Enquiry about missing analysis and delay during FortiSandbox firmware upgrade
I'd like to verify FortiSandbox behavior which is integrated with FortiMail.
Scenario: FortiMail is integrated with FSA1 (Primary) – FSA2 (Slave) – FSA3 (Worker).
When upgrading FSA firmware, devices with operations in the queue cannot send samples to VMs to scan and are expected to wait for the upgrade to complete. As a consequence, FortiMail has a scan timeout and delivers or quarantines mail.
But the customer wants the service to be uninterrupted without missing analysis and delay during firmware upgrade.
Q1. When the master device distributes jobs, is it possible to not distribute jobs to a specific HA node?
Q2. Is there any other way to prevent missing analysis and mail delays when upgrading a device with analysis queues?
Q3. I understand that when upgrading firmware, sandboxes need to upload a rating engine.
Which of the following is the most preferred upgrade best practice?
1. Every time (3.1.3 > 3.1.4 > 3.2.0 + Uploading a rating engine > 3.2.3 + Uploading a rating engine > 4.0.2 b0074 + Uploading a rating engine > 4.0.2 b4125 + Uploading a rating engine)
2. Once (3.1.3 > 3.1.4 > 3.2.0 > 3.2.3 > 4.0.2 b0074 > 4.0.2 b4125 + Uploading a rating engine)
Any input or insights would be greatly appreciated!
Regarding your questions:
Q1: No, it is not possible to distribute jobs to a specific HA node. Only if you remove the node from the cluster and re-add it when needed.
Q2: Upgrade the Worker first so the Secondary will work in the meantime, then upgrade the Secondary so the Worker will work during the upgrade, and last upgrade the Primary so the Secondary will become Primary and handle the traffic.
Q3: Preferably follow the upgrade path, and when you reach the preferred version, finalize it by uploading the Rating Engine.
If you have any further questions please let me know.