Created on 08-24-2024 05:20 AM Edited on 08-26-2024 10:09 PM By Jean-Philippe_P
Description: This article describes the steps to change the HA password in a FortiGate High Availability cluster, and what to expect after the password change.
Scope: FortiGate.
Solution:
In a FortiGate High Availability cluster, the HA password must be the same on all FortiGates in the cluster (Primary and Secondary). When the password needs to be changed, the new password must be updated on every unit in the cluster. This article describes how to perform the change with the least impact on services.
Prerequisite: Ensure both FortiGates are fully in sync before starting the password change procedure, and take a backup of the Primary FortiGate configuration.
Procedure:
From the GUI of the Primary FortiGate, enter the new password under System -> HA -> Edit (Primary) -> High-Availability -> Cluster Settings -> Password -> Change.
The same can be done from the CLI:
FortiGate-HA-1 # config system ha
FortiGate-HA-1(ha) # set password <new-password>
FortiGate-HA-1(ha) # end
The new HA password is automatically synchronized to the Secondary FortiGate. A re-election is expected, but no split-brain. With override enabled, the previous primary unit remains primary; with override disabled, the primary is chosen by the HA election process described in the related article at the end of this page. About 1-2 seconds of connectivity loss can be expected during the change, depending on how quickly the primary synchronizes the new password to the secondary.
Verify the cluster state and configuration sync after the change:
FortiGate-HA-1 # get sys ha status
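The safe-path condition above (change the password only while every member reports in-sync) is easy to automate as a pre-flight check when the procedure is driven over SSH. The following Python is an added example and not part of the Fortinet article: it parses the text returned by `get system ha status`, returns the per-member state from the "Configuration Status" section, and reads the `override` setting so the operator knows whether the previous primary is guaranteed to stay primary. The sample output, hostnames and serial numbers are constructed placeholders that follow the layout of the real command's output.

```python
"""Pre-flight check before changing the FortiGate HA password.

Added example (not Fortinet code). Feed it the text of `get system ha status`
captured over SSH; it reports whether the cluster is safe to change.
SAMPLE_* below are constructed outputs with placeholder serials/hostnames.
"""
import re
from typing import Dict

SAMPLE_IN_SYNC = """\
HA Health Status: OK
Model: FortiGate-100F
Mode: HA A-P
Group: 0
Debug: 0
Cluster Uptime: 3 days 4:12:07
Cluster state change time: 2024-08-24 05:20:00
Primary selected using:
    <2024/08/24 05:20:00> FGT-SERIAL-00001 is selected as the primary because it has the largest value of override priority.
ses_pickup: enable, ses_pickup_delay=disable
override: enable
Configuration Status:
    FGT-SERIAL-00001(updated 2 seconds ago): in-sync
    FGT-SERIAL-00002(updated 3 seconds ago): in-sync
System Usage stats:
    FGT-SERIAL-00001(updated 2 seconds ago):
        sessions=120, average-cpu-user/nice/system/idle=1%/0%/1%/98%, memory=31%
Primary     : FortiGate-HA-1  , FGT-SERIAL-00001, HA cluster index = 0
Secondary   : FortiGate-HA-2  , FGT-SERIAL-00002, HA cluster index = 1
"""

# Same cluster, but the secondary has not caught up: the unsafe case.
SAMPLE_OUT_OF_SYNC = SAMPLE_IN_SYNC.replace(
    "FGT-SERIAL-00002(updated 3 seconds ago): in-sync",
    "FGT-SERIAL-00002(updated 3 seconds ago): out-of-sync",
)

# One indented member line: "<serial>(updated N seconds ago): <state>"
_MEMBER_RE = re.compile(r"^\s+(\S+?)\(updated [^)]*\):\s*(\S+)\s*$")


def parse_config_status(output: str) -> Dict[str, str]:
    """Return {serial: state} for every member listed under 'Configuration Status:'."""
    members: Dict[str, str] = {}
    in_section = False
    for line in output.splitlines():
        if line.startswith("Configuration Status:"):
            in_section = True
            continue
        if in_section:
            m = _MEMBER_RE.match(line)
            if not m:
                break  # first unindented line ends the section
            members[m.group(1)] = m.group(2)
    return members


def override_enabled(output: str) -> bool:
    """True when 'override: enable' is present, i.e. the current primary keeps its role."""
    m = re.search(r"^override:\s*(\S+)", output, re.MULTILINE)
    return bool(m and m.group(1) == "enable")


def cluster_in_sync(output: str, expected_members: int = 2) -> bool:
    """Safe to change the HA password on the primary only if all expected members
    are present and every one of them reports in-sync."""
    members = parse_config_status(output)
    if len(members) != expected_members:
        return False  # a missing member is as unsafe as an out-of-sync one
    return all(state == "in-sync" for state in members.values())


if __name__ == "__main__":
    for label, text in (("in-sync", SAMPLE_IN_SYNC), ("out-of-sync", SAMPLE_OUT_OF_SYNC)):
        verdict = "OK to change HA password" if cluster_in_sync(text) else "STOP: resync first"
        print(f"{label}: {parse_config_status(text)} override={override_enabled(text)} -> {verdict}")
```

Run the check immediately before `set password` and again after `end`; if the second run shows a member missing or out-of-sync, stop and follow the resynchronization guidance below rather than retrying the password change.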
If the units are not in sync, use the suggestions in the following two articles to bring the FortiGates fully into sync:
Troubleshooting Tip: How to troubleshoot HA synchronization issue using GUI
Technical Tip: Procedure for HA manual synchronization
If the FortiGates remain out of sync even after following the above suggestions, do not change the HA password directly on the Primary FortiGate, as this could cause a split-brain scenario (i.e. both units become Primary). Instead, use the steps below to isolate the Secondary FortiGate from the cluster during a maintenance window and change the HA password:
Note: Take a backup of the Primary FortiGate before proceeding. Ensure physical access to both FortiGates is available.
Step 1: Power off the Secondary FortiGate.
Step 2: Disconnect the HA cables and all other cables from the Secondary FortiGate (after labeling the cables so they can be reconnected in Steps 6 and 7).
Step 3: On the Primary FortiGate GUI, go to System -> HA and verify that only one FortiGate is listed in the HA cluster. Then change the HA password from System -> HA -> Edit (Primary) -> High-Availability -> Cluster Settings -> Password -> Change (or use the CLI to change the password).
Step 4: Power on the Secondary FortiGate.
Step 5: Log in to the Secondary FortiGate through its management port or console port. Change the HA password on this unit to the same password set on the Primary unit in Step 3. Confirm the passwords match before going to the next step.
Step 6: Reconnect the HA cables and verify that the Secondary unit joins the HA cluster. On the Primary unit, verify both units are listed under System -> HA and that they are in sync.
Step 7: Reconnect all remaining cables of the Secondary unit.
Note: In Step 6, if the HA units are still not in sync after reconnecting the cables, then the secondary unit needs to be factory reset and its HA config rebuilt (follow the steps in the section 'Isolate secondary unit and rebuild HA config' in Troubleshooting Tip: How to troubleshoot HA synchronization issue using GUI) so that the config is re-synchronized from scratch.
Related article: Technical Tip: FortiGate HA Primary unit selection process when override is disabled vs enabled