
Understand behavior of FortiGate in HA Cluster during firmware upgrade when firmware image is uploaded to the Secondary FortiGate

This article describes what happens when the firmware image is uploaded to the Secondary FortiGate instead of the Primary. In this example, only two FortiGates are configured in the HA cluster (Active-Passive mode):

  • FGVM04TM24000444 as Primary.
  • FGVM04TM24000443 as Secondary.

[Screenshot 1: HA status of the Primary in the GUI]

[Screenshot 2: HA status of the Secondary in the GUI]

[Console output: HA status of the Primary from the CLI]

[Console output: HA status of the Secondary from the CLI]

Scope

FortiGate.

Solution

The Secondary device’s GUI/HTTPS can be reached by configuring a dedicated HA management interface under the HA settings, or by configuring a management IP on one of its interfaces under the system interface settings.

In this example, Management IP is configured on the secondary device:

[Screenshot: management IP configured on the interface of the Secondary device]
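The two ways of reaching the Secondary’s GUI described above, written out as FortiOS CLI. This is an added example and not configuration taken from the original article; the interface names (port3, port1), the addresses and the gateway are assumptions, so adjust them to the cluster. Lines starting with ‘#’ are annotations, not CLI input.

```text
# Option 1: dedicated HA management interface.
# Entered on the Primary; the HA settings are synchronised to the Secondary,
# but the IP address of the reserved interface is NOT synchronised and has
# to be set on each member (for example from the console).
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port3"
            set gateway 192.168.3.254        # assumed gateway
        next
    end
end
# On the Secondary, give the reserved interface its own address:
config system interface
    edit "port3"
        set ip 192.168.3.2 255.255.255.0     # assumed address for the Secondary
        set allowaccess ping https ssh
    next
end

# Option 2: a management IP on an existing interface of the Secondary.
# Entered on the Secondary itself (console, or 'execute ha manage' from the
# Primary). The address answers only on that member and is not synchronised.
config system interface
    edit "port1"
        set management-ip 192.168.1.3/24     # assumed address
    next
end
```

Option 1 keeps management traffic off the data interfaces and gives every member a stable, per-unit address; option 2 is quicker for a one-off check but is only reachable while the Secondary holds that role and that interface.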

The expected behavior and the normal procedure for a firmware upgrade of FortiGates in an HA cluster is simply to upload the firmware image on the Primary. The Secondary devices in the cluster are upgraded first; after all secondary devices have been upgraded, a re-election for the Primary role takes place, and only then does the original Primary upgrade its firmware and reboot.

This is what happens when the firmware image is uploaded to the Secondary device:

When the firmware is uploaded to the Secondary device (reachable over GUI/HTTPS as shown above), the Primary device upgrades its firmware first.

Console (CLI) access to both devices was used to follow the firmware upgrade activity:

FGVM04TM24000444 (Primary), hostname Fortinet1:

[Console output: the Primary upgrading its firmware first]

FGVM04TM24000443 (Secondary), hostname Fortinet2:

[Console output: the Secondary sending the image to the Primary, the unexpected order]

The firmware was uploaded to the Secondary device (FGVM04TM24000443), and, as the console output shows, it is the device that sends the firmware image to the other cluster members (in this case the Primary device, FGVM04TM24000444).

Output of ‘get sys ha status’ on FortiGate Primary after the firmware upgrade:

[Console output: ‘get sys ha status’ on Fortinet1 (FGVM04TM24000444)]

After the firmware sent by the Secondary device FGVM04TM24000443 (where the image was uploaded) has been installed on the Primary device FGVM04TM24000444 and that device has rebooted successfully, the original Primary can see that:

  • The ‘UPGRADE_PRIMARY’ flag has been set for FGVM04TM24000443 (original secondary).
  • The ‘UPGRADE_SECONDARY’ flag has been set for FGVM04TM24000444 (original primary).
  • FGVM04TM24000444 became the primary because it was the only member in the cluster at that time (FGVM04TM24000443 was upgrading and rebooting).
  • FGVM04TM24000444 will be the primary after FGVM04TM24000443 has been upgraded and rebooted, subject to the HA re-election of the primary role (which depends on the HA override setting).

The original Primary device sees this sequence because it was the first to upgrade and reboot.

When the firmware image is uploaded to the original Primary (the expected outcome):

‘get sys ha status’ on the Secondary device should show the following. This is the expected outcome, where the secondary devices upgrade and reboot first.

  • The ‘UPGRADE_PRIMARY’ flag has been set for FGVM04TM24000444 (original primary).
  • The ‘UPGRADE_SECONDARY’ flag has been set for FGVM04TM24000443 (original secondary).
  • FGVM04TM24000443 became the primary because it was the only member in the cluster at that time (FGVM04TM24000444 was upgrading and rebooting).
  • FGVM04TM24000444 will become the primary again after it finishes upgrading its firmware and reboots (depending on the HA override setting).

The original Primary device will not see this sequence in ‘get sys ha status’ because it is the last device to upgrade and reboot.

[Console output: ‘get sys ha status’ on the Secondary device, expected sequence]

To avoid this and get the expected result (the secondary device upgrades and reboots first), upload the firmware image only on the Primary device. It is not necessary to upload it on the Secondary device: FortiGates configured in HA distribute the image to the other cluster members automatically.
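The recommended sequence, run only from the Primary’s CLI, together with the checks a practitioner would want before and after the upgrade. This is an added example, not a procedure from the original article; the TFTP server address, the image filename and the ‘execute ha manage’ index are assumptions. Lines starting with ‘#’ are annotations, not CLI input.

```text
# Before the upgrade: confirm which unit is Primary and that the
# cluster configuration is in sync.
get system ha status
diagnose sys ha checksum cluster

# Upgrade from the Primary only. The Primary pushes the image to every
# Secondary; the Secondaries upgrade and reboot first, the Primary last.
# 'image.out' and 192.168.1.10 (TFTP server) are assumed values.
execute restore image tftp image.out 192.168.1.10

# After all members are back: the Primary is the last to have rebooted,
# so check the sequence on the Secondary. The index after 'execute ha manage'
# is the one listed by 'execute ha manage ?' (assumed to be 0 here).
get system ha status
execute ha manage 0 admin
get system ha status
```

On the Secondary, the flags should read ‘UPGRADE_PRIMARY’ for the original Primary and ‘UPGRADE_SECONDARY’ for the Secondary itself, which is the expected order described above; the reverse assignment is the sign that the image was uploaded to a Secondary.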