- A FortiGate HA cluster must meet the following criteria:
- A valid license on each member.
- Same hardware model.
- Same FortiGuard license entitlement.
- Same FortiOS version.
- Users upgrading the license to support more resources without following the proper steps may encounter a split-brain scenario, which will result in intermittent network disconnection.
- User traffic will be interrupted during the upgrade process because each FortiGate restarts. It is therefore recommended to perform the steps during a maintenance window.
- The process to upgrade the license on the FortiGate VM HA pair is as follows:
- Upload and import the license to the primary FortiGate. The primary FortiGate will reboot and the secondary FortiGate will take over the master role (see Technical Tip: How to upgrade a FortiGate VM license).
- Once the primary FortiGate has started successfully, initiate the shutdown promptly, before it tries to re-form HA with a license entitlement that no longer matches the secondary, by running the following command:
    execute shutdown
- After the primary FortiGate has shut down, increase the resources (CPU, memory) from the hypervisor platform to match the new license.
- Power up the primary FortiGate once the resources have been added.
- After the above steps are done, repeat the same sequence (import the license, shut down after the reboot, add resources, power up) on the secondary FortiGate.
- Based on the console output, it is possible to see that the primary FortiGate has been updated with the proper license:
- However, it is possible that HA will not form and users will have difficulty connecting to the FortiGate management GUI IP address:
FG-Master:
FG-Slave:
This issue is called 'split-brain' and it occurs due to the mismatch of license entitlement between the primary and secondary FortiGate.
To resolve this, shut down the primary FortiGate and increase the vCPU or vRAM accordingly.
- Upload the license to the secondary FortiGate; once it has rebooted following the license import, shut it down in the same way.
- Power on the primary FortiGate while the secondary FortiGate is powered down.
- When the primary FortiGate is back online, it will process the traffic. Now increase the vCPU or vRAM accordingly on the secondary FortiGate.
- Power up the secondary FortiGate after the resources have been added. The HA setup will start to take effect:
To view the license status, expiration date, and VM resources, run the following command:
    get system status
    Version: FortiGate-VM64-KVM v6.4.12,build2060,230214 (interim)
    ...
    Serial-Number: FGVM02T**********
    ...
    License Status: Valid
    License Expiration Date: 2023-12-10
    VM Resources: 1 CPU/8 allowed, 2010 MB RAM
    ...
To display license details, run the following command:
    diagnose debug vm-print-license
    SerialNumber: FGVM08**********
    CreateDate: Tue Dec 10 00:57:32 2022
    License expires: Thu Dec 10 00:00:00 2023
    Expiry: 366
    Key: yes
    Cert: yes
    Key2: yes
    Cert2: yes
    Model: 08 (11)
    CPU: 8
    MEM: 2147483647
To display license information from FortiGuard:
    diagnose hardware sysinfo vm full
    UUID: abbe****************************
    valid: 1
    status: 1
    code: 200
    warn: 0
    copy: 0
    received: 4604955037
    warning: 4600905081
    recv: 202009152207
    dup:
Fields, values, and their descriptions:
- valid (validity): 0 = Invalid. 1 = Valid.
- status: 0 = Startup. 1 = Success. 2 = Warning. 3 = Error. 4 = Invalid Copy. 5 = Eval Expired. 6 = Grace Period. For FortiFlex, there is a two-hour grace period before traffic is passed upon retrieving the license from FortiCare.
- code: 2xx, 3xx = Success (200 = Valid; 202 = Accepted, treated as a correct response code). 4xx = Error (400 = Expired; 401 = Duplicate). 5xx = Warning (500 = Warning; 502 = Invalid, cannot connect to FortiGuard Distribution Servers). 6xx = Evaluation license expired. All other codes are errors.
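As an added example (not code from the Fortinet article), the following Python script takes the text of `get system status` captured from each HA member plus the output of `diagnose hardware sysinfo vm full`, checks the HA criteria listed at the top of the article (same model, same FortiOS version, valid license, same entitlement), flags the license-entitlement mismatch (different "CPU allowed" values) that the article names as the cause of split-brain, and decodes the valid/status/code fields using the table above. The sample outputs are constructed in the shape of the article's excerpts; the serial numbers and UUID are placeholders, and collecting the real outputs over SSH is left to the operator.

```python
import re

# Field meanings from the article's table for `diagnose hardware sysinfo vm full`.
VALIDITY = {0: "Invalid", 1: "Valid"}
STATUS = {
    0: "Startup", 1: "Success", 2: "Warning", 3: "Error",
    4: "Invalid Copy", 5: "Eval Expired", 6: "Grace Period",
}


def describe_code(code):
    """Map a FortiGuard response code to the article's meaning; exact codes win over ranges."""
    exact = {
        200: "Valid", 202: "Accepted", 400: "Expired", 401: "Duplicate",
        500: "Warning", 502: "Invalid: cannot connect to FortiGuard Distribution Servers",
    }
    if code in exact:
        return exact[code]
    if 200 <= code <= 399:
        return "Success"
    if 500 <= code <= 599:
        return "Warning"
    if 600 <= code <= 699:
        return "Evaluation license expired"
    return "Error"  # 4xx and every code the table does not list


def parse_system_status(text):
    """Extract model, FortiOS version, license state and VM resources from `get system status`."""
    version = re.search(r"Version:\s*(\S+)\s+v([^\s(]+)", text)
    resources = re.search(r"VM Resources:\s*(\d+)\s*CPU/(\d+)\s*allowed,\s*(\d+)\s*MB RAM", text)
    return {
        "model": version.group(1),
        "version": version.group(2),
        "license_status": re.search(r"License Status:\s*(\w+)", text).group(1),
        "license_expires": re.search(r"License Expiration Date:\s*(\S+)", text).group(1),
        "cpu_allocated": int(resources.group(1)),
        "cpu_allowed": int(resources.group(2)),
        "ram_mb": int(resources.group(3)),
    }


def parse_vm_full(text):
    """Decode the numeric fields of `diagnose hardware sysinfo vm full`."""
    fields = {k: int(v) for k, v in re.findall(r"\b(valid|status|code|warn|copy):\s*(\d+)", text)}
    return {
        "valid": VALIDITY.get(fields["valid"], "Unknown"),
        "status": STATUS.get(fields["status"], "Unknown"),
        "code": describe_code(fields["code"]),
        # Licensed and talking to FortiGuard: valid, status Success, code 200 or 202.
        "ok": fields["valid"] == 1 and fields["status"] == 1 and fields["code"] in (200, 202),
    }


def check_ha_pair(primary, secondary):
    """Return the HA criteria the two parsed members violate (empty list = clean)."""
    problems = []
    for key, label in (("model", "hardware model"), ("version", "FortiOS version"),
                       ("cpu_allowed", "license entitlement (CPU allowed)")):
        if primary[key] != secondary[key]:
            problems.append(f"{label} differs: primary {primary[key]} vs secondary {secondary[key]}")
    for name, member in (("primary", primary), ("secondary", secondary)):
        if member["license_status"] != "Valid":
            problems.append(f"{name} license status is {member['license_status']}")
        if member["cpu_allocated"] > member["cpu_allowed"]:
            problems.append(f"{name} has {member['cpu_allocated']} vCPU but the license allows {member['cpu_allowed']}")
    return problems


def needs_resource_increase(member):
    """True when the imported license allows more CPU than the hypervisor currently gives the VM."""
    return member["cpu_allocated"] < member["cpu_allowed"]


# Constructed sample outputs in the shape of the article's excerpts; serials and UUID are placeholders.
PRIMARY_STATUS = """\
Version: FortiGate-VM64-KVM v6.4.12,build2060,230214 (interim)
Serial-Number: FGVM08XXXXXXXXXX
License Status: Valid
License Expiration Date: 2023-12-10
VM Resources: 1 CPU/8 allowed, 2010 MB RAM
"""
# Secondary still on the old license: the entitlement mismatch the article names as the split-brain cause.
SECONDARY_STATUS = PRIMARY_STATUS.replace("FGVM08XXXXXXXXXX", "FGVM01XXXXXXXXXX").replace("1 CPU/8 allowed", "1 CPU/1 allowed")
VM_FULL = "UUID: 00000000-0000-0000-0000-000000000000 valid: 1 status: 1 code: 200 warn: 0 copy: 0"

if __name__ == "__main__":
    primary = parse_system_status(PRIMARY_STATUS)
    secondary = parse_system_status(SECONDARY_STATUS)
    for problem in check_ha_pair(primary, secondary):
        print("HA check:", problem)
    if needs_resource_increase(primary):
        print("primary: shut down and add vCPU/RAM in the hypervisor to use the new entitlement")
    print("FortiGuard:", parse_vm_full(VM_FULL))
```

Run it against the constructed pair and it reports one problem, the differing "CPU allowed" entitlement, while the FortiGuard fields decode to a clean state; running the same two checks on a pair that has completed the full procedure should return no problems before you expect HA to form.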