HA cluster synchronization after a configuration restore that modifies the ha configuratio

Question

Hi!

I have some doubts related with how an ha A-P cluster acts when you restore a configuration to the master of a fortigate cluster and its ha configuration doesn't match with the configuration in the slave.

In my mind, it would have sense that the cluster brokes and its firewall acts as standby, but in my test environment I have seen that the cluster goes on working perfectly with the new configuration.

I consider that this is a bad practise, because if you misrestore a configuration file of another fortigate in the same version and of the same model, you would modify the whole cluster configuration, however, if you act as I consider, you would have the slave firewall working with the last configuration and without losing service.

Can somebody help me with this topic?

Toshi_Esumi · Answer

First, what is your purpose/objective of restoring the config file(?) to the current a-p master unit? Is it to change something in bulk, or to fix something broken on the master?

In either case, I would suggest let the other unit take the master role first, isolate the original master unit from the cluster/network, restore the (modified) config file via the dedicated management interface, then disconnect the acting master from the network at the same time reconnect the intended master to the network to take it over OUTSIDE of HA operation (both are masters), then reboot (all) other units so that uptime for the intended master would be the longest. After that, you re-connect HA (heart-beat interface(s)) back to normal so the slave(s) would sync up with the master.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded