Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
edyrmishi
Staff
Staff

Created on ‎03-27-2025 08:51 AM Edited on ‎04-23-2025 04:07 AM By Moderator

Article Id 385017

Troubleshooting Tip: FortiGate HA Cluster upgrade failure - how to recover without traffic disruption

Description

This article describes how to restore the HA functionality in such a scenario without impacting traffic flow through the primary unit.

When upgrading a FortiGate HA (High Availability) cluster, the secondary unit can fail during the upgrade process, resulting in a broken HA cluster. 
Scope FortiGate.
Solution

To restore HA functionality without impacting live traffic flowing through the primary unit, follow the step-by-step procedure outlined below.

 

Step 1: Isolate the Secondary Member from the Cluster.

 

To prevent any unintended failover or split-brain scenarios, isolate the secondary FortiGate device:

 

  • Disconnect all physical interface ports connected to the secondary unit except HA heartbeat (HB) ports. Label the cables to ensure correct reconnection later.
  • Remove the HA heartbeat (HB) ports to avoid split-brain situations.

 

Step 2: Upgrade the Secondary Unit.

 

Once the secondary unit is isolated, proceed with upgrading its FortiOS version to match that of the primary unit.

 

Step 3: Check HA Override Settings.

 

To ensure seamless reintegration into the cluster, verify the HA override settings on both the primary and secondary units:

 

Run the following command:

 

show system ha

 

If the override setting is disabled, enable it on both members using:

 

config system ha
    set override enable
end

 

If it is already enabled, no further action is required.

 

For additional details, refer to Fortinet's HA Primary Unit Selection Process. 

 

Step 4: Set the Secondary Device Priority Lower than the Primary.

 

To ensure the primary device retains its role, configure the secondary unit with a lower HA priority.

 

For example, if the primary unit has a priority of 128, set the secondary to a lower value (e.g., 50):

 

config system ha
    set priority 50
end

 

Step 5: Validate Changes.

 

Before reconnecting the secondary unit, double-check that:

 

  • The FortiOS version matches that of the primary unit.
  • The HA override setting is correctly configured.
  • The HA priority is lower than that of the primary unit.

 

Step 6: Reconnect the HA Heartbeat (HB) Ports.

 

Reconnect only the HB ports and allow time for the cluster to synchronize. Monitor the HA status to ensure proper communication between the units. Based on the number of changes while the second cluster member was disconnected and the number of databases needed to be installed on the secondary device, it may take anywhere from a few minutes to 15 minutes.

 

If there is an issue with the synchronization, see Technical Tip: Troubleshooting a checksum mismatch in a FortiGate HA cluster for instructions on how to fix it.

 

Step 7: Reconnect All Interface Ports.

 

Once synchronization is confirmed and the secondary unit assumes the correct role, reconnect all physical interface ports removed in Step 1.

 

Related articles:

Technical Tip: Basic HA Setup

Technical Tip: Rebuilding an HA cluster
713
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.