Question about enabling override on HA (active-passive)
Currently moving off Sonicwall to FortiGate. With Sonicwall HA (Active, Standby mode), I am used to the top/primary unit being the active unit in the HA pair and then the second bottom one is just there waiting to kick in if the primary goes down. So if the primary reboots or goes down or whatever, the bottom/secondary kicks in with no interruption and then when the primary comes back online, it automatically switches back to the top/primary unit being active again.
For the FortiGate HA setup, I am doing Active-Passive and setting the top unit as the primary and the bottom unit as secondary. I understand now that it currently goes by uptime on who becomes the primary. I also see that if I configureset override enable, that will force the top / primary unit to always be the active one when it is on.
I guess right now I am just trying to understand the caveats for both setups. Is it ideal for everyone to enable system override or leave it alone? I know it may just be a matter of what we want but I'm sure there's some pro/con with each option.. I guess it really doesn't matter so long as there is no chance of lost config settings with however way it HA is set up.
My main goal is just to have seamless failover/redundancy and ensure no config settings get lost no matter which unit is up or down.
Enabling system override ensures that the top unit always remains the active unit, regardless of the uptime of the two units. This can be useful in situations where you want to have complete control over which unit is active and which is standby, such as when you need to perform maintenance on one of the units and want to ensure that the other unit remains active.
If you do not enable system override, the HA setup will use uptime to determine which unit is active and which is standby. if the top unit has a software or configuration issue that prevents it from functioning properly, you may not be able to fail over to the bottom unit.
As you're probably aware with Sonicwall, the downside of setting up the override is when the cause of the fail-over resolved, like a monitored interface came back up, it automatically fails back and might drop some transitional sessions even if you set the session sync. While it's avoidable if you didn't set the override.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.