- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNDR
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiScan
- FortiSandbox
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- Wireless Controller
- FortiWeb
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- Customer Service
- Community Groups
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Troubleshooting Note : FortiGate HA synchronizatio...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
Step 2
2.2 : Output example from the Slave
FGT300-2 (global) # get system ha status
Step 3
3.2 : Getting the HA checksums on the Slave (and compare with the Master):
FGT300-2 (global) # diagnose sys ha showcsum
Any checksum difference between Master and Slave will depict a synchronization problem. Configuration synchronization can be forced with the command:
FGT300-5 (global) # execute ha synchronize config
Should any further problems be experienced, it is recommend to open a ticket with the Fortinet TAC and attach the information that has been gathered.
Scope
This article describes a simple procedure to verify if FortiGate devices in an HA cluster are all synchronized.
Note that all commands are passed in global mode if VDOMs are enabled (as shown in the following examples).
Note that all commands are passed in global mode if VDOMs are enabled (as shown in the following examples).
The following commands are listed in this article:
- get system ha status
- diagnose sys ha showcsum
- execute ha synchronize config
- execute ha manage <id>
Reminder: The following command can be used to connect to the Slave device CLI from the Master CLI:
FGT300-5 (global) # execute ha manage <id>
....where <id> is the the subsidiary unit listed with the command "execute ha manage ?"
Step 1
FGT300-5 (global) # execute ha manage <id>
....where <id> is the the subsidiary unit listed with the command "execute ha manage ?"
Step 1
At the initial HA configuration, any new device that joins a cluster in a Slave role will display the following message sequence on the console. This will indicate a successful cluster formation.
| FGT300-2 login: slave's configuration is not in sync with master's, sequence:0 slave's configuration is not in sync with master's, sequence:1 slave's configuration is not in sync with master's, sequence:2 slave's configuration is not in sync with master's, sequence:3 slave's configuration is not in sync with master's, sequence:4 slave starts to sync with master logout all admin users slave succeeded to sync with master |
Step 2
On an operational HA cluster, the following commands will allow verification of the HA status:
2.1 : Output example from the Master
FGT300-5 (global) # get system ha status
2.1 : Output example from the Master
FGT300-5 (global) # get system ha status
| Model: 300 Mode: a-p Group: 30 Debug: 0 ses_pickup: disable Master:200 FGT300-5 FG300A3906550380 0 Slave :128 FGT300-2 FG300A2904500186 1 number of vcluster: 1 vcluster 1: work 169.254.0.1 Master:0 FG300A3906550380 Slave :1 FG300A2904500186 |
2.2 : Output example from the Slave
FGT300-2 (global) # get system ha status
| Model: 300 Mode: a-p Group: 30 Debug: 0 ses_pickup: disable Slave :128 FGT300-2 FG300A2904500186 1 Master:200 FGT300-5 FG300A3906550380 0 number of vcluster: 1 vcluster 1: standby 169.254.0.1 Slave :1 FG300A2904500186 Master:0 FG300A3906550380 |
Step 3
On an operational HA cluster, the following commands will allow verification of all devices which have got the same configuration
The following example shows a FortiGate running with multiple VDOMs, and the configuration checksum being similar on both devices for all of the VDOMs.
3.1 : Getting the HA checksums on the Master
FGT300-5 (global) # diagnose sys ha showcsum
The following example shows a FortiGate running with multiple VDOMs, and the configuration checksum being similar on both devices for all of the VDOMs.
3.1 : Getting the HA checksums on the Master
FGT300-5 (global) # diagnose sys ha showcsum
| is_manage_master()=1, is_root_master()=1 debugzone global: e5 45 87 ff 9d 4b d5 dc 37 98 ce bd 53 c0 75 70 root: f3 a7 72 9a f8 8a 42 f3 80 77 89 a3 eb d9 09 2b LAN: a5 f8 cf 4c 98 3b 25 b7 22 3b 17 f6 76 8e b0 3c INTERNET: f9 32 66 b4 d6 6d 2e 0a 42 59 11 c2 4c 85 53 f8 DMZ: 30 96 97 69 ff 07 32 bd 6c 84 0c 5c 4a 13 78 92 all: 4b a1 24 73 2b 3a 86 71 a8 9a 98 22 15 1c 76 65 checksum global: e5 45 87 ff 9d 4b d5 dc 37 98 ce bd 53 c0 75 70 root: f3 a7 72 9a f8 8a 42 f3 80 77 89 a3 eb d9 09 2b LAN: a5 f8 cf 4c 98 3b 25 b7 22 3b 17 f6 76 8e b0 3c INTERNET: f9 32 66 b4 d6 6d 2e 0a 42 59 11 c2 4c 85 53 f8 DMZ: 30 96 97 69 ff 07 32 bd 6c 84 0c 5c 4a 13 78 92 all: 4b a1 24 73 2b 3a 86 71 a8 9a 98 22 15 1c 76 65 |
3.2 : Getting the HA checksums on the Slave (and compare with the Master):
FGT300-2 (global) # diagnose sys ha showcsum
| is_manage_master()=0, is_root_master()=0 debugzone global: e5 45 87 ff 9d 4b d5 dc 37 98 ce bd 53 c0 75 70 root: f3 a7 72 9a f8 8a 42 f3 80 77 89 a3 eb d9 09 2b LAN: a5 f8 cf 4c 98 3b 25 b7 22 3b 17 f6 76 8e b0 3c INTERNET: f9 32 66 b4 d6 6d 2e 0a 42 59 11 c2 4c 85 53 f8 DMZ: 30 96 97 69 ff 07 32 bd 6c 84 0c 5c 4a 13 78 92 all: 4b a1 24 73 2b 3a 86 71 a8 9a 98 22 15 1c 76 65 checksum global: e5 45 87 ff 9d 4b d5 dc 37 98 ce bd 53 c0 75 70 root: f3 a7 72 9a f8 8a 42 f3 80 77 89 a3 eb d9 09 2b LAN: a5 f8 cf 4c 98 3b 25 b7 22 3b 17 f6 76 8e b0 3c INTERNET: f9 32 66 b4 d6 6d 2e 0a 42 59 11 c2 4c 85 53 f8 DMZ: 30 96 97 69 ff 07 32 bd 6c 84 0c 5c 4a 13 78 92 all: 4b a1 24 73 2b 3a 86 71 a8 9a 98 22 15 1c 76 65 |
Any checksum difference between Master and Slave will depict a synchronization problem. Configuration synchronization can be forced with the command:
FGT300-5 (global) # execute ha synchronize config
Should any further problems be experienced, it is recommend to open a ticket with the Fortinet TAC and attach the information that has been gathered.
Scope
FortiOS 3.0
FortiOS 4.0 and above
Related Articles
Labels:
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2023 Fortinet, Inc. All Rights Reserved.