Fortigate FW HA Upgrade Questions

BusinessUser · ‎07-07-2023

In a HA environment, how do I select the secondary firewall and make changes to it (in the GUI)?

I dont see any options to control the secondary firewall in the GUI.

If the first firewall is active and the second firewall is passive, how to switch it so that first is passive and second is active? In palo alto you can do a switchover. (weather in gui or cli)

ede_pfau · ‎07-10-2023

Sure.

Priority setting is one of the four criteria used in the HA selection process when establishing the cluster. It is of course dynamic. But a link failure on a monitored link always triggers a failover. It's not a negotiation but a pre-determined action in order to preserve the traffic flow and overall operation. Kind of a last resort reaction.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

View solution in original post

Shilpa1 · ‎07-07-2023

Hello,

Hope the below document link helps:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface/ta-p/1901...

Regards,
Shilpa C.P

BusinessUser · ‎07-09-2023

That helps a bit, but how do I switch the firewall from active to passive and vice versa?

So that I can do upgrading?

srajeswaran · ‎07-09-2023

In fortigate the HA upgrade is performed from the Active node only. You upload the package to Active node the system will sync the package with passive node and upgrade it first. Once the passive node is upgraded the system will do a cluster failover to upgraded node and upgrade the old active node.

Please make sure uninterruptible-upgrade is enabled

ref: https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/247944/upgrading-fortigates-in-an-ha-cl...

If you don't have dedicated ha mgmt enabled, you can access the passive node via CLI only from the active node using exe ha manage.
Ref: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-access-secondary-unit-of-HA-cluster...

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

ede_pfau · ‎07-09-2023

You can force a failover manually, by running this command in CLI:

exec ha failover set 1

See this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-force-HA-failover/ta-p/196696

I personally would prefer to create a condition which is monitored for HA failover, like link monitoring. Say if WAN1 is monitored, just pull the cable from WAN1 on the primary unit. The cluster has no other choice but to fail over then.

If not already in place, you can enable link monitoring in the HA setup (GUI or CLI) without interrupting operation.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

BusinessUser · ‎07-09-2023

Hi,

Will this command still work if say I set the priority of firewall A to 200 but I still purposely fail over so to make it change from primary to secondary?

ede_pfau · ‎07-10-2023

Sure.

Priority setting is one of the four criteria used in the HA selection process when establishing the cluster. It is of course dynamic. But a link failure on a monitored link always triggers a failover. It's not a negotiation but a pre-determined action in order to preserve the traffic flow and overall operation. Kind of a last resort reaction.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

Toshi_Esumi · ‎07-10-2023

Supplement to what Ede said:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HA-Primary-unit-selection-proces...
The 6.0 handbook the links in the KB are pointing to have a nice primary election flowchart.

Toshi