Does anyone have experience with upgrading two FortiGates in HA Active/Passive mode with VDOM partitioning, when there are two or more vclusters and, despite Active/Passive mode on the hardware firewalls, some VDOMs are active on one firewall and some are active on the other? So, in fact, it's working as Active-Active. Such a topology is called "virtual clustering with two VDOMs and VDOM partitioning".
I'm thinking of a procedure with uninterruptible-upgrade, but my concern is how the FortiGate cluster will behave in this case.
For an Active/Passive deployment, uninterruptible-upgrade first occurs on the subordinate unit; however, in my case it will be active for some VDOMs. Will the cluster correctly fail over all VDOMs to the primary node before starting to upgrade the subordinate node, and vice versa when the subordinate unit is upgraded and restarted?
I don't have experience with that, but I'll be curious to know what you find out. Here's how I would expect it to work:
The subordinate FG on the root VDOM will be upgraded first, causing any VDOMs that were primary on it to fail over to the root VDOM's primary FG. (You could probably force them to fail over via CLI beforehand if you were concerned about when that would happen.) Once the root VDOM's subordinate FG finishes upgrading, the root VDOM's primary FG will upgrade and all VDOMs will fail over to the root VDOM's subordinate FG.
As long as you have validated your HA configuration, there should just be two tiny outages as the HA fails back and forth. This is basically the same as it would work with one VDOM. I'm curious if you find that it works differently.
This is how I run a pair of FortiGates, and I've upgraded them a few times in the past several years. As I recall, the secondary unit will migrate its active VDOMs over to your primary unit before upgrading, and then all of the VDOMs will get migrated to your secondary unit while the primary is upgrading. Once everything is upgraded, the VDOMs that typically run on your primary unit will migrate back to it. Just make sure you back up your configuration files from each unit in case things go sideways.
"When a VDOM cluster is configured in the HA cluster, it will also do the uninterrupted upgrade. The vcluster master will change to the primary unit as soon as you start the upgrade.
For example, two vclusters are configured with different master ownership: VDOM1 master on the Primary and VDOM2 master on the Secondary (Slave).
The Primary device will be master for vcluster1 and vcluster2 during the upgrade process, and once the Secondary successfully completes the upgrade, that will trigger the upgrade and reboot of the Primary unit, and HA failover will happen.
Then HA master ownership will be selected based on uptime and priority."
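A configuration sketch of the topology this thread is about (VDOM1 mastered by the primary unit, VDOM2 by the secondary unit, uninterruptible-upgrade enabled), added here as an illustration; it is not taken from the thread or from Fortinet documentation. It assumes the pre-7.0 `config system ha` syntax with `secondary-vcluster`, heartbeat on port3/port4, the group name, priorities and TFTP address shown (all constructed), and that `execute` commands are run from the global context; the `#` lines are annotations, not CLI, and must be removed before pasting.

```fortios
# Unit A: primary for vcluster1 (root, VDOM1), subordinate for vcluster2 (VDOM2)
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set password "<ha-password>"
    set hbdev "port3" 50 "port4" 50
    # override keeps the role tied to priority, so VDOMs fail back after the upgrade
    set override enable
    set priority 200
    # upgrade the subordinate first, then the primary, with failover in between
    set uninterruptible-upgrade enable
    # enable the second virtual cluster; VDOMs listed here belong to vcluster1
    set vcluster2 enable
    set vdom "root" "VDOM1"
    config secondary-vcluster
        set override enable
        # lower priority: unit A is the subordinate for VDOM2
        set priority 100
        set vdom "VDOM2"
    end
end
# Unit B uses the same block with the priorities swapped (100 above, 200 under
# secondary-vcluster), so VDOM2 is active on B while VDOM1 stays on A.

# Before starting the upgrade: back up each unit and record which unit is
# master for each vcluster, so the post-upgrade state can be compared
execute backup config tftp fgt-a-pre-upgrade.conf 192.0.2.10
get system ha status
```

Run `get system ha status` again after both units have rebooted to confirm that each vcluster's master is back on the unit with the higher priority.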
OK, will see if it is true or not. The schedule for the upgrade isn't defined yet.
Will keep you posted