jdelafuente_FTNT
Article Id 244835
Description

This article describes an alternative way to recover the HA sync status in a FortiGate cluster by using a modified backup configuration file.

Scope

FortiGate, Cluster, HA.

Solution

Sometimes an HA cluster goes out of sync because of configuration that cannot be modified (for example a UUID or system objects).

This method helps to resolve that situation.

Prerequisites:

  • Physical access to the cluster.
  • Serial console cable.
  • Identify the ports and cables connected (label them if needed).
  • Super admin account credentials, IP, and port for management.

Preparation of the modified file:

  • Access the current primary FortiGate GUI and download a configuration file backup.
  • Access the current secondary FortiGate CLI and take note of the following configurations:

show system global                      <----- Hostname and alias.
show system ha                          <----- Priority, management and override status*.
show system interface "interface_name"  <----- All management interfaces.

  • Open the primary's configuration file with a text editor (Notepad++), replace all of the above configurations with the secondary unit's values, and save it as a new file.
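One way to make the edit from the step above without touching anything outside the intended stanzas, as an added Python example that is not part of this article (the sample backup text is constructed, and patch_for_secondary is a hypothetical helper name):

```python
# Constructed sample of a primary FortiGate backup, trimmed to the stanzas this article edits.
PRIMARY_BACKUP = """\
config system global
    set alias "FGT-A"
    set hostname "FGT-PRIMARY"
end
config system interface
    edit "mgmt"
        set ip 192.168.1.10 255.255.255.0
    next
    edit "port1"
        set ip 10.0.0.1 255.255.255.0
    next
end
config system ha
    set priority 200
    set override enable
end
"""
def patch_for_secondary(text, hostname, alias, priority, mgmt_ips):
    """Return the primary's backup with the secondary's hostname, alias, HA priority
    and management IPs (mgmt_ips: interface name -> "ip mask") substituted, stanza by stanza."""
    out, stack = [], []              # stack entry: [config path, current edit]
    old_priority = override = None
    for line in text.splitlines():
        s = line.strip()
        pad = line[:len(line) - len(line.lstrip())]
        if s.startswith("config "):
            stack.append([s[7:], None])
        elif s == "end" and stack:
            stack.pop()
        elif s.startswith("edit ") and stack:
            stack[-1][1] = s[5:].strip('"')
        elif s == "next" and stack:
            stack[-1][1] = None
        elif s.startswith("set ") and stack:
            ctx, edit = stack[-1]
            key, _, val = s[4:].partition(" ")
            if ctx == "system global" and key in ("hostname", "alias"):
                line = f'{pad}set {key} "{hostname if key == "hostname" else alias}"'
            elif ctx == "system ha" and key == "priority":
                old_priority, line = int(val), f"{pad}set priority {priority}"
            elif ctx == "system ha" and key == "override":
                override = val
            elif ctx == "system interface" and key == "ip" and edit in mgmt_ips:
                line = f"{pad}set ip {mgmt_ips[edit]}"
        out.append(line)
    if override == "enable" and old_priority is not None and priority >= old_priority:
        raise ValueError("override enabled: secondary priority must be lower than primary")
    return "\n".join(out) + "\n"
```

The override check enforces note * below: with override enabled, the file is rejected unless the secondary's priority is lower than the primary's.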

Procedure:

  1. Connect to the secondary FortiGate using a serial console cable.**
  2. Execute the following command and confirm it:

execute factoryreset

     2.1. While it restarts, disconnect the network cables from the Fw-Slave (optional***).

  3. Configure the laptop's Ethernet IP as 192.168.1.20/255.255.255.0; no gateway or DNS is needed.
  4. Connect an Ethernet cable between the laptop and the default management port of the FortiGate (mgmt or port1, depending on the model).
  5. Access the secondary FortiGate GUI with the default credentials:

user: admin
password: blank

  6. Restore the configuration using the modified backup file.
  7. If possible, stay connected to the wireless network and access the cluster GUI to check the HA status.
     7.1. Once rebooted, change the laptop's NIC address, connect to internal, and validate the hostname and HA priority (optional, only if step 2.1 has been followed).
     7.2. Turn off the Fw-Slave again, reconnect the cables, and power it on (optional, only if step 2.1 has been followed).
  8. After a few minutes, the cluster should show up and be in sync.

Important notes:

* If override is enabled, be sure the priority on the secondary is lower than on the primary.

** SSH can be used instead, but be careful to switch between primary and secondary administration.

*** It is always better to recover and validate the configuration before rebuilding HA.