This article describes why an HA cluster can go out of sync because of the 'system.central-management' object, and how to resolve it.
FortiGate.
Devices in an HA cluster may become out of sync due to various factors, such as system upgrades, reboots, failovers, or delays in configuration synchronization from the primary to the secondary unit.
One case where the cluster goes out of sync is a checksum mismatch on the 'system.central-management' object, as in the following output from the two units:
PrimaryFirewall # diagnose system ha checksum show global
system.central-management: 307983e23b44f79683890573541f5a82
SecondaryFirewall # diagnose system ha checksum show global
system.central-management: 764d0f8b00ec68405241f910d345a916
The following command may be executed on both firewalls to try to recalculate the checksums:
diagnose system ha checksum recalculate
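To find which object is responsible for the mismatch, the 'diagnose system ha checksum show global' output of both units can be compared object by object. The script below is an added example, not a Fortinet tool: the function names are hypothetical, and the sample output is constructed around the two 'system.central-management' checksums shown above (the other lines and their values are made up for illustration).

```python
import re

# Matches lines such as "system.central-management: 307983e2..." (name, then 32 hex chars).
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+):\s*([0-9a-fA-F]{32})\s*$")

def parse_checksums(output):
    """Return {object_name: checksum} parsed from the pasted CLI output."""
    table = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:  # prompt lines, banners and blank lines do not match and are skipped
            table[m.group(1)] = m.group(2).lower()
    return table

def diff_checksums(primary_out, secondary_out):
    """Return a sorted list of (object, primary_sum, secondary_sum) for each mismatch.

    An object that appears on only one unit is reported with None for the other.
    """
    pri, sec = parse_checksums(primary_out), parse_checksums(secondary_out)
    return [(name, pri.get(name), sec.get(name))
            for name in sorted(set(pri) | set(sec))
            if pri.get(name) != sec.get(name)]

# Constructed sample: only the central-management checksums come from this article.
PRIMARY = """\
PrimaryFirewall # diagnose system ha checksum show global
system.global: 0123456789abcdef0123456789abcdef
system.central-management: 307983e23b44f79683890573541f5a82
system.interface: 89abcdef0123456789abcdef01234567
"""
SECONDARY = """\
SecondaryFirewall # diagnose system ha checksum show global
system.global: 0123456789abcdef0123456789abcdef
system.central-management: 764d0f8b00ec68405241f910d345a916
system.interface: 89abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for name, p, s in diff_checksums(PRIMARY, SECONDARY):
        print(f"{name}: primary={p} secondary={s}")
```

Each object it reports is a configuration section to compare between the two units, which in this scenario is 'config system central-management'.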
In this scenario, the primary device has the central-management type set to 'none' as shown in the image below.
On the secondary device, the central-management type is set to 'FortiManager', with the serial number and FortiManager IP address defined under the 'config system central-management' section.
An error may occur when attempting to change the central management type from 'FortiManager' to 'none' as shown in the image below.
A FortiManager serial number will be necessary to proceed further. Upon obtaining the serial number, run the following command to unregister the device.
execute central-mgmt unregister-device <FortiManager-serial number>
Once unregistered, the central-management type can be set to 'none' using the commands below:
config system central-management
set type none
end
After these changes, the central-management type was set to 'none' on both devices and the HA cluster synchronized successfully.