torenhof
Explorer II
May 6, 2015
Solved

Add new member to firewall cluster

  • May 6, 2015
  • 1 reply
  • 9474 views

Hello All,

 

At a client, I have some issues adding a "newly" received FortiGate 100D after one defective member has been replaced by FortiGate.

The problem is that the firewalls now have different build numbers, and when I try to join the new member I get the following warning:

fortinet HA cannot be formed because the internal ports of box is in different mode with this box, ...

I have checked the interface names and they are different on the two boxes.

On the primary node, its name is: internal

On the received node, its name is: lan

I have one backup of the primary node, which has been working standalone for a year and a half.

The current firmware version = FG100D-5.02-FW-build618-140915

I have uploaded the firmware through TFTP in the preboot menu (on the received node).

How can I restore the HA with these two firewalls?

Do I need to change the cfg file of the working firewall? If so, what and where?

Can I change the name of the interface on the received firewall?

I've been searching for a couple of days to solve this issue, and I've not been able to find the right solution yet.

 

Thanks and best regards,

 

Torenhof

 

    Best answer by AtiT


    1 reply

    AtiT
    New Member
    May 6, 2015

    Hello,

    According to the FortiOS 5.2 Handbook:

    You can add a repaired or replacement unit to a functioning cluster at any time. The repaired or replacement cluster unit must:
    1) Have the same hardware configuration as the cluster units, including the same hard disk configuration and the same AMC cards installed in the same slots.
    2) Have the same firmware build as the cluster.
    3) Be set to the same operating mode (NAT or Transparent) as the cluster.
    4) Be operating in single VDOM mode.

    I think the Part Number is a part of the hardware configuration.

    I checked some 100D units and found out that:

    System Part-Number: P11510-02 has internal switch ports.
    System Part-Number: P11510-03 has lan switch ports.

    I think you can reopen the ticket at Fortinet and ask for the part number you need and replace the unit.

    I am just wondering whether you are using the ports as switched ports. If not, maybe you can try to disable the switch ports and have separate ports like port1, port2, etc. Probably they will be the same on all devices.

     
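The checklist in the answer above (same hardware/part number, same firmware build, same operation mode, single VDOM mode) can be turned into a pre-flight check before a replacement unit is joined to the cluster. The script below is an added example, not code from the thread or from Fortinet: it parses the text of `get system status` captured from each unit and lists every field that would block HA formation. The two status outputs are constructed to mirror the thread's situation (same build, different part number, "internal" vs "lan" switch ports); the field names follow the `get system status` layout, but the exact values, serial numbers and the interface lists are assumptions.

```python
"""HA pre-flight check for a FortiGate replacement unit (added example).

Compares `get system status` output from a working cluster member and a
candidate replacement and reports the mismatches that prevent HA formation.
All sample data below is constructed for illustration.
"""
import re

# Constructed sample: the working primary (P11510-02, "internal" switch ports)
PRIMARY_STATUS = """\
Version: FortiGate-100D v5.2.0,build618,140915 (GA)
Serial-Number: FG100D0000000001
BIOS version: 04000007
System Part-Number: P11510-02
Operation Mode: NAT
Current virtual domain: root
Virtual domain configuration: disable
"""

# Constructed sample: the RMA replacement (P11510-03, "lan" switch ports)
REPLACEMENT_STATUS = """\
Version: FortiGate-100D v5.2.0,build618,140915 (GA)
Serial-Number: FG100D0000000002
BIOS version: 04000007
System Part-Number: P11510-03
Operation Mode: NAT
Current virtual domain: root
Virtual domain configuration: disable
"""

# Fields the FortiOS 5.2 HA handbook requires to match, plus the part number,
# which the thread shows decides whether the switch ports are "internal" or "lan".
# Treating "Virtual domain configuration" as the single-VDOM check is an assumption.
REQUIRED_MATCH = (
    "Version",
    "System Part-Number",
    "Operation Mode",
    "Virtual domain configuration",
)


def parse_status(text):
    """Turn 'Key: value' lines into a dict, keeping the original key spelling."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def build_number(version_value):
    """Extract the numeric build from a Version line: 'build0618' -> '618'."""
    m = re.search(r"build(\d+)", version_value)
    return m.group(1).lstrip("0") if m else None


def ha_mismatches(primary_text, candidate_text):
    """Return [(field, primary_value, candidate_value)] for every blocking difference."""
    p, c = parse_status(primary_text), parse_status(candidate_text)
    problems = []
    for field in REQUIRED_MATCH:
        pv, cv = p.get(field), c.get(field)
        if field == "Version":
            # Only the build has to match; compare the build numbers, not the whole line
            pv, cv = build_number(pv or ""), build_number(cv or "")
            field = "Firmware build"
        if pv != cv:
            problems.append((field, pv, cv))
    return problems


def can_join(primary_text, candidate_text):
    """True when nothing in REQUIRED_MATCH differs between the two units."""
    return not ha_mismatches(primary_text, candidate_text)


def interface_naming_differs(primary_ifaces, candidate_ifaces):
    """Interface names present on only one box (e.g. 'internal' vs 'lan')."""
    return sorted(set(primary_ifaces) ^ set(candidate_ifaces))


if __name__ == "__main__":
    for field, pv, cv in ha_mismatches(PRIMARY_STATUS, REPLACEMENT_STATUS):
        print(f"MISMATCH {field}: primary={pv!r} replacement={cv!r}")
    # Constructed interface lists reproducing the thread's naming difference
    print(interface_naming_differs(["wan1", "wan2", "internal", "dmz"],
                                   ["wan1", "wan2", "lan", "dmz"]))
```

Run against the constructed samples it reports a single mismatch on `System Part-Number`, which is exactly the case in this thread: the builds were aligned by reflashing, but the part number (and with it the switch-port naming) cannot be changed in software, so the unit has to be swapped. A build mismatch, as in the original question before the TFTP reflash, shows up as a `Firmware build` entry first.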

    torenhof
    Explorer II
    May 7, 2015


    The firewall is configured to use its ports as switched ports, so it is not really an option.

    I will contact FortiGate once more and will request a firewall with an equal build number.

     

    Thanks for your input.