Solution
- Take a backup of the system configuration on both the Primary and Secondary Devices.
- Alternatively, back up the system settings in the CLI:
execute backup all-settings {ftp | scp | sftp} <ip:port> <string> <username> <passwd>
- Check all members of the cluster to ensure that the system configuration (ADOMs, devices, policies, templates, and other items) is the same on each. It is recommended to take screenshots.
- Check Task Monitor to ensure there are no running tasks on either the Primary or Secondary Device, under FortiManager -> System Settings -> Task Monitor.
- Ensure CPU and memory usage on both Primary and Secondary Devices is healthy under FortiManager -> Dashboard.
CLI:
get system performance
execute top
- Check the 'Cluster Status' and 'Member Status' to ensure the cluster is up and that no module data is pending a sync to all cluster members.

- Alternatively, run a debug to see whether keepalive messages are exchanged, which indicates successful cluster negotiation and synchronization.
diag debug application ha 255
diag debug enable
2023-02-18 01:58:04 [incoming FMG-VMXXXXX]: keepalive response
2023-02-18 01:58:04 [outgoing FMG-VMXXXXX]: keepalive
2023-02-18 01:58:04 [incoming FMG-VMXXXXX]: keepalive response
2023-02-18 01:58:14 [outgoing FMG-VMXXXXX]: keepalive
- Check the connection on the managed FortiGate(s). The output should contain the serial numbers of all FortiManager cluster members.
get system central-management
mode : normal
type : fortimanager
serial-number : "FMG-VMYYYYY" "FMG-VMXXXXX"
fmg : "10.2.x.x"
Note:
If FortiManager is on a different subnet, it is best to have both HA IPs in the central-management configuration.
get system central-management
mode : normal
type : fortimanager
serial-number : "FMG-VMYYYYY" "FMG-VMXXXXX"
fmg : "10.2.x.x" "10.3.x.x"
diag fdsm central-mgmt-status
Connection status: Up
Registration status: Registered
- After all verification is complete, perform the failover by changing the operation mode under System Settings -> HA in the GUI on the cluster members, starting with the primary to the secondary and then the secondary to the primary.
Alternatively, this can be done in the CLI:
FMG-PRI # config system ha
(ha)# set mode secondary
(ha)# end
FMG-SEC # config system ha
(ha)# set mode primary
(ha)# end
- After the failover has occurred, perform steps 3 - 7 again to verify that the failover was performed successfully.
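
The keepalive and central-management checks above can be scripted so that the same test is run before and after the failover. The Python below is an added example, not Fortinet code or part of the original article; it parses saved CLI output in the formats shown above. The function names and the 30-second silence threshold are assumptions, and the sample inputs are constructed.

```python
import re
from datetime import datetime

# Line format taken from the `diag debug application ha 255` capture in the article.
KEEPALIVE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[(incoming|outgoing) ([^\]]+)\]: keepalive")

def keepalive_health(debug_text, max_silence_s=30):
    """Map each HA peer to True only if traffic was seen in BOTH directions
    within max_silence_s (assumed threshold) of the end of the capture."""
    last_seen, end = {"incoming": {}, "outgoing": {}}, None
    for line in debug_text.splitlines():
        m = KEEPALIVE.match(line.strip())
        if not m:
            continue  # skip unrelated debug output
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        end = ts if end is None else max(end, ts)
        last_seen[m.group(2)][m.group(3)] = ts  # keep latest timestamp per peer
    peers = set(last_seen["incoming"]) | set(last_seen["outgoing"])
    return {p: all(p in d and (end - d[p]).total_seconds() <= max_silence_s
                   for d in last_seen.values()) for p in peers}

def missing_serials(central_mgmt_text, cluster_serials):
    """Cluster serials absent from a FortiGate's `get system central-management` output."""
    for line in central_mgmt_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "serial-number":
            return sorted(set(cluster_serials) - set(re.findall(r'"([^"]+)"', value)))
    return sorted(cluster_serials)  # no serial-number line at all

# Constructed sample inputs, modelled on the outputs shown in the article.
HA_OK = """2023-02-18 01:58:04 [incoming FMG-VMXXXXX]: keepalive response
2023-02-18 01:58:04 [outgoing FMG-VMXXXXX]: keepalive
2023-02-18 01:58:14 [outgoing FMG-VMXXXXX]: keepalive"""
HA_STALE = HA_OK + """
2023-02-18 01:58:34 [outgoing FMG-VMXXXXX]: keepalive
2023-02-18 01:58:54 [outgoing FMG-VMXXXXX]: keepalive"""
FGT_ONE_SERIAL = 'mode : normal\ntype : fortimanager\nserial-number : "FMG-VMYYYYY"\nfmg : "10.2.x.x"'

if __name__ == "__main__":
    cluster = ["FMG-VMXXXXX", "FMG-VMYYYYY"]
    print("healthy capture:", keepalive_health(HA_OK))
    print("stale capture:  ", keepalive_health(HA_STALE))
    print("missing on FortiGate:", missing_serials(FGT_ONE_SERIAL, cluster))
```

A peer reported as False, or any serial returned by missing_serials, is a reason to stop and investigate before changing the HA mode.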