caunon
Staff
Article Id 274227
Description

This article describes a case in which the units of an HA cluster are out of sync.

 

Go to FortiGate -> System -> HA and hover the mouse over 'Not Synchronized': it shows '1 Table Out of Sync' with 'system.admin'.

Scope

FortiGate v7.2.x.

Solution

When FortiGate -> System -> HA shows that the HA units are out of sync, the cause may be that system.admin is not the same on both units.

 


 

Run the CLI commands below on both HA units to make sure that both units have the same admin user settings.

On the CLI of FW-01:

 

FW-01 # config system admin
FW-01 # show
    config system admin
        edit "admin"
            set trusthost1 192.168.24.0 255.255.255.0
            set accprofile "super_admin"
            set vdom "root"
            set password-expire 2024-05-15 09:51:35
            set password ENC XXXXXXXXX
        next
        edit "testAdminUser1"
            set trusthost1 192.168.145.0 255.255.255.0
            set trusthost2 192.168.15.0 255.255.255.0
            set accprofile "super_admin"
            set vdom "root"
            set password-expire 2024-09-24 14:19:59
            set password ENC YYYYYYYYY
        next
    end

 

 

On the CLI of FW-02:

 

FW-02 # config system admin
FW-02 # show
    config system admin
        edit "admin"
            set trusthost1 192.168.24.0 255.255.255.0
            set accprofile "super_admin"
            set vdom "root"
            set password-expire 2024-05-15 09:51:35
            set password ENC XXXXXXXXX
        next
        edit "testAdminUser1"
            set trusthost1 192.168.145.0 255.255.255.0
            set trusthost2 192.168.15.0 255.255.255.0
            set accprofile "super_admin"
            set vdom "root"
            set password-expire 2024-09-24 15:19:59
            set password ENC YYYYYYYYY
        next
    end

 

FW-01 and FW-02 have the same users, but both HA units still show 'Not Synchronized'.

Look more closely at the password-expire setting and make sure that its date and time values are the same on both units.

On FW-01, 'testAdminUser1' shows 'set password-expire 2024-09-24 14:19:59'.

On FW-02, 'testAdminUser1' shows 'set password-expire 2024-09-24 15:19:59'.

Comparing the two settings, the expiry value may show a 1-hour difference: 14:19:59 on FW-01 and 15:19:59 on FW-02.
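
The field-by-field comparison above can be scripted when there are many admin accounts. The following Python sketch is an added example, not part of the original article or any Fortinet tool: it parses saved 'show' output from each unit and lists every admin setting that differs. The sample text is constructed from the output on this page, and the function names are hypothetical.

```python
import re

# Constructed sample input: 'show' output of 'config system admin' saved from
# each unit, shortened from the output on this page.
FW01 = '''
config system admin
    edit "admin"
        set trusthost1 192.168.24.0 255.255.255.0
        set accprofile "super_admin"
        set password-expire 2024-05-15 09:51:35
    next
    edit "testAdminUser1"
        set password-expire 2024-09-24 14:19:59
    next
end
'''
FW02 = FW01.replace("14:19:59", "15:19:59")

def parse_admins(text):
    """Return {admin_name: {setting: value}} from 'show' output."""
    admins, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = admins.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            # Everything after the setting name is the value (may contain spaces).
            key, _, value = line[4:].partition(" ")
            current[key] = value
    return admins

def diff_admins(a, b):
    """List (admin, setting, value_a, value_b) for every mismatch."""
    out = []
    for name in sorted(set(a) | set(b)):
        sa, sb = a.get(name), b.get(name)
        if sa is None or sb is None:
            # Admin exists on one unit only: report presence as True/False.
            out.append((name, "<entry>", sa is not None, sb is not None))
            continue
        for key in sorted(set(sa) | set(sb)):
            if sa.get(key) != sb.get(key):
                out.append((name, key, sa.get(key), sb.get(key)))
    return out

if __name__ == "__main__":
    for row in diff_admins(parse_admins(FW01), parse_admins(FW02)):
        print("%s: %s  FW-01=%s  FW-02=%s" % row)
```
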

 

To fix the issue, correct the setting on FW-01 via the CLI so that it matches FW-02, as below.

 

On the CLI of FW-01:

 

FW-01 # config system admin
FW-01 (admin) # edit testAdminUser1
FW-01 (testAdminUser1) # set password-expire 2024-09-24 15:19:59
FW-01 (testAdminUser1) # next
FW-01 (admin) # end
FW-01 #

 

Then navigate to System -> HA; it should now show both FW-01 and FW-02 as 'Synchronized' units.

 
