Requirements.

1. All configurations must be backed up.
2. Before starting the upgrade process, make sure that both firewalls are synchronized.
3. Make sure that HA ports and data ports are defined correctly on both firewalls.
4. Check the status of IPSec tunnels on the firewall. If there are currently down IPSec tunnels, these tunnels should be noted (in order not to try to bring up the IPSec tunnel when it is seen down after the upgrade).
5. Check the status of FortiAPs on the firewall. If there are currently down FortiAPs, these FortiAPs should be noted (in order not to try to bring up the FortiAP when it is seen down after the upgrade).

Process steps:

Stop Synchronization Between Firewalls.

Run the following command on both the primary and secondary firewalls:

execute ha synchronize stop

Verify HA Functionality:

Down an unused port on the secondary firewall. Check that this port is not down on the primary firewall. Make sure that config synchronization is not working.

config system interface

    edit xxx

        set status down

next

Disable ports on the secondary firewall:

First, disable the data ports on the secondary firewall using the CLI. Then, disable the HA ports on the secondary firewall using the CLI.

config system interface

    edit xxx

        set status down

    next

    edit ha

        set status down

    next

end

Restart the secondary firewall:

Restart the secondary firewall before starting the upgrade. Make sure that there are no error crashes after the restart by using the following command:

diagnose debug config-error-log read

Upgrade the secondary firewall:

Upgrade the secondary firewall to the following version in order, from x to y.

After each upgrade step is successfully completed: check if there is any corruption in the config with the command 'diagnose debug config-error-log read'.

Re-enable Ports on Secondary Firewall:

First, enable HA ports on the Secondary firewall. Then, enable data ports on the Secondary firewall. Verify that the Secondary firewall re-establishes the HA connection with the Primary firewall. Note: It is normal to see 'HA Out of Sync' on the GUI because synchronization is stopped.

Trigger Failover on Primary Firewall:

Run the following command on the Primary firewall to redirect traffic to the Secondary firewall:

diagnose sys ha reset-uptime

Verify that traffic is successfully redirected to the Secondary firewall.

Testing and Validation:

Verify network functionality and traffic flow by performing the necessary tests. Verify that the secondary firewall, currently the primary, is working properly on version y.

Preparing for Fallback:

The primary firewall is at version x and its connections are fully operational, ready for a possible fallback scenario.

Notes:

• After HA is re-established, the hostname and time zone settings do not automatically synchronize.
• Before synchronization is restarted, it is important to make sure that the versions are the same.
• The order in which ports are opened and closed is very important; otherwise, traffic flow may be disrupted.

Conclusion:

After the upgrade is complete and all tests are successful, the network should work smoothly on the upgraded secondary firewall. The primary firewall is on standby at the old version to provide a fallback if necessary.