In a HA environment, how do I select the secondary firewall and make changes to it (in the GUI)?
I dont see any options to control the secondary firewall in the GUI.
If the first firewall is active and the second firewall is passive, how to switch it so that first is passive and second is active? In palo alto you can do a switchover. (weather in gui or cli)
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Sure.
Priority setting is one of the four criteria used in the HA selection process when establishing the cluster. It is of course dynamic. But a link failure on a monitored link always triggers a failover. It's not a negotiation but a pre-determined action in order to preserve the traffic flow and overall operation. Kind of a last resort reaction.
Hello,
Hope the below document link helps:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface/ta-p/1901...
Regards,
Shilpa C.P
That helps a bit, but how do I switch the firewall from active to passive and vice versa?
So that I can do upgrading?
In fortigate the HA upgrade is performed from the Active node only. You upload the package to Active node the system will sync the package with passive node and upgrade it first. Once the passive node is upgraded the system will do a cluster failover to upgraded node and upgrade the old active node.
Please make sure uninterruptible-upgrade is enabled
ref: https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/247944/upgrading-fortigates-in-an-ha-cl...
If you don't have dedicated ha mgmt enabled, you can access the passive node via CLI only from the active node using exe ha manage.
Ref: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-access-secondary-unit-of-HA-cluster...
You can force a failover manually, by running this command in CLI:
exec ha failover set 1
See this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-force-HA-failover/ta-p/196696
I personally would prefer to create a condition which is monitored for HA failover, like link monitoring. Say if WAN1 is monitored, just pull the cable from WAN1 on the primary unit. The cluster has no other choice but to fail over then.
If not already in place, you can enable link monitoring in the HA setup (GUI or CLI) without interrupting operation.
Hi,
Will this command still work if say I set the priority of firewall A to 200 but I still purposely fail over so to make it change from primary to secondary?
Sure.
Priority setting is one of the four criteria used in the HA selection process when establishing the cluster. It is of course dynamic. But a link failure on a monitored link always triggers a failover. It's not a negotiation but a pre-determined action in order to preserve the traffic flow and overall operation. Kind of a last resort reaction.
Supplement to what Ede said:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HA-Primary-unit-selection-proces...
The 6.0 handbook the links in the KB are pointing to have a nice primary election flowchart.
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1529 | |
1027 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.