|
As a primer, 'on-demand' mode for the Internet Service Database was added in FortiOS v7.2.4 for memory optimization, as it allowed the FortiGate to only download and update Internet Service objects that were actively in use. Refer to the article Technical Tip: Internet-service-database: On-demand for more information.
In FortiOS v7.2, v7.4.9, v7.6.3, and earlier, after performing an Internet Service update on the primary device of a FortiGate HA cluster, the secondary device does not sync the updated Internet Service database if set internet-service-database on-demand is configured.
config system global
set internet-service-database on-demand
end
HA Primary FortiGate:
FGT-A # diagnose autoupdate versions | grep Internet -A 5
Internet-service On-Demand Database
---------
Version: 7.04375
Contract Expiry Date: n/a
Last Updated using manual update on Mon Nov 17 08:05:02 2025
Last Update Attempt: Mon Nov 17 08:05:02 2025
HA Secondary FortiGate:
FGT-B # diagnose autoupdate versions | grep Internet -A 5
Internet-service On-Demand Database
---------
Version: 0.00000
Contract Expiry Date: n/a
Last Updated using manual update on Mon Nov 17 08:05:02 2025
Last Update Attempt: Mon Nov 17 08:05:02 2025
Issue:
When an HA failover occurs, traffic may continue to be impacted for longer than expected for any firewall policies with Internet Services configured until the Internet Service database is updated manually on the new primary unit. This behavior occurs because of an issue preventing the HA Primary from pushing the on-demand Internet service file to the Secondary. Notably, this issue does not cause a configuration checksum difference, and so the cluster will show as 'in-sync' even if the secondary is affected and has an outdated or empty Internet Service Database.
Resolution:
The issue is tracked by Known Issue 1160292 and it is resolved in FortiOS v7.6.4.
The issue will also be fixed in future releases v.7.4.10 and v8.0.0.
FortiOS v.7.4.10 is expected to be officially released by mid January.
FortiOS v.8.0.0 is expected to be officially released by mid March.
Workaround:
For devices running affected firmware, perform a controlled failover to the secondary device during a maintenance window and update the internet service database manually using the following CLI command. Allow several minutes for the update to complete.
execute update-ffdb-on-demand
See the article Technical Tip: Different options to trigger an HA failover (FGCP) for how to trigger HA failover depending on the cluster configuration.
Note that after applying the workaround, future Internet Service database updates on the current secondary device will continue to fail. However, the expected impact of failing over to a device with an out-of-date Internet Service database is greatly reduced compared to the expected impact of failing over to a device with an empty one.
Notes:
- If no Internet Service objects are in use, then it is expected that both cluster devices to show an empty Internet Service database.
- The issue only occurs when the Internet Service database mode is configured as on-demand (other modes are not impacted):
FGT-A # config system global
FGT-A (global) # set internet-service-database ?
mini Small sized Internet Service database with very limited IP addresses.
standard Medium sized Internet Service database with most IP addresses.
full Full sized Internet Service database with all IP addresses.
on-demand Internet Service database with customer selected IP addresses.
|
