Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    Home FortiAnalyzer 7.0.0 New Features
    7.0.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.3
    6.2.2
    6.2.1
    6.2.0

    FortiAnalyzer HA graceful upgrade

    FortiAnalyzer HA graceful upgrade

    With this new feature, FortiAnalyzer HA supports graceful upgrading to avoid log loss, and also allow a trial period of the new image and support roll-back to the existing firmware if the new image has any issues.

    In the following example, FortiAnalyzer HA is being upgraded from version 6.4.5 to 7.0.0, and contains two members: FAZ-1 is the Primary and FAZ-2 is the Secondary.

    Note

    Graceful upgrade is only supported when upgrading from 6.4.5 and above to version 7.0.0 and later.

    Data conversion depends on each application using this framework to do the conversion between the different versions. In 7.0.0, only incident conversion is supported when syncing from a higher level version to lower level version.
    To update FortiAnalyzer HA gracefully:
    1. Upgrade FAZ-2, the Secondary unit, to the new version. In this example, FAZ-2 is upgraded from version 6.4.5 to 7.0.0.
    2. After FAZ-2 is up and running, check that there are no critical crashes and that the Primary can still forward logs to the Secondary. Event Alert and Incidents still can be received from 6.4.5 to 7.0.0.
      • To check that there are no critical crashes, use the following CLI command:

        diagnose debug crash read

      • To check that logs are being forwarded, use the following CLI command:

        diagnose test application logfwd 4

      • To create an example to check event alert synchronization, log in to FortiAnalyzer using the wrong password to generate a new local event log, and check on both FAZ-1 and FAZ-2 to confirm that the event alert can be found on both devices.
      • To create an example to check incident synchronization, create a new incident on FAZ-1, then check on FAZ-2 to see if it was correctly synced across devices.
    3. Since both devices are now running on different firmware versions, configuration synchronization is unavailable at this time. You can check this setting using the diagnose ha status command in the FortiAnalyzer CLI.
      In this example, the config sync status is down, and no configuration changes can be synced from the Primary to Secondary unit.

      diagnose ha status

      HA-Status: Primary

      up-time: 11h38m12.811s

      config-sync: Allow

      serial-no: FL-1KE3R16000432

      fazuid: 2626920937

      hostname: FAZ1000E-2

      HA-Secondary HA1000e@192.168.1.90 FL-1KE3R16000419

      ip: 192.168.1.90

      serial-no: FL-1KE3R16000119

      fazuid: 1239922567

      hostname: FAZ1000E

      conn-st: up

      up/down-time: 11h38m10.455s

      conn-msg: firmware version mismatch (v6.4.6-build2363 210531 (GA))

      cfgsync-st: down

      data-init-sync-st: done, 11h37m49.396s

    4. Once FAZ-2 is in data-sync with FAZ-1, an administrator can trigger HA-failover using the CLI to switch FAZ-2 to the Primary role.
      1. In the FortiAnalyzer CLI, enter the command diagnose ha failover to make FAZ-2 the Primary.

        FAZ1000E-1 # diagnose ha failover

      2. Use the command diagnose ha status to confirm the role of FAZ-2 as the new Primary.

        FAZ1000E-2 # diagnose ha status

        HA-Status: Primary

        up-time: 11h38m12.811s

        config-sync: Allow

        serial-no: FL-1KE3R16000432

        fazuid: 2626920937

        hostname: FAZ1000E-2

        HA-Secondary HA1000e@192.168.1.90 FL-1KE3R16000419

        ip: 192.168.1.90

        serial-no: FL-1KE3R16000119

        fazuid: 1239922567

        hostname: FAZ1000E

        conn-st: up

        up/down-time: 11h38m10.455s

        conn-msg: firmware version mismatch (v6.4.6-build2363 210531 (GA))

        cfgsync-st: down

        data-init-sync-st: done, 11h37m49.396s

    5. Now is the time for the administrator to try out the new image on FAZ-2.
      As part of the graceful upgrade, logs can still be forwarded from a higher version (7.0.0) to a lower version (6.4.5) without issue, and incidents are synched from the higher version (7.0.0) to the Secondary running a lower version (6.4.5).
      During this time you should avoid any configuration changes, as they will not be synchronized between versions.
    6. Check the upgrade guide checklist to confirm the new Primary is working as expected.
      After a few hours or a day, FAZ-1 can be upgraded to the new firmware version (7.0.0). After FAZ-1 is upgraded, FAZ-2 will continue to operate as the Primary. You can failover again to return FAZ-1 to operating as the Primary, or keep FAZ-2 as the new Primary.
    Previous
    Next

    FortiAnalyzer HA graceful upgrade

    FortiAnalyzer HA graceful upgrade

    With this new feature, FortiAnalyzer HA supports graceful upgrading to avoid log loss, and also allow a trial period of the new image and support roll-back to the existing firmware if the new image has any issues.

    In the following example, FortiAnalyzer HA is being upgraded from version 6.4.5 to 7.0.0, and contains two members: FAZ-1 is the Primary and FAZ-2 is the Secondary.

    Note

    Graceful upgrade is only supported when upgrading from 6.4.5 and above to version 7.0.0 and later.

    Data conversion depends on each application using this framework to do the conversion between the different versions. In 7.0.0, only incident conversion is supported when syncing from a higher level version to lower level version.
    To update FortiAnalyzer HA gracefully:
    1. Upgrade FAZ-2, the Secondary unit, to the new version. In this example, FAZ-2 is upgraded from version 6.4.5 to 7.0.0.
    2. After FAZ-2 is up and running, check that there are no critical crashes and that the Primary can still forward logs to the Secondary. Event Alert and Incidents still can be received from 6.4.5 to 7.0.0.
      • To check that there are no critical crashes, use the following CLI command:

        diagnose debug crash read

      • To check that logs are being forwarded, use the following CLI command:

        diagnose test application logfwd 4

      • To create an example to check event alert synchronization, log in to FortiAnalyzer using the wrong password to generate a new local event log, and check on both FAZ-1 and FAZ-2 to confirm that the event alert can be found on both devices.
      • To create an example to check incident synchronization, create a new incident on FAZ-1, then check on FAZ-2 to see if it was correctly synced across devices.
    3. Since both devices are now running on different firmware versions, configuration synchronization is unavailable at this time. You can check this setting using the diagnose ha status command in the FortiAnalyzer CLI.
      In this example, the config sync status is down, and no configuration changes can be synced from the Primary to Secondary unit.

      diagnose ha status

      HA-Status: Primary

      up-time: 11h38m12.811s

      config-sync: Allow

      serial-no: FL-1KE3R16000432

      fazuid: 2626920937

      hostname: FAZ1000E-2

      HA-Secondary HA1000e@192.168.1.90 FL-1KE3R16000419

      ip: 192.168.1.90

      serial-no: FL-1KE3R16000119

      fazuid: 1239922567

      hostname: FAZ1000E

      conn-st: up

      up/down-time: 11h38m10.455s

      conn-msg: firmware version mismatch (v6.4.6-build2363 210531 (GA))

      cfgsync-st: down

      data-init-sync-st: done, 11h37m49.396s

    4. Once FAZ-2 is in data-sync with FAZ-1, an administrator can trigger HA-failover using the CLI to switch FAZ-2 to the Primary role.
      1. In the FortiAnalyzer CLI, enter the command diagnose ha failover to make FAZ-2 the Primary.

        FAZ1000E-1 # diagnose ha failover

      2. Use the command diagnose ha status to confirm the role of FAZ-2 as the new Primary.

        FAZ1000E-2 # diagnose ha status

        HA-Status: Primary

        up-time: 11h38m12.811s

        config-sync: Allow

        serial-no: FL-1KE3R16000432

        fazuid: 2626920937

        hostname: FAZ1000E-2

        HA-Secondary HA1000e@192.168.1.90 FL-1KE3R16000419

        ip: 192.168.1.90

        serial-no: FL-1KE3R16000119

        fazuid: 1239922567

        hostname: FAZ1000E

        conn-st: up

        up/down-time: 11h38m10.455s

        conn-msg: firmware version mismatch (v6.4.6-build2363 210531 (GA))

        cfgsync-st: down

        data-init-sync-st: done, 11h37m49.396s

    5. Now is the time for the administrator to try out the new image on FAZ-2.
      As part of the graceful upgrade, logs can still be forwarded from a higher version (7.0.0) to a lower version (6.4.5) without issue, and incidents are synched from the higher version (7.0.0) to the Secondary running a lower version (6.4.5).
      During this time you should avoid any configuration changes, as they will not be synchronized between versions.
    6. Check the upgrade guide checklist to confirm the new Primary is working as expected.
      After a few hours or a day, FAZ-1 can be upgraded to the new firmware version (7.0.0). After FAZ-1 is upgraded, FAZ-2 will continue to operate as the Primary. You can failover again to return FAZ-1 to operating as the Primary, or keep FAZ-2 as the new Primary.
    Previous
    Next