VinayHM
Staff
Article Id 267132
Description This article describes how to break the HA cluster and re-add the device again if there are too many checksum mismatches to correct by hand.
Scope FortiOS.
Solution

Step 1:

  • Remove the network cables from the Secondary. Once the HA cables are disconnected, each unit will consider itself the Primary, so removing the network cables beforehand is what prevents a split-brain scenario. It is very important that this is the first step.
  • Disconnect the HA (Heartbeat) cables. In order to restore a config file without affecting the Primary, the Secondary needs to be isolated. 

Step 2:

  • Backup the configuration from the Primary. This will be edited so it can be applied to the Secondary.
  • Ensure that the priority is set correctly so that the units will not fail over once the Secondary is reintroduced:

 

config system ha
    set group-id <group id>
    set group-name <cluster name>
    set hbdev <heartbeat interfaces and priority>
    set password <set plain-text cluster password>
    set priority <set a LOWER priority here to ensure the unit remains secondary>
    set mode <a-a or a-p, mirror from above>
    set override disable <recommended to ensure the new unit cannot take over as primary initially>
end

 

  • Change the hostname so that it is different from the Primary unit:

 

config system global
    set hostname <name>
end

 

Step 3:

  • Restore the config file to the Secondary unit. Once it comes back up, reconnect the HA cables.
  • The units should see each other at this point. Give them a moment to sync. Use this command to check the HA sync status:

 

get sys ha status

 

  • Once it is in sync, connect the network cables. The cluster will reform successfully. 
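The Step 2 edits, scripted as an added example (not code from the article or from Fortinet): it rewrites the hostname, priority and override settings in a plain-text backup of the Primary, leaving nested tables and the password line untouched. The function name, the sample excerpt and the values used (FGT-B, priority 50) are assumptions, and the backup file is assumed to be unencrypted.

```python
import re

# Constructed excerpt of a Primary backup (not from the article); values are samples.
SAMPLE = """\
config system global
    set alias "FGT-A"
    set hostname "FGT-A"
end
config system ha
    set group-id 10
    set group-name "cluster1"
    set password ENC <redacted>
    set hbdev "ha1" 50 "ha2" 50
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
        next
    end
    set priority 200
end
"""

def prepare_secondary_config(text, hostname, priority):
    """Return the Primary's backup text edited for restore on the Secondary."""
    targets = {"config system global": {"hostname": f'"{hostname}"'},
               "config system ha": {"priority": str(priority), "override": "disable"}}
    out, block, depth, pending, indent = [], None, 0, {}, ""
    for line in text.splitlines():
        s = line.strip()
        if block is None:
            if s in targets:  # start of a block that Step 2 edits
                block, depth, pending = s, 1, dict(targets[s])
                indent = line[:len(line) - len(line.lstrip())] + "    "
        elif s.startswith("config "):
            depth += 1  # nested table (e.g. ha-mgmt-interfaces): left untouched
        elif s == "end":
            depth -= 1
            if depth == 0:
                # Backups omit default values, so append settings not yet seen.
                out.extend(f"{indent}set {k} {v}" for k, v in pending.items())
                block = None
        elif depth == 1:
            m = re.match(r"(\s*)set (\S+)\s", line)
            if m and m.group(2) in pending:
                line = f"{m.group(1)}set {m.group(2)} {pending.pop(m.group(2))}"
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(prepare_secondary_config(SAMPLE, "FGT-B", 50), end="")
```

Diff the result against the original backup before restoring it; only the hostname, priority and override lines should differ.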

 
