Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dlai
Staff
Staff

Enquiry about missing analysis and delay during FortiSandbox firmware upgrade

Hi all,

 

Greetings everyone!

 

I'd like to verify FortiSandbox behavior which is integrated with FortiMail.

 

Scenario : FortiMail is integrated with FSA1(Primary) – FSA2(Slave) – FSA3(Worker).

 

When upgrading FSA firmware, devices with operations in the queue cannot send samples to VMs to scan and are expected to wait for the upgrade to complete. As a consequences, FortiMail has a scan timeout and delivers or quarantines mail. 

 

But the customer wants the service to be uninterrupted without missing analysis and delay during firmware upgrade.

Q1. When the master device distributes jobs, is it possible to not distribute jobs to specific HA node?


Q2. Is there any other way to prevent missing analysis and mail delays when upgrading device with analysis queues?

Q3. I understand that when upgrading firmware, sandboxes need to upload a rating engine.

 

Which of the following is the most preferred upgrade best practice?


1. Every time (3.1.3 > 3.1.4 > 3.2.0 +Uploading a rating engine> 3.2.3 + Uploading a rating engine> 4.0.2 b0074+Uploading a rating engine > 4.0.2 b4125 +Uploading a rating engine)


2. Once (3.1.3 > 3.1.4 > 3.2.0 > 3.2.3 > 4.0.2 b0074 > 4.0.2 b4125 + Uploading a rating engine)

 

Any input or insights would be greatly appreciated!

Best Regards,
David Lai
3 REPLIES 3
Anonymous
Not applicable

Hello dlai, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

  Fortinet Community Team 

dlai
Staff
Staff

Thanks RJ Esz

Best Regards,
David Lai
kagritelis
Staff
Staff

Hello David,

Regarding your Questions,
Q1.: No this is not possible distribute jobs to specific HA node. Only if you remove the Node from the Cluster and re-add it when needed.
Q2.: Upgrade the Worker First so the Secondary will Work in the Meantime, then upgrade the Secondary so the Worker will work during the upgrade & last upgrade the Primary so Secondary will become Primary & handle the traffic.
Q3.: Preferably follow the upgrade path & when you reach the preferred version then finalize it by uploading the Rating Engine.

If you have any further questions please let me know.

Best Regards,
Konstantinos Agritelis