FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
It's possible to check if the checksums are matching during this debug output Disable debugging once the Backup units are in sync with the Master unit or the capturing of logs is completed:
# diag debug disable # diag debug reset
3) Manual synchronization
In certain specific scenarios, the cluster fails to synchronize due to some elements in the configuration. To avoid rebuilding the cluster, compare the configurations and perform the changes manually.
a) Obtain the configurations from both units clearly marked as Master and Backup.
Make sure the console output is standard (no '---More---' text appears*), log the ssh output, and issue the command 'show' in both units**. Note*: To remove paginated display:
# config system console
set output standard
Note**: Do NOT issue 'show full-configuration' unless necessary.
b) Use a comparison tool to check the two files side-to-side(ie. Notepad++ with the 'Compare' plugin).
c) Certain fields can be ignored (hostname, SN, interface dedicated to management if configured, password hashes, certificates, HA priorities and override settings, and disk labels).
d) Perform configuration changes in CLI on Backup units to reflect the Master config; if errors occur and they are explanatory, act accordingly. If they are not explanatory and the config can’t be changed (added/deleted), make sure these errors are logged and presented in a TAC case.
After all, the changes outlined in the comparison are corrected, check for cluster status once again.
4) Restart the ha daemons / restart the units, one by one.
Note: This step requires a maintenance window and might need physical access to both units, as it can affect the traffic
In case there is no output generated in hasync debug or hatalk debug, a restart of these daemons may be needed. This can be done by running the following commands on each unit at a time:
# diag sys top <----- Note: the process ID of hasync and hatalk
This happens in the situation the hasync can’t communicate properly with the other unit. What can be done: - make sure the units are running the same firmware #get system status - reboot both units one at a time, starting with the Slave
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.