githubfoam/fortigate - HA mode cheat sheet

## fortigate - HA mode cheat sheet
#=====================================================================
#how to power off fortigate cluster
#unplug the power cables as there is no power buttons

shut down first the secondary(backup unit)
Unit-1 # execute ha manage 1                 {To switch to the backup unit}
Unit-2 $                                     {Now on the backup unit}
Unit-2 $ execute shutdown                    {To shut down the backup unit}
This operation will shutdown the system !
Do you want to continue? (y/n)y
Unit-1 #                                     {Automatically returned to the master unit}

shut down first the primary(master unit)

Unit-1 # execute shutdown                    {To shut down the master unit}
This operation will shutdown the system !
Do you want to continue? (y/n)y

#=====================================================================
diag sys ha checksum cluster #verify the HA checksum to make sure the HA is in sync
diagnose sys ha hadiff status	#Show a HA diff:
diagnose sys ha reset uptime	#Execute a fail-over
get system checksum status	#Show HA checksum
get system ha status	#Show HA status
#=====================================================================
TAUDMZFW02 (setting) # set
HA-logs                                 Enable/disable HA logs in alert email
#=====================================================================
#config system ha # switch to HA mode
(ha) #sh full # show full configuration
(ha) # end

#=====================================================================
#access secondary unit of HA cluster via CLI


# execute ha manage [ID] [username] #the primary unit CLI

# execute ha manage 1 EXAMPLE   < ----- 1 is the ID of secondary unit and EXAMPLE is the admin username.


# show full-configuration system ha

Using the CLI of the primary FortiGate, you can connect to any secondary CLI:
# execute ha manage <cluster_id> <Admin_Username>

To list index numbers for each FortiGate device, use a question mark:
# execute ha manage ?
<id>    please input peer box index.
<1>     Subsidary unit FGVM0100000xxxxx


#=====================================================================
#Upgrading FortiGates in an HA cluster

#upgrade the firmware on an HA cluster in the same way as on a standalone FortiGate
#During a firmware upgrade, the cluster upgrades the primary unit and all of the subordinate units to the new firmware image


Before upgrading a cluster,

back up your configuration (Configuration backups)
schedule a maintenance window
make sure that you are using a supported upgrade path (https://docs.fortinet.com/upgrade-tool).
#=====================================================================
#Downloading a firmware image

Log into the support site with your user name and password.
Go to Support > Firmware Download.
download and review the Release Notes for the firmware version that you are upgrading your FortiGate unit to.

Select the Download tab.
Navigate to the folder for the firmware version that you are upgrading to.
Find your device model on the list
#=====================================================================
#Configure Local-In-Policy in HA mode

#view current config
FW02 # config firewall local-in-policy
FW02 # show

FW02 # config firewall local-in-policy
FW02 (local-in-policy) # edit 1
new entry '1' added
FW02 (1) # set ha-mgmt-intf-only en
FW02 (1) # set intf mgmt
FW02 (1) # set srcaddr MGMT_IPS
FW02 (1) # set action accept
FW02 (1) # set dstaddr Primary_Mgmt
FW02 (1) # set service GUI_8080 HTTP HTTPS
FW02 (1) # set schedule always
FW02 (1) # end


By default it is “DENY” policy (2)

FW02 (local-in-policy) # edit 2
new entry '2' added
FW02 (2) # set ha-mgmt-intf-only en
FW02 (2) # set intf mgmt
FW02 (2) # set srcaddr all
FW02 (2) # set dstaddr Primary_Mgmt
FW02 (2) # set service GUI_8080 HTTP HTTPS
FW02 (2) # set schedule always
FW02 (2) # end

FW02 (local-in-policy) # delete 2  #Delete Local-In-Policy, WARNING first delete policy!!
FW02 (local-in-policy) # delete 1


#multiple interfaces
FW02 (2) # set dstaddr Primary_Mgmt,Secondary Mgtm
#=====================================================================
Best practice for administrative access on mgmt interface
HTTPS,SSH enable
HTTP,PING disable
#=====================================================================
#How to revert HA cluster unit to the previous firmware image
#In some cases, firmware upgrades cause unexpected issues and reverting to the previous image is a fast fix worth considering

#FortiGate has two boot partitions on its flash drive to store firmware images and configuration files.
#When Fortigate firmware is upgraded, the new firmware image is stored on one partition (which becomes primary)
#while the previous firmware image will still be stored on another partition as a backup image (secondary).


#perform a quick roll-back of the FortiGate firmware:


        FGT# diag sys flash list

        FGT# execute set-next-reboot secondary

        FGT# exec reboot

These commands are not synchronized and must be used on each and every FortiGate unit member of the cluster.
The units will boot with the newly selected firmware image and the HA master will be selected according to FortiOS HA master election

Direct console access, or cable access to a port, or dedicated management interface is strongly recommended for each of the units in the cluster.

If the units are not rebooted at the same time, then after reboot the cluster may no longer form, and create a split-brain scenario.
Second unit may not be reachable through '# exec ha manage'

#=====================================================================
#Selecting an alternate firmware for the next reboot
# In HA environments, the command needs to be applied to each unit in the cluster individually.
# This is not synchronized and will not automatically take effect on other units in the cluster.

#lists the FortiOS image files installed in both partitions
# partition 1 can be seen to be active and holds the current firmware (6.4.3, while the secondary is on 6.4.4)
    FGT # diag sys flash list
    Partition    Image                       TotalSize(KB)   Used(KB)  Use%    Active
    1            FGT61E-6.04-FW-build1778-201021    253920      87604   35%    Yes
    2            FGT61E-6.04-FW-build1803-201209    253920      88660   35%    No
    3            ETDB-84.00660                     3021708     200120    7%    No
    Image build at Dec  9 2020 22:27:52 for b1803

#To revert to the previous or other firmware use the following commands through the CLI and select which firmware should be used at the next reboot:
#Primary and Secondary simply refer to the partition number 1 or partition number 2 respectively. Partition number 3 can be ignored.

    FGT# execute set-next-reboot {primary | secondary} <-----In this example it will be secondary.
    FGT# execute set-next-reboot secondary
    Default image is changed to image# 2.

#Once the secondary partition that is to be used to boot the device has been selected, reboot the FortiGate
FGT # execute reboot

#verify that the FortiGate has rebooted from the secondary partition. [See the example below].

    FGT # diag sys flash list
    Partition    Image                       TotalSize(KB)   Used(KB)  Use%    Active
    1            FGT61E-6.04-FW-build1778-201021    253920      87604   35%    No
    2            FGT61E-6.04-FW-build1803-201209    253920      88660   35%    Yes
    3            ETDB-84.00660                     3021708     200120    7%    No
    Image build at Dec  9 2020 22:27:52 for b1803
#=====================================================================
You can force HA failover on a primary device:
# execute ha failover set <cluster_id>

Forced failover on primary device:
# execute ha failover set 1
Caution: This command will trigger an HA failover.
It is intended for testing purposes.
Do you want to continue? (y/n)y

To view failover status
# execute ha failover status
failover status: set

To view the system status of a device in forced HA failover:
# get system ha status

To stop the failover status:
# execute ha failover unset 1

To view the system status of a device after forced HA failover is disabled:
# get system ha status
#=====================================================================
Checking the Configuration Synchronization

Run the following command on the cluster member(s):
 # diagnose sys ha checksum
   cluster       Show HA cluster checksum
   show          Show HA checksum of logged
		     in FortiGate
   recalculate   Re-calculate HA checksum

All peers must have the same sequences of checksum numbers
#=====================================================================
Checking the Status of the HA Using the CLI

diagnose sys ha status
#=====================================================================
	#=====================================================================
	#how to power off fortigate cluster
	#unplug the power cables as there is no power buttons

	shut down first the secondary(backup unit)
	Unit-1 # execute ha manage 1 {To switch to the backup unit}
	Unit-2 $ {Now on the backup unit}
	Unit-2 $ execute shutdown {To shut down the backup unit}
	This operation will shutdown the system !
	Do you want to continue? (y/n)y
	Unit-1 # {Automatically returned to the master unit}

	shut down first the primary(master unit)

	Unit-1 # execute shutdown {To shut down the master unit}
	This operation will shutdown the system !
	Do you want to continue? (y/n)y

	#=====================================================================
	diag sys ha checksum cluster #verify the HA checksum to make sure the HA is in sync
	diagnose sys ha hadiff status #Show a HA diff:
	diagnose sys ha reset uptime #Execute a fail-over
	get system checksum status #Show HA checksum
	get system ha status #Show HA status
	#=====================================================================
	TAUDMZFW02 (setting) # set
	HA-logs Enable/disable HA logs in alert email
	#=====================================================================
	#config system ha # switch to HA mode
	(ha) #sh full # show full configuration
	(ha) # end

	#=====================================================================
	#access secondary unit of HA cluster via CLI


	# execute ha manage [ID] [username] #the primary unit CLI

	# execute ha manage 1 EXAMPLE < ----- 1 is the ID of secondary unit and EXAMPLE is the admin username.


	# show full-configuration system ha

	Using the CLI of the primary FortiGate, you can connect to any secondary CLI:
	# execute ha manage <cluster_id> <Admin_Username>

	To list index numbers for each FortiGate device, use a question mark:
	# execute ha manage ?
	<id> please input peer box index.
	<1> Subsidary unit FGVM0100000xxxxx


	#=====================================================================
	#Upgrading FortiGates in an HA cluster

	#upgrade the firmware on an HA cluster in the same way as on a standalone FortiGate
	#During a firmware upgrade, the cluster upgrades the primary unit and all of the subordinate units to the new firmware image



	Before upgrading a cluster,

	back up your configuration (Configuration backups)
	schedule a maintenance window
	make sure that you are using a supported upgrade path (https://docs.fortinet.com/upgrade-tool).
	#=====================================================================
	#Downloading a firmware image

	Log into the support site with your user name and password.
	Go to Support > Firmware Download.
	download and review the Release Notes for the firmware version that you are upgrading your FortiGate unit to.

	Select the Download tab.
	Navigate to the folder for the firmware version that you are upgrading to.
	Find your device model on the list
	#=====================================================================
	#Configure Local-In-Policy in HA mode

	#view current config
	FW02 # config firewall local-in-policy
	FW02 # show

	FW02 # config firewall local-in-policy
	FW02 (local-in-policy) # edit 1
	new entry '1' added
	FW02 (1) # set ha-mgmt-intf-only en
	FW02 (1) # set intf mgmt
	FW02 (1) # set srcaddr MGMT_IPS
	FW02 (1) # set action accept
	FW02 (1) # set dstaddr Primary_Mgmt
	FW02 (1) # set service GUI_8080 HTTP HTTPS
	FW02 (1) # set schedule always
	FW02 (1) # end


	By default it is “DENY” policy (2)

	FW02 (local-in-policy) # edit 2
	new entry '2' added
	FW02 (2) # set ha-mgmt-intf-only en
	FW02 (2) # set intf mgmt
	FW02 (2) # set srcaddr all
	FW02 (2) # set dstaddr Primary_Mgmt
	FW02 (2) # set service GUI_8080 HTTP HTTPS
	FW02 (2) # set schedule always
	FW02 (2) # end

	FW02 (local-in-policy) # delete 2 #Delete Local-In-Policy, WARNING first delete policy!!
	FW02 (local-in-policy) # delete 1


	#multiple interfaces
	FW02 (2) # set dstaddr Primary_Mgmt,Secondary Mgtm
	#=====================================================================
	Best practice for administrative access on mgmt interface
	HTTPS,SSH enable
	HTTP,PING disable
	#=====================================================================
	#How to revert HA cluster unit to the previous firmware image
	#In some cases, firmware upgrades cause unexpected issues and reverting to the previous image is a fast fix worth considering

	#FortiGate has two boot partitions on its flash drive to store firmware images and configuration files.
	#When Fortigate firmware is upgraded, the new firmware image is stored on one partition (which becomes primary)
	#while the previous firmware image will still be stored on another partition as a backup image (secondary).


	#perform a quick roll-back of the FortiGate firmware:


	FGT# diag sys flash list

	FGT# execute set-next-reboot secondary

	FGT# exec reboot

	These commands are not synchronized and must be used on each and every FortiGate unit member of the cluster.
	The units will boot with the newly selected firmware image and the HA master will be selected according to FortiOS HA master election

	Direct console access, or cable access to a port, or dedicated management interface is strongly recommended for each of the units in the cluster.

	If the units are not rebooted at the same time, then after reboot the cluster may no longer form, and create a split-brain scenario.
	Second unit may not be reachable through '# exec ha manage'

	#=====================================================================
	#Selecting an alternate firmware for the next reboot
	# In HA environments, the command needs to be applied to each unit in the cluster individually.
	# This is not synchronized and will not automatically take effect on other units in the cluster.

	#lists the FortiOS image files installed in both partitions
	# partition 1 can be seen to be active and holds the current firmware (6.4.3, while the secondary is on 6.4.4)
	FGT # diag sys flash list
	Partition Image TotalSize(KB) Used(KB) Use% Active
	1 FGT61E-6.04-FW-build1778-201021 253920 87604 35% Yes
	2 FGT61E-6.04-FW-build1803-201209 253920 88660 35% No
	3 ETDB-84.00660 3021708 200120 7% No
	Image build at Dec 9 2020 22:27:52 for b1803

	#To revert to the previous or other firmware use the following commands through the CLI and select which firmware should be used at the next reboot:
	#Primary and Secondary simply refer to the partition number 1 or partition number 2 respectively. Partition number 3 can be ignored.

	FGT# execute set-next-reboot {primary \| secondary} <-----In this example it will be secondary.
	FGT# execute set-next-reboot secondary
	Default image is changed to image# 2.

	#Once the secondary partition that is to be used to boot the device has been selected, reboot the FortiGate
	FGT # execute reboot

	#verify that the FortiGate has rebooted from the secondary partition. [See the example below].

	FGT # diag sys flash list
	Partition Image TotalSize(KB) Used(KB) Use% Active
	1 FGT61E-6.04-FW-build1778-201021 253920 87604 35% No
	2 FGT61E-6.04-FW-build1803-201209 253920 88660 35% Yes
	3 ETDB-84.00660 3021708 200120 7% No
	Image build at Dec 9 2020 22:27:52 for b1803
	#=====================================================================
	You can force HA failover on a primary device:
	# execute ha failover set <cluster_id>

	Forced failover on primary device:
	# execute ha failover set 1
	Caution: This command will trigger an HA failover.
	It is intended for testing purposes.
	Do you want to continue? (y/n)y

	To view failover status
	# execute ha failover status
	failover status: set

	To view the system status of a device in forced HA failover:
	# get system ha status

	To stop the failover status:
	# execute ha failover unset 1

	To view the system status of a device after forced HA failover is disabled:
	# get system ha status
	#=====================================================================
	Checking the Configuration Synchronization

	Run the following command on the cluster member(s):
	# diagnose sys ha checksum
	cluster Show HA cluster checksum
	show Show HA checksum of logged
	in FortiGate
	recalculate Re-calculate HA checksum

	All peers must have the same sequences of checksum numbers
	#=====================================================================
	Checking the Status of the HA Using the CLI

	diagnose sys ha status
	#=====================================================================
No results found