This page outlined the process to be followed when upgrading the FortiGate firewall clusters.
Always perform the firmware upgrade onsite due to the risk of something going wrong and requiring manual intervention. Or have a technician on site if you are unable to be there. Make sure the yourself or the technican have local copies of all firmware versions and configuration files in case network access is lost.
- Plug onsite laptop into local switch on the correct VLAN in order to connect to network (Investigate prior what port is free and on the correct VLAN)
- Plug console cable into FortiGates to monitor output.
- RDP to one of the trusted hosts
- Have FTP server running on the laptop so you can download config backups from SSH. (Suggest “Quick n Easy FTP Server”)
- Take config backup of both Cluster members using ftp, its not enough just to have a config backup of the master as this can be troublesome when you need to recover the slave with the masters configuration file.
- #execute backup config ftp configp.conf 192.168.90.xx user password
- #get sys ha status (to show node id and cluster status)
- #execute ha manage 1 (or 0) (depending on above output to change console to either the master or slave)
- #execute backup config ftp configs.conf 192.168.90.xx user password
- Upload/Download firmware files to the management server so you can upload to the firewall when you are ready.
- Ensure both cluster members show the same checksum’s to ensure they are both in sync, both cluster members should have identical checksums.
- diagnose system ha cluster-csum
- diagnose system ha cluster-csum
- Restart slave device to prove it will reboot and join the cluster correctly (laptop with console connection with see progress of slave syncing files with master, can take a while)
- get sys ha status (to show node id and cluster status)
- execute ha manage 1 (or 0) (depending on above output)
- execute reboot
- Once rebooted and syncd’s files with master correctly and is part of the cluster again, force ha failover and reboot the other cluster device. (This command may not work correctly. For Loyalty, the Master will always pre-empt the slave and assume the master role. Ideally this won’t happen until it is done manually to avoid unexpected results. An alternative method is to manually change the priority of the slave to be greater than the master)
- diagnose system ha reset-uptime (on slave)
- execute reboot
- Once both devices are in sync and part of the cluster you can proceed with the firmware upgrade. You must follow the FortiGate recommended upgrade path which can be found here.
- Ensure cluster members are in sync
- #diagnose system ha cluster-csum
- #diagnose system ha cluster-csum
- By using the Firewall Web GUI perform the firmware upgrade and monitor HA status and device status. Cluster members will failover and upgrade firmware as to reduce downtime. (You may notice a longer period of downtime (10-15sec) when the master is updated)
- When firmware upgrade is complete confirm HA status of the cluster
get sys ha status
get sys stat (view firmware version via CLI - Take configuration backup after each firmware upgrade if performing multiple upgrades in the supported upgrade path.
If there is a flash read/write failure on firmware upgrade then following the below process. Confirm this process for the type of model you are using. (To be performed on site)
- Connect to console port using Putty, connect ethernet port on laptop to MGMT1 for tftp.
- Start TFTP32 server application on laptop. Can also use FTP
- Reboot device and interrupt boot sequence when prompted.
- Format Device and interrupt boot sequence again when prompted
- Load Firmware image from TFTP server (laptop)
- Firmware will load with default settings.
- Upload most current config from tftp (laptop)
- #exec restore config tftp filename.conf TFTP.SERVER.IP user password
- Wait for slave to sync with master.
marktugbo.com 