Hello all, I just figured this might benefit someone. I just tracked the alerts sent out by two units (only units) in an HA when I did an upgrade. Current on unused partition: MR2 Patch2 STEP 0: Backup the configuration! STEP 1: upgrade unused partition to MR2 Patch 4 (FGT_60C-v400-build0313-FORTINET.out) Order of operation (from HA guide) 1) The administrator uploads a new firmware image from the web-based manager or CLI. (email notification occurs) ::TIME 0:: Message meets Alert condition date=2011-07-15 time=13:20:50 devname=NY_HA_1 device_id=FGT60C3GXXXXXXX1 log_id=0104032139 type=event subtype=admin pri=critical vd=root user=" admin" ui=GUI(192.168.1.112) action=restore-image status=success msg=" User admin restored the image from GUI(192.168.1.112) (v4.0.0,build5400 -> v4.0.0,build0313)" Message meets Alert condition date=2011-07-15 time=13:20:49 devname=NY_HA_1 device_id=FGT60C3GXXXXXXX1 log_id=0104032139 type=event subtype=admin pri=critical vd=root user=" admin" ui=GUI(192.168.1.112) action=loaded-image status=success msg=" User admin loaded an image from GUI(192.168.1.112). The new image does have a valid RSA signature." 2) The cluster upgrades the firmware running on all of the subordinate units. (email notifications) ::TIME +3:: Message meets Alert condition The following critical firewall event was detected: Critical Event. date=2011-07-15 time=13:22:46 devname=NY_HA_1 device_id=FGT60C3GXXXXXXX1 log_id=0105037901 type=event subtype=ha pri=critical vd=" root" msg=" Heartbeat device(interface) down" ha_role=master hbdn_reason=linkfail devintfname=wan2 Message meets Alert condition date=2011-07-15 time=13:20:58 devname=NY_HA_2 device_id=FGT60C3GXXXXXXX2 log_id=0104032139 type=event subtype=admin pri=critical vd=root user=" admin" ui=ha_daemon action=restore-image msg=" User admin restored the image from ha_daemon (v4.0.0,build5367 -> v4.0.0,build0313)" ::TIME +6:: Message meets Alert condition date=2011-07-15 time=13:24:59 devname=NY_HA_1 device_id=FGT60C3GXXXXXXX1 log_id=0104032138 type=event subtype=admin pri=critical vd=root user=" admin" ui=GUI(192.168.1.112) action=reboot msg=" User admin rebooted the device from GUI(192.168.1.112). The reason is ' upgrade firmware' " ::TIME +9:: Message meets Alert condition The following critical firewall event was detected: Critical Event. date=2011-07-15 time=13:26:47 devname=NY_HA_2 device_id=FGT60C3GXXXXXXX2 log_id=0105037901 type=event subtype=ha pri=critical vd=" root" msg=" Heartbeat device(interface) down" ha_role=master hbdn_reason=linkfail devintfname=wan2 (SNMP traps) ::TIME +9:: fgTrapHaHBFail: sent from NY_HA_1 fgTrapHaMemberDown: sent from NY_HA_1 3) Once the subordinate units have been upgraded, a new primary unit is selected. This primary unit will be running the new upgraded firmware. ::TIME +11:: (SNMP traps) fgTrapHaMemberUp: sent from NY_HA_1 fgTrapHaSwitch: sent from NY_HA_2 4) The cluster now upgrades the firmware of the former primary unit. If the age of the new primary unit is more than 300 seconds (5 minutes) greater than the age of all other cluster units, the new primary unit continues to operate as the primary unit. This is the intended behavior but does not usually occur because the age difference of the cluster units during a firmware upgrade is usually less than the cluster age difference margin of 300 seconds. So instead, the cluster negotiates to select a primary unit as described in “Primary unit selection” on page 38. For information about the cluster age difference margin, see “Cluster age difference margin (grace period)” on page 40). ::TIME +14:: (SNMP traps) fgTrapHaHBFail: sent from NY_HA_2 fgTrapHaMemberDown: sent from NY_HA_2 fgTrapHaHBFail: sent from NY_HA_2 fgTrapHaMemberUp: sent from NY_HA_1 fgTrapHaSwitch: sent from NY_HA_1 STEP 2: Upgrade unused partition to MR3 Patch 1 (FGT_60C-v400-build0458-FORTINET.out) Same as above.