- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: put ha cluster in maintenance mode preventing ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
put ha cluster in maintenance mode preventing split brain scenario
Hi,
i was wondering. Is there a way to put a ha cluster in maintenance mode? With maintenance mode i mean, there will be no response to heartbeat failures for example. Primary member remains active. Secondary remains not active. This would be handy in a situation where there is maintenance on the networking infrastructure between two sites, impacting the hearbeats between the nodes. And we want to prevent split brain scenario's...
Ofcourse, we can shutdown the secundary node. But since the used Fortigates cannot be powered on again remotely without someone going physically onsite to press the power button...
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
-
High Availability
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @pnobels ,
As far as I am aware there is not maintenance mode in FortiGate. If you cannot shutdown the secondary node and you do not want the secondary node to take over, you can do the following (if applicable):
1- shutdown/disable all data ports on secondary unit (on the connected switch side, not on the FGT side). In that case the secondary unit will not take over and even if it becomes the primary due to split brain, it will not affect your network data. Bear in mind that if you use the same MGMT IP (not reserved MGMT interface) and the HA breaks between primary and secondary, you might not be able to access secondary unit through MGMT IP remotely.
2- If you disable one or more FortiGate monitored interfaces (on switch side) on the secondary unit, it will not be able to take over. That would not prevent split brain scenarios anyway. [https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HA-Primary-unit-selection-proces... ]
Hope this helps.
Best regards,
---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @pnobels ,
As far as I am aware there is not maintenance mode in FortiGate. If you cannot shutdown the secondary node and you do not want the secondary node to take over, you can do the following (if applicable):
1- shutdown/disable all data ports on secondary unit (on the connected switch side, not on the FGT side). In that case the secondary unit will not take over and even if it becomes the primary due to split brain, it will not affect your network data. Bear in mind that if you use the same MGMT IP (not reserved MGMT interface) and the HA breaks between primary and secondary, you might not be able to access secondary unit through MGMT IP remotely.
2- If you disable one or more FortiGate monitored interfaces (on switch side) on the secondary unit, it will not be able to take over. That would not prevent split brain scenarios anyway. [https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HA-Primary-unit-selection-proces... ]
Hope this helps.
Best regards,
---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @pnobels
In addition to @fricci_FTNT 's response, in case you just afraid of losing HB links, you can temporarily add as many low priority HBs as you want on prod links, if you are sure that these prod links are not exposed to connectivity failure.
In such way even if you lose the two main HBs you'll not have split brain.
AEK
AEK
Related Posts
- Multicast Flooding Issue with 100+ Apple... 253 Views
- put ha cluster in maintenance mode... 320 Views
- Fortigate 50E Behind NAT router for... 6829 Views
- VPN Tunnel fail when removing SLAVE... 1947 Views
- BGP failover did not work as... 2932 Views
Labels
-
FortiGate
6,533 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.