Hello
I have to change an HA password for security reasons. Is it best to change it from the GUI or the CLI?
Is the only place that needs to be changed System > HA on the primary device - and then that should populate it to the secondary HA2?
Thank you. I know it is kind of basic, but I am just making sure there are no gotchas.
Hi bigkeoni64,
If you change the password, the cluster will break. Therefore, I would recommend you do it one by one:
1) Break the HA cluster by removing the HA cable(s).
2) Change the HA password on CLI on both primary and secondary units:
# config sys ha
# set password <password>
# end
3) Reconnect the HA cable(s).
While doing this, network disruptions should not be expected, as the primary unit is still processing the traffic. But we would suggest you schedule a maintenance window to avoid any problem.
Thank you Waqas, you have confirmed my suspicion. Having someone onsite might not be possible. What if I did things this way:
1. Have two CLI sessions going to the primary
2. #execute ha manage 1
3. Change the ha password on the secondary
4. Change the password on the primary CLI session
5. Done
Seems as though this would be possible.
Hey bigkeoni64,
Yes, this should work, but you have to make sure there is no typo, as the moment you change the HA password you lose access to the secondary via 'execute ha manage' and will only regain it once the cluster is reformed with the new cluster password - and the cluster can't reform if there is a mismatch/typo somewhere.
What you could consider (to substitute for onsite) is to set up individual HA management for each unit - that way each node would have its own IP you can access individually, and you wouldn't lose access to the secondary even if there is a mismatch in the password for some reason.
An example: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/234765/out-of-band-management
Either way you should make the change during a maintenance window, as there would be a short time the cluster can't connect to each other, which might mean both units consider themselves primary and you have a split-brain scenario temporarily, until the cluster is reformed with the new password.
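As an added illustration (not part of the reply above), this is the FortiOS 6.x CLI shape of the reserved HA management interface suggested there; the interface name, gateway and per-unit IPs are constructed placeholders, and the HA settings are entered once on the primary while the interface IP is set separately on each unit, since it is deliberately not synchronized.

```fortios
# On the primary (synchronized to the secondary): reserve an interface
# for per-unit management so each node stays reachable even if the
# cluster fails to reform after the password change.
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port9"        # constructed example interface
            set gateway 192.0.2.1        # constructed example gateway
        next
    end
end

# On EACH unit individually (this part is not synchronized):
# primary gets one address, secondary another.
config system interface
    edit "port9"
        set ip 192.0.2.11 255.255.255.0   # 192.0.2.12 on the secondary
        set allowaccess ping https ssh
    next
end
```

Once both units answer on their own management address, the password can be changed on each one directly instead of through 'execute ha manage', and `get system ha status` on either node shows whether the cluster has reformed.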
Hi,
What is the recommended approach for Fortinet FWs hosted on Azure ?
Thanks,
KT