Hi All,
Can anyone share a good and easy document for the firmware upgrade steps for a master-slave firewall cluster?
I would also like to clear up some confusion related to priority/failover and reboot of a unit.
We have an active-passive cluster. The Master unit priority is 120 and the Slave priority is 119. In the coming days we have a plan for failover testing of these units. So, what are the recommended steps for failover and fallback?
As far as I know, we can do it by reducing the priority of the Master. In our case we can reduce the Master priority to 118 so that the Slave unit (119) can take over and become Master, and for fallback increase the priority of the current Slave (which was Master earlier) from 118 to 120.
Will changing the priority of Master ... instantly trigger failover, or do the devices need a reboot to make the changes effective?
What is the CLI command to reboot the Slave unit?
Rgs
To me, newer versions of the Cookbooks are still not good enough to provide key info like the primary election flow, etc. So I still come back to the 6.0 Handbook HA section: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/643919/high-availability
I'm not sure if changing priority value for override would trigger an election process immediately because we never used priority/override since it would cause one more outage when the cause of the original outage was resolved (switch back). But I would assume it would trigger it immediately.
However, it would not be a good way to test HA because a priority change wouldn't happen in real fail-over situations. And the switch-back I mentioned wouldn't happen if you change the priorities.
Either the primary unit fails, or an interface/a path to destinations fails for the primary unit in reality. You should simulate those real case scenarios against how you configured HA.
Upgrading the firmware on an HA cluster is as easy as upgrading the firmware on a single unit. You simply upgrade the firmware on the primary unit as you normally would and it takes care of upgrading the secondary unit automatically, failing over between the units automatically as each one is rebooted in turn so you have virtually no downtime:
This is the process we've always followed with our customers' A/P HA clusters and we've found it to work well. The only thing different really vs. a single unit firmware upgrade is that it does take a little longer because both units are upgraded and rebooted in sequence, and if you're following a multi-step upgrade path you do have to wait for the cluster to re-form before doing the next firmware upgrade.
Tip: run "diag debug config-error-log read" after every firmware upgrade as a safety check to see if any part of your configuration has been dropped by the new firmware.
Russ
NSE7