Fortinet Forum
baylonjmj
New Contributor

Fortigate A-P Scenario Disable the Subordinate port

Hi All,

What will happen if a port on a passive unit is disabled? Will it be synchronized to the Primary?

Thanks

emnoc
Esteemed Contributor III

If you mean disable as in "down" or "admin down", then I would assume the master will carry the same. Now why do you want to disable it?

Ken

PCNSE 

NSE 

StrongSwan  

baylonjmj

Hi Ken,

Thanks

Yup, doing a set status disable on the port of the subordinate.

So the primary device will synchronise its port status from the Subordinate unit even if the Primary has a higher device priority? I want to isolate the slave unit by leaving only the management and console ports enabled, but no one is on-site to remove the cables.

-Lehac

ede_pfau
Esteemed Contributor III

First off: don't set the port admin-down! This will set this port down on both HA units, 100% guaranteed!

This is how HA works: all settings are synchronized in near realtime, both from master to slave as well as from slave to master.

If you want to isolate the slave unit then set the HA mode on the slave to 'disable'. You will have to set at least one valid IP address to be further able to manage the unit. Please check this in the HA chapter of the Handbook.

With the slave unit running independently, you can switch off ports as you like.

I can imagine that having identical VIPs on both units may bring some problems along - YMMV.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
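The two approaches discussed above, as an added FortiOS CLI example that is not part of the thread: the interface admin-down that gets synchronized to the primary, and the standalone-plus-management-IP route Ede describes. Port names (port1 as the dedicated management port, port2/port3 as data ports) and the management address are assumptions.

```fortios
# Added example, not from the thread. Assumed layout: port1 = management
# port, port2/port3 = data ports. Address below is a constructed sample.

# What NOT to do while the unit is still a cluster member: interface
# admin status is part of the synchronized configuration, so this also
# takes port2 down on the primary.
config system interface
    edit "port2"
        set status disable
    next
end

# Isolation as described in the thread, run on the subordinate's console.
# 1. Leave the cluster so that nothing is synchronized in either
#    direction any more (the unit keeps its current synced config).
config system ha
    set mode standalone
end

# 2. Keep one valid, reachable management address on the unit.
config system interface
    edit "port1"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh
    next
    # 3. Only now admin-down the data ports; this no longer propagates.
    #    Doing this promptly also limits the time the now-standalone unit
    #    answers on the same addresses/VIPs as the primary.
    edit "port2"
        set status disable
    next
    edit "port3"
        set status disable
    next
end

# Verification: the isolated unit should report standalone mode, and on
# the primary the same command should no longer list it as a member.
get system ha status
```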
baylonjmj

Thanks Ede,

But if I disable the HA mode on the slave unit it will become a standalone firewall with the same IP address and routing as the primary firewall and will cause a split brain, right? Correct me if I'm wrong, please. Regarding the HA behaviour where the Primary Unit synchronises the port admin status from the Slave unit with a lower device priority, do you have the link to the documentation about it?

Thanks

Lehac

ede_pfau
Esteemed Contributor III

ad 1

Right, as I've posted, the situation could become difficult quickly. Usually, you would not change the HA mode if you only had remote control.

ad 2

I cannot give you a direct reference to the Handbook where this is described (but with more effort maybe you can). I know it from my experience with FortiOS from the last 14 years.

ad 'priority'

The HA device priority has nothing to do with how the config is synchronized. HA priority is only relevant for cluster formation; more precisely, it influences how an HA master is chosen among all HA cluster members. After that decision is made, the master config overwrites the config on all slave units (except for very few HA parameters and the hostname). Synchronization, on the other hand, keeps the common configuration identical on all units of an HA cluster, disregarding the direction (master to slave or vice versa).


Ede

"Kernel panic: Aiee, killing interrupt handler!"
baylonjmj

Thanks Again Ede,

It is just weird that the supposedly passive unit is pushing its interface status or any configuration to the active device, because in theory you should be able to change anything on the slave unit without affecting the primary (and that is also the case when a slave is being restarted). But I will keep that in mind in future troubleshooting.

Thanks a lot for clarifying it.  ,\,,/

- Lehac

emnoc
Esteemed Contributor III

SLAVE (the right wording is "passive") and its configuration are synced to the master. Master in an A-P only means that the control plane and data plane are carried by the master. It does not mean management or configuration is only done at the master.

FWIW: Even the data plane in an A-P passive unit can carry data if you have multi-vdom and vcluster2 enabled.

Heed Ede's words and tread very carefully in regards to formation of an A-P cluster.

PCNSE 

NSE 

StrongSwan  

baylonjmj

Thanks Emnoc,

Do you know of any documentation about "only control plane and data-plane is carried by the master" and about a passive device configuration change affecting the master, please? I am also digging around but to no avail.

Thanks