Help
FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
lingky88
Staff
Staff

Created on ‎02-20-2023 06:48 AM

Article Id 246504

Technical Tip: Things to check before FortiManager HA failover

Description

This article illustrates important steps to take prior to performing a FortiManager HA failover. Note that this FortiAnalyzer feature is not available when you are using FortiManager in HA mode.
Scope FortiManager.
Solution

1) Take a backup of the system configuration on both the Primary and Secondary Devices.

 

lingky88_0-1676903272622.png

 

2) Alternatively, backup the system settings in the CLI:

 

# execute backup all-settings {ftp | scp | sftp} <ip:port> <string> <username> <passwd>

 

3) Check on all members of the cluster to ensure the system configuration of ADOMS, devices, policies, templates and other items are the same among each. It is recommended to take screenshots.

 

4) Check the status of the cluster to ensure it is up and that there is no module data pending a sync to ALL cluster members.

 

lingky88_1-1676903594207.png

 

lingky88_2-1676903606229.png

 

5) Alternatively, run a debug to see if keepalive messages are exchanged, which indicates successful cluster negotiation and synchronization.

 

# diag debug application ha 255

# diag debug enable

 

2023-02-18 01:58:04 [incoming FMG-VMXXXXX]: keepalive response

2023-02-18 01:58:04 [outgoing FMG-VMXXXXX]: keepalive

2023-02-18 01:58:04 [incoming FMG-VMXXXXX]: keepalive response

2023-02-18 01:58:14 [outgoing FMG-VMXXXXX]: keepalive

 

6) Check the connection on the managed FortiGate(s). It should contain the serial numbers of all FMG cluster members.

 

# get system central-management

mode                : normal

type                : fortimanager

serial-number       : "FMG-VMYYYYY" "FMG-VMXXXXX"

fmg                 : "10.252.3.11"

 

# diag fdsm central-mgmt-status

Connection status: Up

Registration status: Registered

 

7) After all verification is complete done, perform the failover, by changing the operation mode under System Settings -> HA GUI on the cluster members, starting with the primary to the secondary and then the secondary to the primary. Alternatively, this can be done in the CLI:

 

FMG-PRI # config system ha

(ha)# set mode secondary

(ha)# end

 

FMG-SEC # config system ha

(ha)# set mode primary

(ha)# end

 

8) Lastly, after the failover has occurred, perform steps 3, 4, 5 and 6 again to verify if the failover was performed successfully.

 
735
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.