Charl_Schippers
New Member
July 7, 2013
Question

Upgrade Fortigate Active-Passive

  • 5 replies
  • 9517 views
Hello, I have two Fortigates 200A in HA mode Active Passive. The Passive Fortigate is connected with one cable to the Active Fortigate. We use the second fortigate only as backup for the Active Fortigate. The problem is when we want to upgrade these Fortigates, nothing happens, because the upgrade procedure wants to upgrade first the passive FG and then the active FG, but the passive FG is not connected to internet. Is it possible to shut down the connection to the passive FG, then upgrade the active FG, and then connect the passive FG again? But will the passive FG then automatically upgrade to the new Firmware?

Kind Regards,

    5 replies

    ede_pfau
    SuperUser
    July 8, 2013
    hello, upgrading an a/p cluster should work like you stated: as you can only interact with the active cluster member, upgrading is done internally by the FGT master. First, when the config is synched, the master transfers the firmware image onto the slave, the slave reboots and assumes the master role. Then, the prior master is upgraded and rebooted. Depending on your settings, the prior master either is promoted to master again or the cluster is left as is. At no point is an active internet connection needed. If you've tried to upgrade, and the upgrade didn't succeed, then please post the error message(s) you've got.

    Best practice says:
    1. reboot the cluster BEFORE upgrading (to eliminate possible memory leaks).
    2. if you want the master to stay master, set its HA priority higher than the slave's. With both priorities equal you avoid one reboot thus maximizing uptime.
    3. In ancient times, upgrading a cluster was best done by splitting it up, doing it member by member and re-forming the cluster afterwards. That is unnecessary today, from FortiOS 4.2 and younger on.
    Charl_Schippers
    New Member
    July 8, 2013
    Hello, When we use the following setting:

        config system ha
            set uninterruptable-upgrade disable
        end

    both fortigates in Active-Passive mode will be upgraded at the same time?, and I have no problems? Kind regards
    emnoc
    New Member
    July 8, 2013
    Ditto on the above with one more suggested step. Make a backup of the configuration before you continue with the upgrade process. The upgrade should be hit-less for the most part if you follow the above. SSLvpn clients will have to re-negotiate but outside of that, nothing too serious.
    Charl_Schippers
    New Member
    July 8, 2013
    Hello, Thanks for the reply, we upgraded the firewalls without any problems. We use the following setting:

        config system ha
            set uninterruptable-upgrade disable
        end

    and then both Fortigates will be upgraded with the new firmware. Regards,
    RH2
    New Member
    July 8, 2013
    to upgrade without interrupting the users, you need to install a hub/switch between the firewalls and your internet connection. We use a small switch set in hub mode (layer 2 traffic only) like this:

        port 1 = Master (active)
        port 2 = Slave (passive)
        port 8 = Internet Router

    By using layer 2 mode, we do not need to change the ip addresses on the external interface of the firewall. When you put two or more fortigates into HA mode, they clone the MAC addresses so both units are the same MAC and IP address. The slave will communicate with the master through the HA connection. With this setup, when you upgrade with uninterruptable-upgrade enabled, all of the traffic will be routed through the master while the slave updates, then the slave takes over as master while the previous master gets updated. You were not able to do this since your slave has no internet connection.
    ede_pfau
    SuperUser
    July 9, 2013
    Now I understand "not having an internet connection"! I've never thought you didn't have switches for the firewall ports. For every firewall port in use, you need 3 switch ports: fw1, fw2 and where it connects to. Small 5-port switches come in handy here like those from Netgear (w/ metal case). So at least you spend 2 small switches (in and out ports), for the reliability of automatic failover. Just think of a failure at Saturday night... This is the recommended design of a HA cluster (see Fortinet HA Guide). IMHO setting up HA doesn't really make sense without connecting the cluster members. You only gain automatic config synchronization. In bigger installations and with more firewall ports in use, you could use just one 24-port switch which you segment into compartments via internal VLANs. Glad that the upgrade worked for you. It's really reliable and almost never needs precautions.
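As an added example (not posted by anyone in this thread and not taken from Fortinet's documentation), the FortiOS CLI settings behind the two upgrade styles discussed above, in one place. The backup filename, the TFTP server address, the priority value and the use of "set override enable" are assumptions.

```text
# Added example, not from the thread. FortiOS CLI (4.x-style syntax) for an A-P cluster.
# Lines starting with # are annotations, not CLI input.

# 0. Before touching firmware (emnoc's advice): save the running configuration off-box.
#    Filename and TFTP server address are placeholders.
execute backup config tftp fgt200a-pre-upgrade.conf 192.0.2.10

# 1. Confirm both members are in sync before starting; the master only pushes the
#    image to the slave once the config is synched (ede_pfau's description).
get system ha status

# Variant A: rolling ("uninterruptable") upgrade, as ede_pfau and RH2 describe.
# Every in-use port of BOTH members must sit on the same switch segment, because
# the slave has to carry live traffic while the old master is being upgraded.
config system ha
    set mode a-p
    set uninterruptable-upgrade enable
    set priority 200            # higher value on the unit that should remain master
    set override enable         # assumption: makes priority decisive, so the old
                                # master is promoted back after its own upgrade
end

# Variant B: what the original poster ended up using. Both members are upgraded and
# reboot together, so there is a short outage, but the slave needs no outside links.
config system ha
    set mode a-p
    set uninterruptable-upgrade disable
end
```

With equal priorities and override left disabled, Variant A skips the final fail-back, which is the "avoid one reboot" point made earlier in the thread.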