Yup, doing a "set status disable" on the port of the subordinate.
So the primary device will synchronise its port status from the Subordinate unit even if the Primary has a higher device priority? I want to isolate the slave unit by leaving just the management and console ports enabled, but no one is on-site to remove the cables.
First off: don't set the port admin-down! This will set this port down on both HA units, 100% guaranteed!
This is how HA works: all settings are synchronized in near realtime, both from master to slave as well as from slave to master.
If you want to isolate the slave unit then set the HA mode on the slave to 'disable'. You will have to set at least one valid IP address to be further able to manage the unit. Please check this in the HA chapter of the Handbook.
With the slave unit running independently, you can switch off ports as you like.
I can imagine that having identical VIPs on both units may bring some problems along - YMMV.
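As an added example (not posted by anyone in this thread) of the approach described above, here is the FortiOS CLI sequence for taking the subordinate out of the cluster before shutting its ports; the CLI keyword for the "disable" mode is standalone. Port names and IP addresses are constructed placeholders, and the commands are entered on the subordinate's console only.

```fortios
# Added example: isolate the passive (subordinate) unit without touching the cluster config.
# Run on the SUBORDINATE's console only. Port names and IP addresses are constructed placeholders.

# WRONG while HA is still formed: an interface admin-down is part of the synchronized
# configuration and is propagated to the primary, taking the port down on both units.
#   config system interface
#       edit port2
#           set status down
#       next
#   end

# Step 1: confirm which unit you are on and which role it holds before changing anything.
get system ha status

# Step 2: leave the cluster. From here on this unit no longer sends or receives config sync.
config system ha
    set mode standalone
end

# Step 3: give the now-standalone unit a management address distinct from the primary's,
# so it stays reachable and does not answer for the primary's IP (split-brain risk).
config system interface
    edit port1
        set ip 192.0.2.20 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Step 4: now shut the data ports; with HA disabled the change stays local to this unit.
config system interface
    edit port2
        set status down
    next
    edit port3
        set status down
    next
end

# Step 5: on the PRIMARY, verify it now reports itself as the only cluster member:
#   get system ha status
```

Rejoining later means setting the HA mode back to a-p on this unit with the matching group name and password, after which the primary's configuration overwrites the local one, as the thread describes.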
But if I disable the HA mode on the slave unit, it will become a standalone firewall with the same IP address and routing as the primary firewall and will cause a split brain, right? Correct me if I'm wrong, please. Regarding the HA behaviour where the Primary unit synchronises the port admin status from the Slave unit with a lower device priority, do you have a link to the documentation about it?
Right, as I've posted, the situation could become difficult quickly. Usually, you would not change the HA mode if you only had remote control.
I cannot give you a direct reference to the Handbook where this is described (but with more effort maybe you can). I know it from my experience with FortiOS from the last 14 years.
The HA device priority has nothing to do with how the config is synchronized. HA priority is only relevant for cluster formation; more precisely, it influences the way an HA master is chosen among all HA cluster members. After that decision is made, the master config overwrites the config on all slave units (except for very few HA parameters and the hostname). Synchronization, on the other hand, keeps the common configuration identical on all units of an HA cluster, regardless of the direction (master to slave or vice versa).
It is just weird that the supposedly passive unit is pushing its interface status or any configuration to the active device, because by theory you should be able to change anything on the slave unit without affecting the primary (and that is also the case when a slave is being restarted). But I will keep that in mind on future troubleshooting.
SLAVE (the right wording is "passive") and its configuration are synced to the master. Master in an A-P means only that the control plane and data plane are carried by the master. It does not mean management or configuration is only done at the master.
FWIW: Even the data plane in an A-P passive unit can carry data if you have multi-vdom and vcluster2 enabled.
Heed Ede's words and this thread very carefully in regards to formation of an A-P cluster.
Do you know of any documentation about "only control plane and data-plane is carried by the master" and about the passive device's configuration changes affecting the master, please? I am also digging around, but to no avail.