Nytro
New Contributor

Adding secondary unit for HA while primary is in production

Hi All,

I'm having trouble nailing down this question. I manage a global network in which each site has a pair of 500Es or 300Es in HA mode. A site with 300Es was shut down. One of those FWs went to Guatemala, a new site, and the other FW got sent to a datacenter for a more desperate need. So the FW in GUA was reconfigured to be standalone. Now, after a few months in production in standalone mode, we had another site go dark, so that freed up another 300E. This was sent to GUA to be the HA secondary. My pressing question is: does the secondary FW NEED TO BE FACTORY RESET prior to connecting to the primary in HA? I will have the priority on the Primary set for 128 and the new secondary set for 50. Will the sync process completely overwrite the old config from the shutdown site?

FYI, I am well versed in HA and those details. I have just never come across this situation of adding a previously configured FW as an HA pair (A-P). The Primary is in production, which is why I am very concerned! :)

Thanks in advance for thoughts and suggestions!

Cheers!

Noel

2 Solutions
Toshi_Esumi
Esteemed Contributor III

Theoretically (or philosophically) you shouldn't have to, but practically that's not the case in most of the situations I have encountered. Besides, why do you hesitate to factory reset the 300E, especially when you intend to make it a dedicated secondary? Unfortunately, we often need to factory reset secondaries in our clusters (1500Ds) when we upgrade the clusters from an old major version to a new one, which we had to do for the last two upgrades this month. After upgrading them, they stopped making an effort to sync up, which prevented us from going up one more version in the second step. So we had to factory reset the secondary to let it sync from fresh.

Or, if you want to speed up the process, you can download the config from the primary and modify three things: 1) HA config (priority), 2) dedicated management interface, and 3) host name. Then upload it to the secondary offline, and then put it in its position in the network.

emnoc
Esteemed Contributor III

You actually only need the HA config and to modify the priority on the new to-be-standby unit. I would also keep all interfaces on the standby until you have the 2nd unit up and config-sync.

A factory reset and a fresh load of FortiOS, to ensure it's the same revision as the primary, should also be done.

Ken Felix

PCNSE NSE StrongSwan
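The offline preparation described in the first reply (take the primary's backup and change the HA priority, the dedicated management interface, and the host name) can be scripted so that nothing else in the config is touched. This is an added example, not code from either poster or from Fortinet; the sample backup, host names, addresses, and the interface name `mgmt` are constructed, and it assumes the per-unit management setting is the `set ip` line of that interface.

```python
# Constructed sample of a primary's backup (not taken from the thread).
PRIMARY_CFG = '''config system global
    set hostname "GUA-FW-A"
end
config system interface
    edit "mgmt"
        set ip 10.10.0.11 255.255.255.0
    next
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
    next
end
config system ha
    set group-name "GUA"
    set mode a-p
    set hbdev "ha" 50
end
'''

def prepare_secondary(cfg, hostname, priority, mgmt_if, mgmt_ip):
    """Return cfg with only the three per-unit values rewritten."""
    # (path of config/edit names, keyword) -> value for the secondary
    want = {
        (("system global",), "hostname"): f'"{hostname}"',
        (("system ha",), "priority"): str(priority),
        (("system interface", mgmt_if), "ip"): mgmt_ip,
    }
    out, path, done = [], [], set()
    for line in cfg.splitlines():
        tok = line.split()
        pad = line[: len(line) - len(line.lstrip())]
        if tok[:1] == ["config"]:
            path.append(" ".join(tok[1:]))
        elif tok[:1] == ["edit"]:
            path.append(tok[1].strip('"'))
        elif tok[:1] == ["set"] and (tuple(path), tok[1]) in want:
            key = (tuple(path), tok[1])
            line = f"{pad}set {tok[1]} {want[key]}"
            done.add(key)
        elif tok[:1] in (["end"], ["next"]):
            # Backups omit default values (priority 128 is the default),
            # so add a wanted key that never appeared before closing the block.
            for key in want:
                if key[0] == tuple(path) and key not in done:
                    out.append(f"{pad}    set {key[1]} {want[key]}")
                    done.add(key)
            path.pop()
        out.append(line)
    if set(want) - done:  # e.g. the management interface name does not exist
        raise ValueError(f"not found in backup: {sorted(set(want) - done)}")
    return "\n".join(out) + "\n"
```

Diff the result against the primary's backup before restoring it on the secondary; only the three intended lines should differ.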