FortiGate
mtse
Staff
Article Id 370552
Description

This article describes a scenario where HA is out of sync due to a checksum difference in 'system.storage' even though both FortiGate units are on the same hardware revision. In such a scenario, check whether the cause is a mismatch in the 'exec ha ignore-hardware-revision' setting between the units.

Scope

FortiGate.
Solution

This can happen after a new replacement unit is installed (such as after the RMA of an old unit with a different hardware revision). If 'exec ha ignore-hardware-revision enable' had been run on both FortiGates in the former HA cluster, HA sync was good previously. On the new replacement unit, however, 'exec ha ignore-hardware-revision enable' has not been run, so HA may go out of sync with a checksum mismatch in 'system.storage'. For example:

system.storage: 00000000000000000000000000000000

When 'ha ignore-hardware-revision' is enabled on a FortiGate, 'system storage' checksum checking is skipped. The 'ha ignore-hardware-revision' setting persists across a factory reset and image upgrades.

Because the 'ha ignore-hardware-revision' setting differs between the FortiGate cluster members, HA becomes out of sync. Verify the current setting on each unit with the command 'exec ha ignore-hardware-revision status', then ensure both FortiGates have the same setting.

 

Related article:

Technical Tip: Forming an HA cluster with models of different hardware revision level