FortiGate
Umer221, Staff
Article Id 348217
Description: This article describes how to automate the manual synchronization of a High Availability (HA) cluster by using an automation stitch. Whenever an HA out-of-sync event is logged, the FortiGate automatically runs a manual sync through a CLI Script action.

Scope: FortiGate, High Availability, Automation Stitches.

Solution:

Note:

This solution is not a replacement for investigating the root cause of why the FortiGate is going out of sync. The underlying issue should still be thoroughly examined.

When an HA cluster is out of sync, the GUI displays the following:

HA Out Of Sync.png


In such a case, a manual sync can be used to bring the cluster back into sync. This can be automated with an automation stitch that runs as soon as the event log alert indicating HA is out of sync is triggered.


  1. Create a New Automation Stitch:
  • Go to Security Fabric -> Automation -> Create New.
  • Give the automation stitch a descriptive name.

Fabric.png


  2. Add a Trigger:
  • In the Stitch section, select Add Trigger.
  • Select 'Create' to define a new trigger.

Trigger add.png


  3. Select 'FortiOS Event Log':
  • In the list of available triggers, select FortiOS Event Log.

Event.png


  4. Define the Trigger Based on the Event Log:
  • Set the event type to HA synchronization failed.
  • Specify the matching log ID (LOG_ID_HA_SYNC_FAIL) so that the trigger fires only on this exact failure event.

HA ID.png


  5. Confirm Trigger Selection:
  • Once the trigger is defined, select the newly created HA out of Sync trigger.

image - 2024-10-09T111237.235.png


  6. Add an Action:
  • In the Stitch section, select Add Action.
  • Select Create to set up the corresponding action.

Action.jpg

  7. Select 'CLI Script':
  • From the list of available actions, choose CLI Script so that the commands run automatically when the trigger fires.

Script.png


  8. Complete CLI Script Configuration:
  • Enter the CLI commands that synchronize the HA cluster:

Script 2.png

Script 3.png


  9. Select the Action:
  • Once the CLI script is configured, select the action from the list to complete the automation stitch.

Final Action (2).png
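The same stitch expressed in the FortiOS CLI, as an added example that is not part of the original article (the article builds it in the GUI). The object names are arbitrary, the numeric log ID is a placeholder for the ID that the GUI labels LOG_ID_HA_SYNC_FAIL, and the `accprofile`, `minimum-interval` and `config actions` keywords are assumed to match the FortiOS 7.x syntax; confirm them against the CLI reference for your build.

```text
# Added example: CLI equivalent of the GUI stitch described in the article.
# Apply the same configuration on BOTH cluster members.

# 1. Trigger: fire on the "HA synchronization failed" event log entry.
config system automation-trigger
    edit "HA-out-of-sync"
        set event-type event-log
        # placeholder: replace with the numeric log ID that the GUI
        # lists as LOG_ID_HA_SYNC_FAIL (the article does not give the number)
        set logid <LOG_ID_HA_SYNC_FAIL>
    next
end

# 2. Action: run the manual synchronization command.
config system automation-action
    edit "HA-manual-sync"
        set action-type cli-script
        set script "execute ha synchronize start"
        # assumed (FortiOS 7.x): the admin profile the script runs under.
        # Use the most restrictive profile that can still run the command.
        set accprofile "super_admin"
        # assumed (FortiOS 7.x): rate-limit in seconds, so a cluster that keeps
        # failing to sync does not re-run the script on every event
        set minimum-interval 300
    next
end

# 3. Stitch: bind the trigger to the action.
config system automation-stitch
    edit "HA-auto-sync"
        set status enable
        set trigger "HA-out-of-sync"
        config actions
            edit 1
                set action "HA-manual-sync"
                set required enable
            next
        end
    next
end
```

After applying it, `diagnose automation test HA-auto-sync` fires the stitch by hand without waiting for a real event, and `diagnose sys ha checksum cluster` shows whether the members' configuration checksums match afterwards; both commands are present in recent FortiOS releases, but check your version.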

Note:

The above automation stitch needs to be configured on both FortiGates in the HA cluster, so that each unit is able to run the script individually.


Once this configuration is complete, the system automatically runs the manual synchronization script when the HA cluster goes out of sync, keeping manual intervention to a minimum.


Related documents:

Creating automation stitches

Use FortiGate automation stitches for alert emails

Procedure for HA manual synchronization

How to troubleshoot HA synchronization issue using GUI

FortiGate HA synchronization messages and cluster verification steps