FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
bboudjema
Staff
Article Id 376461
Description

 

This article provides a step-by-step guide on upgrading the firmware of a FortiManager or FortiAnalyzer cluster while ensuring system stability, security, and minimal disruptions. Additionally, it includes troubleshooting steps in case issues arise during the upgrade.

 
Scope

 

FortiManager, FortiAnalyzer.

 

Solution

 

  • Applies to FortiManager and FortiAnalyzer High Availability (HA) clusters.
  • Relevant for administrators responsible for system maintenance and firmware upgrades.
  • Covers both GUI-based and CLI-based upgrade procedures.

 

Prerequisites.

 

  • Ensure administrator access to the FortiManager/FortiAnalyzer is available.
  • Review the firmware release notes for new features, fixes, and known issues.
  • Back up all configurations and data before proceeding.
  • Plan a maintenance window, as services may be temporarily disrupted during the upgrade.
  • If FortiAnalyzer Features are enabled on FortiManager, they will be automatically deactivated during an upgrade to FortiManager v7.0.0 or later.

 

Steps to Upgrade the HA Cluster.

 

  1. Pre-Upgrade Preparation.
  • Backup Configuration and Data: Before performing the upgrade, back up all configurations and data to avoid potential loss.
  • Check Compatibility and Release Notes: Ensure the new firmware version is compatible with the current setup and review the firmware release notes for changes and potential issues.
  • Schedule the Upgrade: Since the upgrade process does not cause a prolonged disconnection, it can be performed outside a scheduled maintenance window if necessary.
  • Disable FortiAnalyzer Features (if applicable): If HA is enabled on FortiManager, FortiAnalyzer Features must be disabled before proceeding.

 

  2. Cluster Upgrade Procedure.
  • Upgrade the Cluster via GUI:
    • Log into the primary unit using an admin account.
    • Navigate to System Settings -> Information -> Upload Firmware Image or use FortiGuard Upgrade Service.
    • Start the upgrade process.
    • The upgrade will automatically sync to the secondary devices in the cluster.
    • Monitor the console log output for errors or warnings (an example is shown in the Monitoring and Troubleshooting section).

 

  • Upgrade the Cluster via CLI from an FTP or TFTP server: Use the following CLI command to upgrade with a firmware image stored on an FTP or TFTP server:


execute restore image {ftp | tftp} <file path to server> <IP of server> <username on server> <password>

 

  3. Post-Upgrade Verification.
  • Check Cluster Status: Verify that all units are synchronized and running the new firmware version.
    • In the GUI, navigate to System Settings -> HA.
    • In the CLI, enter:

 

diagnose ha stats

 

Cluster-ID : 1
Debug : off
File-Quota : 4096
HA Health Status : OK
HA Role : Primary
FMG-HA Status : Synchronized
State Model : FortiManager-VM64
HB-Interval : 10
HB-Lost-Threshold : 30
HA Primary Uptime : Fri Feb 14 06:33:35 2025
HA Primary state change timestamp :
Primary : FMG-VM64, FMG-VM0000000013,
System Usage stats :
FMG-VM0000000013(updated 0 seconds ago): average-cpu-user/nice/system/idle=0.05%/0.00%/0.00%/99.95%, memory=14.56

 

  • Other useful troubleshooting commands, which can be run on both Primary and Secondary units of FortiManager or FortiAnalyzer if an issue is observed in the HA status:


diagnose debug reset
diagnose debug application ha 255
diagnose debug enable

  • A system reboot may be required to apply the change.
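
An added example (not from the original article or from Fortinet): a Python check over `diagnose ha stats` output captured from each unit, flagging any unit whose health or sync field differs from the values in the sample output above. The unit names, the secondary's sample text, and the rule that the captured set contains exactly one Primary are assumptions.

```python
import re

# Healthy values as they appear in the sample output on this page.
EXPECTED = {"HA Health Status": "OK", "FMG-HA Status": "Synchronized"}
FIELD = re.compile(r"^(.*?)\s+:\s*(.*)$")  # "Key : Value", value may be empty

def parse_ha_stats(text):
    """Map 'Key : Value' lines to a dict; lines without ' :' are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def check_cluster(outputs):
    """outputs: unit name -> captured text. Returns findings; [] means pass."""
    findings, primaries = [], []
    for name, text in outputs.items():
        fields = parse_ha_stats(text)
        if fields.get("HA Role") == "Primary":
            primaries.append(name)
        for key, want in EXPECTED.items():
            got = fields.get(key)
            if got != want:
                findings.append(f"{name}: {key} is {got!r}, expected {want!r}")
    if len(primaries) != 1:  # assumption: every cluster member was captured
        findings.append(f"expected one Primary, found {len(primaries)}")
    return findings

# Abridged from the output shown on this page.
PRIMARY = """Cluster-ID : 1
HA Health Status : OK
HA Role : Primary
FMG-HA Status : Synchronized
HA Primary state change timestamp :
FMG-VM0000000013(updated 0 seconds ago): average-cpu-user/nice/system/idle=0.05%/0.00%/0.00%/99.95%, memory=14.56
"""
# Constructed sample: role and status values are placeholders, not device output.
SECONDARY_BAD = """Cluster-ID : 1
HA Health Status : OK
HA Role : Secondary
FMG-HA Status : Not-Synchronized-PLACEHOLDER
"""

if __name__ == "__main__":
    for finding in check_cluster({"fmg-a": PRIMARY, "fmg-b": SECONDARY_BAD}):
        print(finding)
```

The check passes a unit only on an exact match with the healthy values, so an unfamiliar status string is reported for review.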

 

  4. Monitoring and Troubleshooting.
  • Checking Logs in Real-Time.

 

During the upgrade, it is recommended to use the console to monitor log output in real time.

 

Example Log Output with Warnings and Errors: [screenshot in the original article]

 

If any errors arise, investigate and resolve them before continuing with normal operations.

 

  • Checking FortiManager Event Logs:
    • After the upgrade, check the FortiManager Event Logs for recorded messages under System Settings -> Event Logs.
    • If errors are found, apply necessary fixes before putting the system into full production.

 

  5. Additional Considerations.
  • SQL Database Rebuild (KB article link in the 'Related documents' section):
    • Upgrading may trigger an automatic SQL database rebuild.
    • During this process, new logs will be stored and visible, but older logs may be temporarily unavailable.
    • The rebuild duration depends on database size.

 

Related documents:

Upgrade Guide FortiManager 7.6.2 (p22-23)

Enable or disable FortiAnalyzer features

Technical Tip: FortiAnalyzer SQL database delete and rebuild