ps48625
New Member
May 25, 2021
Solved

Upgrading 600E failover pair

  • May 25, 2021
  • 3 replies
  • 8435 views

Hi

I am planning an upgrade of two 600E firewalls (an HA pair). They are currently on 6.0.8 and I will need to go through several steps to get them to the required version, 6.4.5.

My question is: would it be safer to shut down the switch ports on the secondary firewall and just upgrade one of the firewalls (and then upgrade the secondary firewall in a different change window)? If there were any unexpected issues, this would enable me to fail back to the secondary firewall safely.

I have done a similar process with other vendors' firewalls but am not sure if this method is supported or advisable with FortiGate firewalls.

Many thanks

    Best answer by nomeursy

    Toshi_Esumi
    SuperUser
    May 25, 2021

    If your network tolerates longer downtime, you could isolate the backup in case the upgrade is not one step, like in your case. If it is one step, it's easy to swap the boot partition back if something goes wrong.

    But eventually you need to figure out exactly what was wrong with 6.4.x (6.4.6 has been released) in live. And it would double your work and time. Then finally, as long as you keep a config backup for each step, you can always flush the drive, load whatever version you want to go back to, and then upload the saved config.

    So we never did it the way you're considering.

    ps48625 (Author)
    New Member
    May 26, 2021

    Thanks very much for your reply. Yes, I think it is better to do as you suggest rather than upgrading in two change windows.

    nomeursy (Best answer)
    New Member
    July 23, 2021

    I upgraded an HA pair of FTG1200Ds with 140 VDOMs and 250+ VPN tunnels running on it last year. Patched it from 5.6.x to 6.0.8 (followed the supported upgrade path, which if I remember correctly was 5 steps). But I first broke the HA and took one off-line (cables disconnected: WAN, LAN and HA), did the upgrades and checked the config and logs after every step. Then, when done, I swapped the cables so the upgraded unit was handling the traffic and the other was off-line (lost about 10 seconds of traffic during the swap). Ran it for 2 days, then upgraded the other unit and restored the HA. After the HA was in sync, patched the WAN and LAN cables of the off-line unit, and done. Yes, double the work, but much less stress about whether everything was working after the upgrade. The network and connectivity could not go down for a long period of time, 24/7, so about 4 hiccups in connectivity of about 10 seconds each, spread over 2 days, was very much acceptable. Wouldn't do it any other way!

    BK_LGW
    New Member
    July 23, 2021

    Thank you for this. We ended up breaking another HA pair of two 301E units and using one of those as the test unit. It would have been easier to do the 501E production one, but the higher-ups wanted to be cautious, which I agree with. So now the 301E is humming along on 6.4.6 with no problems thus far. I need to get some more traffic through it to make sure nothing weird happens, but I think it's a success. *knock on wood*

    joepope
    New Member
    August 4, 2021

    Since it is an HA cluster, the firmware upgrade takes care of both nodes. The cluster will fail over the sessions and upgrade each node. If you block one node, your cluster may get out of sync, and it is sometimes a pain resolving that. I have never had issues with firmware upgrades on the HA. Just make a backup first.
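Whichever way the pair is upgraded, the step nomeursy and joepope both touch on is the same: before the split unit is allowed back into the cluster, confirm that both members run the same build and that their configuration checksums agree, otherwise you get the out-of-sync cluster joepope warns about. The script below is an added example written for this thread, not code from the thread, from Fortinet or from FortiOS. It works on text you have already saved from each unit's CLI session (`get system status` and `diagnose sys ha checksum cluster`) rather than connecting to anything, so it runs offline. The sample outputs are constructed, and the line layouts, build numbers and the `rejoin_problems` helper are assumptions modelled on 6.x output, so adjust the two regexes if your units print the lines differently.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output from two cluster members. The layout is modelled on
# FortiOS "get system status" and "diagnose sys ha checksum cluster"; the exact
# line formats and build numbers are assumptions, not captured from a real 600E.
STATUS_A = """\
Version: FortiGate-600E v6.4.5,build1828,210217 (GA)
Serial-Number: FGT600E-CONSTRUCTED-A
Hostname: fw-a
Current HA mode: a-p, master
"""
STATUS_B_LAGGING = """\
Version: FortiGate-600E v6.0.8,build0303,190927 (GA)
Serial-Number: FGT600E-CONSTRUCTED-B
Hostname: fw-b
Current HA mode: standalone
"""
CHECKSUM_A = """\
================== FGT600E-CONSTRUCTED-A ==================
is_manage_master()=1, is_root_master()=1
debugzone
global: 1a 2b 3c 4d
root: 5e 6f 70 81
all: 92 a3 b4 c5
checksum
global: 1a 2b 3c 4d
root: 5e 6f 70 81
all: 92 a3 b4 c5
"""
# Unit B with an identical config, and unit B after someone edited the root
# VDOM on one side while the pair was split (root and "all" hashes drift).
CHECKSUM_B_MATCH = CHECKSUM_A.replace("CONSTRUCTED-A", "CONSTRUCTED-B")
CHECKSUM_B_DRIFT = CHECKSUM_B_MATCH.replace(
    "root: 5e 6f 70 81\nall: 92 a3 b4 c5\n", "root: ff ee dd cc\nall: 01 02 03 04\n")

VERSION_RE = re.compile(r"^Version:\s+\S+\s+v(\d+)\.(\d+)\.(\d+),build(\d+)", re.M)
SUM_RE = re.compile(r"^(\w+):\s+([0-9a-f ]+)$", re.M)

Version = Tuple[int, int, int]


def parse_version(status: str) -> Tuple[Version, int]:
    """Return ((major, minor, patch), build) from a saved 'get system status'."""
    m = VERSION_RE.search(status)
    if not m:
        raise ValueError("no Version line found in status output")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch), build


def parse_checksums(output: str) -> Dict[str, str]:
    """Map config scope (global, each VDOM, all) to its hash.

    Only the block after the bare 'checksum' line is authoritative; the
    'debugzone' block above it is diagnostic and is ignored.
    """
    _, sep, tail = output.partition("\nchecksum\n")
    if not sep:
        raise ValueError("no checksum block found in output")
    return {m.group(1): m.group(2).strip() for m in SUM_RE.finditer(tail)}


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def rejoin_problems(status_a: str, status_b: str, checksum_a: str,
                    checksum_b: str, target: Version) -> List[str]:
    """List every reason the two units should not yet be rejoined as a cluster.

    An empty list means both run the target build and every config scope hashes
    identically, which is what you want before reconnecting the HA link.
    """
    problems: List[str] = []
    ver_a, build_a = parse_version(status_a)
    ver_b, build_b = parse_version(status_b)
    for name, ver in (("A", ver_a), ("B", ver_b)):
        if ver != target:
            problems.append(f"unit {name} runs {fmt(ver)}, target is {fmt(target)}")
    if (ver_a, build_a) != (ver_b, build_b):
        problems.append("firmware build differs between units; "
                        "members must match before HA is restored")
    sums_a, sums_b = parse_checksums(checksum_a), parse_checksums(checksum_b)
    for scope in sorted(set(sums_a) | set(sums_b)):
        if sums_a.get(scope) != sums_b.get(scope):
            problems.append(f"config checksum mismatch in scope '{scope}'")
    return problems


if __name__ == "__main__":
    target = (6, 4, 5)
    for label, status_b, checksum_b in (
            ("both upgraded, configs identical", STATUS_A, CHECKSUM_B_MATCH),
            ("B still on old build, root VDOM drifted", STATUS_B_LAGGING, CHECKSUM_B_DRIFT)):
        found = rejoin_problems(STATUS_A, status_b, CHECKSUM_A, checksum_b, target)
        print(f"{label}: {'OK to rejoin' if not found else 'HOLD'}")
        for p in found:
            print("  -", p)
```

In practice you would save each unit's `get system status` and `diagnose sys ha checksum cluster` output to a file after the final upgrade step and feed those files to `rejoin_problems`. A checksum mismatch while both units already run the target build usually means a change was made on one side during the split; decide which copy is authoritative and restore the per-step config backup Toshi_Esumi recommends keeping, rather than letting the cluster try to reconcile it.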