This article explains the basic process for the firmware upgrade of a FortiAuthenticator Cluster.

FortiAuthenticator cluster (3.1 and above).


  • In a FortiAuthenticator cluster, there is an internal network that is configured to communicate with cluster members. It is called the HA management network. The default is 192.168.15.x/24 network.  A PC is required in the same network which has the FortiAuthenticator firmware image that we need to upgrade to.

  • HTTPS access is required to the management IPs on each of the cluster members.

The upgrade procedure is given below.  It should be done after hours as there will be a down time, this could be a few minutes.

1. It is recommended that no administrative or configuration changes are made between these upgrades. Because of this, expect a short down time.

2. Upgrade the secondary unit first from the management interface, wait until it comes back up.

3. When the secondary unit comes back up, both units will become standalone master because of firmware version mismatch.  This will mean that logins from the public interface may fail at this time.

4. At this point, upgrade the primary unit from the management interface.

5. After the upgrade, the cluster will be formed again and FortiAuthenticator will be in HA mode.