Upgrading cluster firmware
You can upgrade the FortiOS firmware running on an HA cluster in the same manner as upgrading the firmware running on a standalone FortiGate. During a normal firmware upgrade, the cluster upgrades the primary unit and all subordinate units to run the new firmware image. The firmware upgrade takes place without interrupting communication through the cluster.
|Upgrading cluster firmware to a new major release (for example upgrading from 5.6.3 to 6.0.2) is supported for clusters. Make sure you are taking an appropriate upgrade path. Even so you should back up your configuration and only perform such a firmware upgrade during a maintenance window.|
To upgrade the firmware without interrupting communication through the cluster, the cluster goes through a series of steps that involve first upgrading the firmware running on the subordinate units, then making one of the subordinate units the primary unit, and finally upgrading the firmware on the former primary unit. These steps are transparent to the user and the network, but depending upon your HA configuration may result in the cluster selecting a new primary unit.
The following sequence describes in detail the steps the cluster goes through during a firmware upgrade and how different HA configuration settings may affect the outcome.
- The administrator uploads a new firmware image from the GUI or CLI.
- If the cluster is operating in active-active mode load balancing is turned off.
- The cluster upgrades the firmware running on all of the subordinate units.
- Once the subordinate units have been upgraded, a new primary unit is selected.
This primary unit will be running the new upgraded firmware.
- The cluster now upgrades the firmware of the former primary unit.
If the age of the new primary unit is more than 300 seconds (5 minutes) greater than the age of all other cluster units, the new primary unit continues to operate as the primary unit.
This is the intended behavior but does not usually occur because the age difference of the cluster units is usually less than the cluster age difference margin of 300 seconds. So instead, the cluster negotiates again to select a primary unit as described in Primary unit selection with override disabled (default).
You can keep the cluster from negotiating again by reducing the cluster age difference margin using the
ha-uptime-diff-marginoption. However, you should be cautious when reducing the age or other problems may occur. For information about the cluster age difference margin, see Cluster age difference margin (grace period). For more information about changing the cluster age margin, see Changing the cluster age difference margin.
- If the cluster is operating in active-active mode, load balancing is turned back on.
|If, during the firmware upgrade process all of the subordinate units crash or otherwise stop responding, the primary unit will not be upgraded to the new firmware, but will continue to operate normally. The primary unit waits until at least one subordinate unit rejoins the cluster before upgrading its firmware.|
Changing how the cluster processes firmware upgrades
By default cluster firmware upgrades proceed as uninterruptable upgrades that do not interrupt traffic flow. If required, you can use the following CLI command to change how the cluster handles firmware upgrades. You might want to change this setting if you are finding uninterruptable upgrades take too much time.
config system ha
set uninterruptible-upgrade disable
uninterruptible-upgrade is enabled by default. If you disable
uninterruptible-upgrade the cluster still upgrades the firmware on all cluster units, but all cluster units are upgraded at once; which takes less time but interrupts communication through the cluster.
If the firmware build running on a FortiGate that you add to a cluster is older than the cluster firmware build, you may be able to use the following steps to synchronize the firmware running on the new cluster unit.
This procedure describes re-installing the same firmware build on a cluster to force the cluster to upgrade all cluster units to the same firmware build.
Due to firmware upgrade and synchronization issues, in some cases this procedure may not work. In all cases it will work to install the same firmware build on the new unit as the one that the cluster is running before adding the new unit to the cluster.
To synchronize the firmware build running on a new cluster unit
- Obtain a firmware image that is the same as build already running on the cluster.
- Connect to the cluster using the GUI.
- Go to the System Information dashboard widget.
- Select Update beside Firmware Version.
You can also install a newer firmware build.
- Select OK.
After the firmware image is uploaded to the cluster, the primary unit upgrades all cluster units to this firmware build.