yeowkm99
Contributor

Break firewall HA cluster

Currently I have a FortiGate 401-E HA cluster. Can I break the cluster into 2, as I need to do some relocation of the server while my Internet circuit is still at the old server room? Meaning that I have one unit at the existing location and the 2nd unit in another room?

When I break the cluster, does it mean the configuration will be different?

6 REPLIES
kcheng
Staff

Hi @yeowkm99,

Good day to you. When you break the cluster, the configuration of both units will not be different. If you deployed FortiGate HA in A-P mode, you will need to be extremely careful when you break the cluster, as the configuration on both units is identical. Take, for example, a LAN configured with IP 192.168.0.99/24: the IP resides on the primary unit. The IP would be activated on the secondary unit only when the secondary unit takes up the primary role.

Hence, when you break the cluster, there will be 2 FortiGates with identical IPs, and this may cause a conflict in your network. You may want to ensure that you disconnect the network cables on the secondary FortiGate (leaving only the heartbeat interface) before converting your cluster to standalone. Lastly, before you move the device into another room, modify the configuration file and change the IP if both FortiGates reside within the same network, to avoid an IP conflict.

Hope that the above information clarifies.

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
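The reply above recommends editing the configuration so the two units no longer share addresses. As an added example (not part of the thread and not Fortinet tooling), this Python check compares the `config system interface` addresses, including nested `secondaryip` entries, in two configuration backups and lists any IP still present on both. The function names and the sample backups are assumptions constructed for illustration.

```python
import ipaddress
import re
EDIT = re.compile(r'^edit "?([^"]+)"?$')
SET_IP = re.compile(r'^set ip (\S+) (\S+)$')

def interface_ips(config_text):
    """Return [(label, ip_interface)] found under 'config system interface'."""
    found, depth, name = [], 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:                      # outside the interface section
            depth = 1 if line == "config system interface" else 0
        elif line.startswith("config "):    # nested table, e.g. secondaryip
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth == 1 and EDIT.match(line):
            name = EDIT.match(line).group(1)
        elif name and SET_IP.match(line):
            addr, mask = SET_IP.match(line).groups()
            label = name if depth == 1 else f"{name} (nested)"
            found.append((label, ipaddress.ip_interface(f"{addr}/{mask}")))
    return found

def duplicate_ips(cfg_a, cfg_b):
    """Addresses present on both units: [(interface_a, interface_b, ip)]."""
    a = {i.ip: n for n, i in interface_ips(cfg_a) if not i.ip.is_unspecified}
    return [(a[i.ip], n, str(i.ip)) for n, i in interface_ips(cfg_b) if i.ip in a]

# Constructed sample backups (not from the thread, apart from 192.168.0.99/24).
PRIMARY = """
config system interface
    edit "port1"
        set ip 192.168.0.99 255.255.255.0
    next
    edit "port2"
        set ip 10.10.10.1 255.255.255.0
        config secondaryip
            edit 1
                set ip 10.10.20.1 255.255.255.0
            next
        end
    next
end
"""
# Unit 2 after an incomplete edit: only the LAN address was changed.
SECONDARY = PRIMARY.replace("192.168.0.99", "192.168.0.98")
if __name__ == "__main__":
    print(duplicate_ips(PRIMARY, SECONDARY))
```

An empty result means no interface address in the second backup matches one in the first; it does not cover virtual IPs, IP pools or other objects defined elsewhere in the configuration.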
yeowkm99

Am I correct to say that I need to assign another LAN IP for the 2nd unit to prevent a conflict?

kcheng

Hi @yeowkm99

It depends on your configuration. If you have VLANs and other network IP settings, you will probably need to change those as well. When you isolate the secondary device from the cluster from the GUI, it will prompt you for the IP to assign to the secondary device. This should be a new IP. Generally, all other IP settings will be removed. But policy and other settings would be maintained.

Cheers,
Kayzie Cheng

nithincs
Staff

Hi,

You can do as below to remove the FortiGate from the cluster and move the device to a different network.

1. Disconnect the network interfaces and HA interface of the backup FortiGate.
2. Connect to the device via console and run the command "exe factoryreset"; with this, the configuration will get wiped from the FortiGate.
3. You will be able to access the device at the IP "192.168.1.99" and can reconfigure the device as per your other location's network and security requirements.

yeowkm99

To minimize downtime, which unit should I remove first to move to the new server room?

The primary or secondary unit?

The main internet link is now on the primary unit.

Muhammad_Haiqal

Hi yeowkm99,

HA basically has an identical configuration on Unit1 and Unit2.
If you want to break it, you may use the suggestion below:

1. Shut down unit2.

2. Move the unit2 to new location.

3. Power on. But do not connect any cable to the network yet.

4. Connect your PC directly to this unit2.

5. Configure the necessary things. If you need to reset, then do the factory reset.

6. Once completed, connect all the cables.

That is the general idea. Hope that is helpful.

haiqal