How to Take Fortigate Firewalls Backup and Restore them (Firewalls are in HA Active/Passive Mode)

Question

Hi Dear Community Members,

I am bit confused to take and restore Fortigate 201F firewalls backup.

Someone clearly guide me , how we can take and backup 2 fortigate firewalls if they are operating in HA mode Primary and secondary. After backup how we can reset them and restore again backups so that previous primary remains primary only restoring backups.

--> Either we need to take backup of both firewalls--> Primary & Secondary individually or only using HA cluster ip

--> after resetting both firewalls or only primary firewall if we restore those taken backup eithe previous primary will automatically become primary and secondary will syn again?

Stephen_G · Accepted Answer

Hi atifali681,

A few points:

You do not need to take individual backups of both the Primary and Secondary units. A backup from the Primary is sufficient.
After restoring the backup on the Primary unit, the HA synchronization will ensure that the Secondary unit is updated accordingly.

If you want more information about HA configuration backups, I recommend reviewing Technical Tip: How to restore a configuration backup on a FortiGate HA cluster.

I hope that helps! Feel free to get in touch if you have further queries.

Yurisk · Answer

The configuration pf both members in HA pair is identical, except what is under config sys ha - for that you need to take note of any difference (GUI: System -> HA) (if exist). For the rest - it is enough to back up from Primary as @Stephen_G already pointed.

You didn't tell the context of restoring, but usual case is after FortiOS upgrade, then you have 2 options:

For 1 step upgrade, when FortiOS from old to new upgrades just 1 sub-version (e.g. 7.0.16 -> 7.017), the previous version of both: FortiOS and the Fortigate configuration are save to a Passive partition, and if you want to restore back - just make the Passive partition Active (on both members), and reboot both members at the same time. Some more info https://yurisk.info/2023/06/18/tips-on-upgrading-fortigate-in-ha-cluster/#_about_rollbackdowngrade
For multi-step upgrade, say 7.0.4 -> 7.0.14 - 7.0.16 -> 7.0.17, only the latest, i.e 7.0.16 FortiOS & config will be saved in Passive partition, so if you want to restore back to say 7.0.14 , best way would be - dis-assemble the cluster, downgrade each member to 7.0.14, restore config of Primary from back up when FGT had 7.0.14 (on multistep upgrade you are prompted to save each sub-step configuration as a file), and after 1st (Primary) member is with 7.0.14, and restored config and works fine - assemble cluster again by adding the 2nd member as Secondary w/o configuration, just the same FortiOS (7.0.14) and config under config sys ha.

IMPORTANT: 7.0.14 of course as an example, use current version instead. What I wrote is a general description of steps involved, not a step-by-step guide, so use it as basis to find more detailed information. Cluster downgrading is not an easy to do, so prepare diligently, including OOB access via console, "hands on desk" ready if someone need to connect to the FGT etc..

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded