Enquiry about missing analysis and delay during FortiSandbox firmware upgrade

Hi all,

Greetings everyone!

I'd like to verify FortiSandbox behavior which is integrated with FortiMail.

Scenario : FortiMail is integrated with FSA1(Primary) – FSA2(Slave) – FSA3(Worker).

When upgrading FSA firmware, devices with operations in the queue cannot send samples to VMs to scan and are expected to wait for the upgrade to complete. As a consequences, FortiMail has a scan timeout and delivers or quarantines mail. 

But the customer wants the service to be uninterrupted without missing analysis and delay during firmware upgrade.

Q1. When the master device distributes jobs, is it possible to not distribute jobs to specific HA node?

Q2. Is there any other way to prevent missing analysis and mail delays when upgrading device with analysis queues?

Q3. I understand that when upgrading firmware, sandboxes need to upload a rating engine.

Which of the following is the most preferred upgrade best practice?

1. Every time (3.1.3 > 3.1.4 > 3.2.0 +Uploading a rating engine> 3.2.3 + Uploading a rating engine> 4.0.2 b0074+Uploading a rating engine > 4.0.2 b4125 +Uploading a rating engine)

2. Once (3.1.3 > 3.1.4 > 3.2.0 > 3.2.3 > 4.0.2 b0074 > 4.0.2 b4125 + Uploading a rating engine)

Any input or insights would be greatly appreciated!