bigkeoni64
Contributor

HA password change

Hello,

I have to change an HA password for security reasons. Is it best to change it from the GUI or the CLI?

Is System > HA on the primary device the only place it needs to be changed, and should changing it there then populate it to the secondary HA2?

Thank you. I know it is kind of basic, but I am just making sure there are no gotchas.


warshad
Staff

Hi bigkeoni64,

If you change the password, the cluster will break. Therefore, I would recommend doing it one by one:

1) Break the HA cluster by removing the HA cable(s).
2) Change the HA password on the CLI on both the primary and the secondary unit:

# config sys ha
# set password <password>
# end

3) Reconnect the HA cable(s).

While doing this, network disruption should not be expected, as the primary unit is still processing the traffic. But we would suggest scheduling a maintenance window to avoid any problems.

 

Waqas Arshad
Fortinet
bigkeoni64

Thank you Waqas, you have confirmed my suspicion. Having someone onsite might not be possible. What if I did things this way:

1. Have two CLI sessions going to the primary
2. #execute ha manage 1
3. Change the HA password on the secondary
4. Change the password on the primary CLI session
5. Done

Seems as though this would be possible.

Debbie_FTNT

Hey bigkeoni64,

Yes, this should work, but you have to make sure there is no typo, as the moment you change the HA password you lose access to the secondary via 'execute HA manage' and will only regain it once the cluster is reformed with the new cluster password - and the cluster can't reform if there is a mismatch/typo somewhere.

What you could consider (to substitute for onsite) is to set up individual HA management for each unit - that way each node would have its own IP you can access individually, and you wouldn't lose access to the secondary even if there is a mismatch in the password for some reason.

An example: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/234765/out-of-band-management

Either way you should make the change during a maintenance window, as there would be a short time the cluster can't connect to each other, which might mean both units consider themselves primary and you have a split-brain scenario temporarily, until the cluster is reformed with the new password.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
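Putting the two suggestions together, reserving a per-unit management interface first and only then changing the cluster password, as an added FortiOS CLI walk-through that is not from the thread. The interface name mgmt, the 192.0.2.x addresses and the # annotations are assumptions of this example; the annotations are for reading, not for pasting into the CLI.

```fortios
# --- Step 1 (on the PRIMARY, while the cluster is still healthy):
# reserve a management interface. This part of the HA config syncs to
# the secondary, so it only has to be entered once.
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"        # assumed interface name
            set gateway 192.0.2.1       # assumed gateway
        next
    end
end

# The address on a reserved interface is NOT synchronised, so each unit
# gets its own. Primary:
config system interface
    edit "mgmt"
        set ip 192.0.2.11 255.255.255.0
    next
end
# Secondary (reached with 'execute ha manage 1' before any password change):
config system interface
    edit "mgmt"
        set ip 192.0.2.12 255.255.255.0
    next
end

# --- Step 2: each unit now answers on its own address even if HA is down.
# Log in to 192.0.2.12 (secondary) and then 192.0.2.11 (primary) directly,
# inside the maintenance window, and set the identical new password on each:
config system ha
    set password <new-password>
end

# --- Step 3: from either unit, confirm the cluster re-formed with both
# members present and their configuration in sync. If one member is
# missing, its reserved management address still works, so the password
# on that unit can be re-checked without a site visit.
get system ha status
diagnose sys ha checksum cluster
```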
KT5

Hi,

What is the recommended approach for Fortinet FWs hosted on Azure?

Thanks,

KT
