

  • root
  • Global
  • FortiCarrier

FMG# diagnose dvm adom list
There are currently 18 ADOMs:
OID      STATE    PRODUCT  OSVER  MR  NAME          MODE    VPN MANAGEMENT        IPS
2483086  enabled  FOS      5.0    6   MyADOM        Normal  Central VPN Console   14.705
(...)
103      enabled  FOC      5.0    2   FortiCarrier  Normal  Policy & Device VPNs  14.705
(...)
3        enabled  FOS      5.0    2   root          Normal  Central VPN Console   14.705
10       enabled  FOS      5.0    6   Global        Normal  Policy & Device VPNs  14.705
---End ADOM list---

The issue? They are at version 5.2, which is not supported by FMG 6.2. Even if you follow the upgrade path, the ADOMs won't be upgraded, and you will lose access to them once you finish.

Upgrade from GUI

A reasonable solution is to upgrade the ADOM from the GUI. Just open its settings and try to upgrade.

Of course, it won't work. You'll receive an error.

Solution

To upgrade the affected ADOMs and get rid of the error, you have to reset them to default settings. The reset deletes all existing data in the ADOM, so if there is any precious configuration you need to preserve, make sure you have a backup. But you did that before upgrading FMG, right? 😉

Before proceeding, make sure that ADOMs are empty. Find and remove all registered and unregistered devices.

FMG# diagnose dvm device list
--- There are currently 35 devices/vdoms managed ---

TYPE            OID    SN               HA      IP              NAME                                             ADOM                                             IPS                FIRMWARE

(...)
unregistered    2488506 FGT50E2222211111 -       10.10.10.1    FGT_KRK                                       root                                             14.00703 (regular) 5.0 MR6 (1575)
                |- STATUS: dev-db: modified; conf: out of sync; cond: unregistered; dm: none; conn: unknown
                |- vdom:[3]root flags:0 adom:root pkg:[never-installed]
(...)

--- There are currently 0 FortiAP managed ---


--- There are currently 0 FortiSwitch managed ---


--- There are currently 0 FortiExtender managed ---


--- End device list ---

I have 1 unregistered device FGT_KRK. It has to be removed before I proceed:

FMG# diagnose dvm device delete root FGT_KRK

---Deleting device succeeded---

Once the ADOM is clear, I can reset it to default and upgrade to the required version (in my environment, version 5.6 is desired):

FMG# execute reset adom-settings root 5 6
This operation will delete all the existing data in the ADOM.
Do you want to continue? (y/n)y

FMG# execute reset adom-settings FortiCarrier 5 6
This operation will delete all the existing data in the ADOM.
Do you want to continue? (y/n)y

Now my ADOMs are in version 5.6 (including Global) and errors are gone.

Conclusion

Before upgrading FortiManager, check its compatibility with FortiOS and upgrade the ADOMs prior to the FMG upgrade. This approach will save you time and nerves.
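
A pre-upgrade check along these lines, as an added example (not part of the original post, and not Fortinet tooling): it parses saved output of `diagnose dvm adom list` and `diagnose dvm device list` and reports which ADOMs are below a chosen minimum version and whether they still hold devices. The function names are hypothetical, the sample input is constructed from the outputs shown above, and the minimum version is an assumption you must take from the release notes of your target FMG version.

```python
import re
from collections import Counter

# Constructed sample: the `diagnose dvm adom list` rows shown earlier on this page.
ADOM_LIST = """\
OID STATE PRODUCT OSVER MR NAME MODE VPN MANAGEMENT IPS
2483086 enabled FOS 5.0 6 MyADOM Normal Central VPN Console 14.705
103 enabled FOC 5.0 2 FortiCarrier Normal Policy & Device VPNs 14.705
3 enabled FOS 5.0 2 root Normal Central VPN Console 14.705
10 enabled FOS 5.0 6 Global Normal Policy & Device VPNs 14.705
---End ADOM list---
"""

# Constructed sample: one device entry from `diagnose dvm device list`.
DEVICE_LIST = """\
unregistered 2488506 FGT50E2222211111 - 10.10.10.1 FGT_KRK root 14.00703 (regular) 5.0 MR6 (1575)
    |- STATUS: dev-db: modified; conf: out of sync; cond: unregistered; dm: none; conn: unknown
    |- vdom:[3]root flags:0 adom:root pkg:[never-installed]
"""

# OID STATE PRODUCT OSVER MR NAME ... ; only the first six columns are needed.
ADOM_ROW = re.compile(r"^\s*(\d+)\s+(\w+)\s+(\w+)\s+(\d+)\.\d+\s+(\d+)\s+(\S+)\s")
# Per-VDOM detail line; it names the ADOM the VDOM is assigned to.
VDOM_ROW = re.compile(r"\|-\s*vdom:\[\d+\]\S+.*?\badom:(\S+)")


def parse_adoms(text):
    """Return {name: (major, mr)}; OSVER 5.0 with MR 2 means ADOM version 5.2."""
    adoms = {}
    for line in text.splitlines():
        m = ADOM_ROW.match(line)
        if m:  # header, "(...)" and footer lines do not match
            adoms[m.group(6)] = (int(m.group(4)), int(m.group(5)))
    return adoms


def precheck(adom_text, device_text, minimum):
    """ADOMs below `minimum` (major, mr), with the VDOM entries still assigned."""
    used = Counter(VDOM_ROW.findall(device_text))
    return [
        (name, f"{ver[0]}.{ver[1]}", used.get(name, 0))
        for name, ver in sorted(parse_adoms(adom_text).items())
        if ver < minimum
    ]


if __name__ == "__main__":
    # Assumption: (5, 6) is the version this page resets to, used here as the minimum.
    for name, ver, n in precheck(ADOM_LIST, DEVICE_LIST, (5, 6)):
        print(f"{name}: ADOM version {ver}, VDOM entries still assigned: {n}")
```

Any ADOM reported with a non-zero count still has to be emptied before `execute reset adom-settings` is run on it.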