FortiAuthenticator provides access management and single sign on.
Article Id 267707

This article describes how to upgrade a FortiAuthenticator HA cluster one node at a time.

Scope: FortiAuthenticator in an HA pair configured as an Active-Passive cluster. The upgrade is performed on each FortiAuthenticator cluster member individually from the GUI.

The scenario covered is one where a coordinated upgrade fails or is not possible. The article describes the best practices for that case and how to avoid split brain.


In this example, the two FortiAuthenticator units are on firmware version 6.5.1 and are to be upgraded to firmware version 6.5.3.




  1. Connect to the FortiAuthenticator active unit and start the firmware upgrade.
    Go to System > Administration > Firmware Upgrade. Select Upload a file to upload the new firmware image and then select OK.

  2. The following confirmation dialog will be displayed. Select OK.

  3. Uploading of the firmware starts.

  4. After the firmware is uploaded, another screen appears. Choose the HA Upgrade type Single and click 'Backup and Upgrade'.

  5. The following message indicates that the upgrade process has started.

    The device reboots. While the active member device is rebooting, the standby member becomes the active member.

  6. Start the firmware upgrade on the new active member (the former standby device).

    To upgrade the standby HA member, connect to the device using the HA cluster member IP address as defined in the GUI.

  7. Repeat the same steps performed on the previous unit.

    The device reboots. After both devices have rebooted, the original active member becomes the active device, while the standby member returns to being the standby device based on the assigned priorities.

    Note: If the primary device finishes rebooting before the secondary unit starts the firmware upgrade process, which can be as short as 30 seconds, it can cause a so-called 'split brain' scenario due to a firmware mismatch.






    Split brain: Both devices are claiming to be active cluster members.




How to fix it?

  1. Reboot or shut down the active cluster member to which there is access.
  2. Start the firmware upgrade to the required version so that both devices have the same version.
  • The device reboots.
  • After both devices reboot, the primary unit will become the active member as per the assigned priority (high).




Note: If the reboot option is chosen and the reboot always completes before the upgrade starts on the secondary device, the cluster will loop endlessly back into a split-brain scenario.

The only remaining option is then to have physical access to the device in the case of a hardware unit, or access to the virtual machine in the case of FortiAuthenticator-VM.


  • Shut down the primary device and keep it down until the secondary unit starts the upgrade process.
  • When the upgrade process on the secondary device starts, turn the primary device on.
  • Wait for 3-5 minutes until the cluster is formed again.
  • Verify the HA status on the primary device GUI.



Peer status:




Related documents:

Upgrading the firmware.

High availability.