Network_Engineer
Visitor III
April 19, 2022
Solved

Is There a Commit Command

  • April 19, 2022
  • 2 replies
  • 22539 views

In FortiGate firewalls, commands are pushed down automatically (at least in the GUI).


Q1 Is there a way to "undo" changes you have done?

Q2 Is there a way to see "changes" and then choose to "commit" them, like Cisco and Palo Alto?


With regards to syncing HA,

Q3 How do I check using cli why 2 members cannot sync?

Q4 What are the command lines to break down, as well as to force, 2 members to sync?

2 replies

markdr_FTNT
Staff
April 20, 2022

Hi there,


Regarding your first questions: yes, there is an option to wait until you 'commit' a transaction, like other vendors.


It's referred to as 'workspace' mode. You need to turn it on first.


To use workspace mode:
  1. Start workspace mode:

    execute config-transaction start

    Once in workspace mode, the administrator can make configuration changes, all of which are made in a local CLI process that is not viewable by other processes.

  2. Commit configuration changes:

    execute config-transaction commit

    After performing the commit, the changes are available for all other processes, and are also made in the kernel.

  3. Abort configuration changes:

    execute config-transaction abort

    If changes are aborted, no changes are made to the current configuration or the kernel.


See here:

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/688647/workspace-mode


Regards,


Debbie_FTNT
Staff & Editor
April 20, 2022

In addition to the workspace mode Mark mentioned, this behavior is present in FortiGate CLI by default:
- if you make changes via CLI, the changes are only committed when you exit that particular configuration with 'next' or 'end'

-> while you are still in the particular object you've configured, changes are not live yet

-> you can review the current configuration with 'show' before leaving the object and committing the change

- you can also exit an object with 'abort'; this will discard any changes you made instead of committing them as 'next' or 'end' would


All of this is for CLI though; for GUI the changes are only committed if you click on 'Okay', 'Apply' or similar.


Regarding undoing changes: there is no easy undo button. You can set the FortiGate to generate periodic revisions (if it has a disk, or is managed by FortiManager/FortiCloud) that you can revert to: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-save-and-restore-configuration-changes/ta-p/195879
You can also set up a scheduled backup to run every day, and could revert to an older configuration that way, but this would trigger a reboot.


You could also use FortiManager, as that will maintain a history of FortiGate configuration revisions; you can make changes to policies etc. and review them before pushing them out to the FortiGate directly. If you have several FortiGates to look after, this might be a solution to pursue.


Regarding your HA questions:
- KB on how to troubleshoot HA sync issues: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-HA-synchronization-issue-cluster-out-of-sync/ta-p/193422
- KB on investigating checksum mismatch specifically: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshooting-a-checksum-mismatch-in-a-FortiGate/ta-p/197551

- KB for forcing synchronization: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Procedure-for-HA-manual-synchronization/ta-p/196067

I don't think we have any documentation for breaking HA sync; you could break down the HA link by physically disconnecting the units or by changing the HA settings so that they mismatch each other, but that would likely result in a split-brain scenario (each unit assuming it's the primary).
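The commit semantics from the two staff replies above (workspace transactions plus object-level 'show'/'abort'/'next'), put together as one constructed FortiOS CLI session. This is an added illustration, not quoted from the posts or the linked Fortinet docs; the interface name port3 and the description text are made up, and the two HA commands at the end are standard FortiOS commands I am adding for Q3/Q4, not ones the replies spell out.

```fortios
# Constructed FortiOS CLI session (added example, not from the thread).
# Assumes an interface named port3 exists; all values are made up.

# 1) Open a workspace transaction: nothing below reaches other
#    processes or the kernel until the transaction is committed.
execute config-transaction start

# 2) Stage a change on one object. Inside 'edit' it is not live yet,
#    so it can be reviewed with 'show' and thrown away with 'abort'.
config system interface
    edit port3
        set description "lab-uplink"
        show      # displays the object with the staged change
        abort     # discards the staged change and leaves the object

# 3) Make the same change again and keep it at object level:
#    'next' commits the object inside the CLI process, 'end' leaves the table.
config system interface
    edit port3
        set description "lab-uplink"
        next
    end

# 4) Either publish the whole transaction to all processes and the kernel,
#    or discard every change made since 'start' (pick one).
execute config-transaction commit
# execute config-transaction abort

# HA (Q3/Q4): compare each member's configuration checksums, and if they
# differ, run a manual sync on the out-of-sync secondary member.
diagnose sys ha checksum cluster
execute ha synchronize start
```

The checksum output is the quickest way to confirm whether a change actually reached the peer; a mismatch after the sync completes points to one of the checksum-specific causes covered in the KB articles linked above.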

Network_Engineer
Visitor III
April 21, 2022

Understood, thank you.

So for the GUI, I cannot redo the changes unless I do a restore of a previous version?

In Palo Alto, for the GUI, I can review my changes and only click "commit" when I am satisfied.

Debbie_FTNT
Staff & Editor
April 21, 2022

Hey Network_Engineer,

essentially correct; on FortiGate you can scroll over the GUI page again and see what you set, and the changes will be committed if you click 'Okay' or 'Apply', but there is no separate validation step that I'm aware of.