apex
New Contributor

active-passive firmware upgrade

Hi All, I wonder if you can help me. I've got two Fortigate 110C boxes running in an active-passive cluster. They are on firmware 3.0 and I'd like to upgrade them to 4.0 MR3. I know that I can't jump directly from 3.0 to 4.0 MR3 and will have to do it step by step, but I was wondering what the best way to do it is. Do I upgrade the master first and the slave will automatically get upgraded? Or do I have to break the cluster and do it separately? What does the process look like? Thanks in advance! A
rwpatterson
Valued Contributor III

Why do you want to work harder? The upgrade takes care of the breakdown/reassembly of the units for you. Just pick your new version, sit back and monitor. If you do feel the need to break the cluster, you introduce the chance for errors and misconfiguration if not put back correctly.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Greg_Tuthill

Hi apex, How did the upgrade go? I am doing the same next week and I'm interested if you had any issues. Cheers, Greg
apex

Hi Greg, All went fine as planned. My advice is: have the slave powered down when re-connecting cables at the end; it should be powering up when everything is in its own place ;) Cheers, A
rwpatterson
Valued Contributor III

Which method did you use? (Looks like you split them)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Greg_Tuthill

So I have done my upgrade. Here are some details and what I did and the results.

HA pair of Fortigate 110c
Starting firmware: v4.0 MR1 Patch 2
Upgraded firmware: v4.0 MR2 Patch 9
Method: Keep the HA pair together.

  • Log in to the cluster IP and upgrade firmware as normal.
  • Monitor the slave firewall from the serial console.
  • Slave will reboot automatically after upgrade.
  • Monitor the cluster from the GUI.
  • Wait.... no actions for about 10 mins.
  • Master reboots automatically after upgrade.
  • Wait........
  • Completed.
  • Run tests: diag error-config-log read etc...

So the upgrade was really straightforward, and no read issues afterwards. The part that got me was that the GUI doesn't really give you any idea of what is happening for quite a long time. So my advice is to just be patient and monitor the slave from the console so you have some idea that something is actually happening. Have fun!
ede_pfau
SuperUser

No re-config necessary. If you really want to do it this way be sure to isolate both units from any network. You can manage them from a host connected to the internal port (or any other). I still don't get it why you would do it this way but... it's your machine.
Ede Kernel panic: Aiee, killing interrupt handler!
apex
New Contributor

Thank you for all your answers. If it was my choice, I would do it the easy way; unfortunately I can't at this point, so just wanted to make sure I understand the process. THANK YOU, A
rwpatterson
Valued Contributor III

The hard way:

  • Split the 2 devices. a) live & b) offline
  • Upgrade the versions on each (a & b)
  • Make sure the second (b) has a lower priority (lower number) in the HA section
  • Connect the HA port(s)

The configuration will come across via the HA connections and sync the 2 units. Some folks here would have you back up the live unit, restore to the offline, and then log in and change the configuration to the offline one before reconnecting (or edit the backup file before uploading if you are proficient in CLI). That will work, but requires a bit more work again.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
apex

Thank you Guys!
Jan_Scholten
Contributor

I'd oppose breaking up the cluster. I have done multiple cluster updates from 3.X to higher versions (>>150) and apart from 2 * 60C where one FGT didn't reboot after new firmware I had no problems. I don't really see what you are trying to achieve with splitting the cluster: you have double the work, failover will not work gracefully... I did remote upgrades in China and Poland without any hassle. What I would do: Backup! Have configuration and matching firmware ready, maybe on a USB stick, and use boot from USB if anything fails (probably will not!)