We have 2 1801F firewalls connected in Active-Passive. However, these firewalls need to be replaced with 2 brand new firewalls of the same model. We wish to perform the activity without incurring any downtime. Kindly advise on the steps to be taken to perform the activity.
My suggestion below is based on the assumption that you're not using override with different priorities between a-p and that you're using session sync. Then it would be:
0. If they're monitoring interfaces, shut down the ports connected to the secondary unit on the switch side.
1. Shut down or simply power down the secondary unit and take it out of the network.
2. Pre-configure HA on the New-1 unit and use the same network cables the previous secondary was connected with, then wait until it syncs up with the primary unit, then normalize the monitored interfaces (don't forget!).
3. Swap between a-p using the command "diag sys ha reset-uptime" on the PRIMARY unit. If sessions are perfectly synced there shouldn't be any noticeable downtime. But something might drop and come back up in transition.
4. Repeat Steps 0-2 on the new secondary (old primary) unit with the New-2 unit to form a-p with the new pair.
Toshi
Hi Toshi
Thank you for the reply. I have checked the config and the session pickup is not currently enabled and the WAN interface is being monitored (port1). I believe the session pickup needs to be enabled then. Also, the secondary has a priority of 128 and the primary has 250.
I am also wondering why the monitored port needs to be disabled from the switch. Since we are bringing the port back up before swapping active and passive, does it do us any good to bring it down from the switch side?
Below is the current config of the HA if it helps make things clearer.
config system ha
    set group-name "HA-Cluster"
    set mode a-p
    set password ENC xBSVedcYcgCWszBwXIXeBuSqc9tsDP5Guq1GPm/ykBMzYKGsZ8I2gZg8h1xA93AcuDNH2EEFsaSPRrTorl9BXywxcegymzsu6W0nOlOGyc+0UmkJp7EPaZdCNaWrn5Li9FvcaSrlXrWE1WHyBarVVvCGq0MnDp+WgID1so0TQbbsQ5wXWQRZ0yPcAA2xdMuXzYNolQ==
    set hbdev "ha1" 0
    set override disable
    set priority 250
    set monitor "port1"
end
Bader
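Added example, not part of either post and not Fortinet code: a small pre-flight check that reads a "config system ha" block and reports the points this thread turns on (session pickup, override, monitored ports) before the swap is attempted. The function names and the sample text are constructed for illustration, and a setting absent from the block is assumed to be disabled.

```python
import shlex

# Constructed sample: the HA block from the thread with the password redacted.
SAMPLE = '''config system ha
    set group-name "HA-Cluster"
    set mode a-p
    set password ENC REDACTED
    set hbdev "ha1" 0
    set override disable
    set priority 250
    set monitor "port1"
end
'''

def parse_ha_block(text):
    """Return {setting: [values]} from the 'config system ha' block."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system ha":
            inside = True
        elif inside and line == "end":
            break
        elif inside and line.startswith("set "):
            tokens = shlex.split(line)  # strips quotes from values like "ha1"
            if len(tokens) >= 2:
                settings[tokens[1]] = tokens[2:]
    return settings

def preflight(settings):
    """Return (code, message) findings to resolve before the unit swap."""
    findings = []
    if settings.get("mode") != ["a-p"]:
        findings.append(("mode", "cluster is not active-passive"))
    # Assumption: a setting that does not appear in the block is disabled.
    if settings.get("session-pickup", ["disable"]) != ["enable"]:
        findings.append(("session-pickup",
                         "sessions are not synced and will not survive the failover"))
    if settings.get("override", ["disable"]) == ["enable"]:
        findings.append(("override",
                         "override is enabled; the procedure assumes it is not in use"))
    ports = settings.get("monitor", [])
    if ports:
        findings.append(("monitor",
                         "bring these ports up on the new unit before failover: "
                         + ", ".join(ports)))
    return findings

if __name__ == "__main__":
    for code, message in preflight(parse_ha_block(SAMPLE)):
        print(f"[{code}] {message}")
```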