droehrig
New Member
November 7, 2020
Question

Reboot after File System Check


So I am new at this (well, was kinda forced into doing this) and after someone pulled the power plug on one of our 501E Fortigates (we have 2 in HA) it had the warning to do a File System Check. So I came in today (Saturday) to do this. The Slave became the master. But what I want to know is when will you know when it's done running a file system check? Also, will it revert back to the original HA Master Slave setup from before the check (will the original Master change back and take over)? I am running 6.2.2 at the moment and was going to be updating as well if possible today. Any help or guidance would be so greatly appreciated!

Thanks,

Donna


    boneyard
    Valued Contributor
    November 8, 2020

    you can only see that if you are connected to the console interface, the check itself is done before you can access the OS to check via SSH.

    when the message is gone you can assume it happened.

    as for fallback or keep on the former slave, that depends on your settings.

    by default it won't fall back as it uses the uptime as one of the things to determine which firewall should be master. higher uptime is better, so the rebooted former master will be less interesting

    if you can perform the command below (remove information you don't want to share, i.e. secret, name, ...) it should be possible to tell which mode is used.

    show system ha

    Markus
    New Member
    November 9, 2020

    as boneyard mentioned, it depends on your ha settings. If you want manual control of which device is master, set ha override enabled. The device with the higher device priority will then always change back to master.

    ede_pfau
    SuperUser
    November 9, 2020

    If you kindly take a piece of advice / best practice: configure both units to be equally privileged, that is, prevent a fail-back after a failover. As both units are fully synchronized at all times, it doesn't matter at all which unit is master and which is slave. The advantage of treating them equally is that there won't be a second drop in sessions (at the very least IPsec sessions).

    So:

  • no "override" enabled
  • identical priority
  • identical link monitors

    This whole situation IMHO is annoying. Nobody with even a basic understanding of firewalls would just pull the plug. Non-professionals should not be allowed physical access to this kind of network equipment - IT security begins with physical access control.
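
The fail-back behaviour discussed in the replies above, as an added example that is not part of any post in this thread and not Fortinet code: a simplified Python model of how a two-unit cluster picks its master with and without override. The election order and the 300-second uptime margin are assumptions based on the documented FGCP defaults; unit names, serials, priorities and uptimes are constructed.

```python
# Simplified model of FGCP primary election (added illustration, not Fortinet code).
from dataclasses import dataclass

UPTIME_MARGIN_S = 300  # assumed default uptime difference margin, in seconds

@dataclass
class Unit:
    name: str          # constructed label, not a real hostname
    serial: str        # constructed serial number
    priority: int      # device priority from the HA configuration
    uptime_s: int      # HA uptime (age) in seconds
    monitored_up: int  # monitored interfaces with link up

def elect_primary(a: Unit, b: Unit, override: bool) -> Unit:
    """Return the unit that wins the election between two cluster members."""
    # 1. The unit with more healthy monitored interfaces wins outright.
    if a.monitored_up != b.monitored_up:
        return a if a.monitored_up > b.monitored_up else b

    def by_uptime():
        # Uptime only counts when the difference exceeds the margin.
        if abs(a.uptime_s - b.uptime_s) > UPTIME_MARGIN_S:
            return a if a.uptime_s > b.uptime_s else b
        return None

    def by_priority():
        if a.priority != b.priority:
            return a if a.priority > b.priority else b
        return None

    # 2./3. Override swaps the order in which uptime and priority are compared.
    checks = (by_priority, by_uptime) if override else (by_uptime, by_priority)
    for check in checks:
        winner = check()
        if winner is not None:
            return winner
    # 4. Final tie-breaker: the higher serial number.
    return a if a.serial > b.serial else b

def scenario(override: bool, equal_priority: bool = False) -> str:
    """Former master just rebooted for the file system check; its peer has run for a day."""
    former_master = Unit("fgt-a", "SN0001", 200, 120, 2)
    former_slave = Unit("fgt-b", "SN0002", 200 if equal_priority else 100, 86_400, 2)
    return elect_primary(former_master, former_slave, override).name
```

With override off, `scenario(False)` keeps the former slave (`fgt-b`) as master; with override on and a higher priority on the rebooted unit, `scenario(True)` hands the role back to `fgt-a`, which is the second session drop the last reply warns about.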