Fortinet black logo

Administration Guide

Upgrading firmware on HA units

Upgrading firmware on HA units

If you are installing or upgrading firmware to a high availability (HA) group, install firmware on the slave unit/units before installing firmware on the master unit.

Similar to upgrading the firmware of a standalone FortiMail unit, normal email processing is temporarily interrupted while firmware is being installed on the master unit, but, if the HA group is active-passive, it is not interrupted while firmware is being installed on slave units.

Installing firmware on an active-passive HA group does not necessarily trigger a failover. Before a firmware installation, the master unit signals the slave unit that a firmware upgrade is taking place. This causes the HA daemon operating on the slave unit to pause its monitoring of the master unit for a short time. When the firmware installation is complete, the master unit signals the slave unit to resume HA heartbeat monitoring. If the slave unit has not received this signal after a few minutes, the slave unit resumes HA heartbeat monitoring anyway, and, if the master unit has failed during the firmware installation, the HA group fails over to the slave unit, which becomes the new master unit.

To upgrade firmware on an active-passive HA pair
  1. Back up configuration on both the master and slave units by going to System > Maintenance > Configuration.
  2. Upgrade the firmware on the slave unit according to the upgrade path specified in the release notes.
  3. The reboot event of the slave unit will be logged in the master unit’s HA logs. For details, see Failover scenario 3: System reboot or reload of the secondary unit.

  4. Upgrade the firmware on the master unit.
  5. The master unit will send a holdoff command to the slave unit so that the slave unit will not take over the master role during the master unit’s reboot. For details, see Failover scenario 2: System reboot or reload of the primary unit.

    Optionally, you can manually force a failover to the slave unit before upgrading the master unit. But this will cause some unnecessary data synchronization. Therefore, it is recommended to upgrade the master unit directly during your maintenance window.

  6. Verify the traffic flow on the master unit.
To upgrade firmware on a config-only HA cluster
  1. Back up configuration on each unit.
  2. Upgrade the firmware on the config-slave unit one by one according to the upgrade path specified in the release notes.
  3. Lastly, upgrade the firmware on the config-master unit.
  4. Verify the traffic flow on the cluster.

Upgrading firmware on HA units

If you are installing or upgrading firmware to a high availability (HA) group, install firmware on the slave unit/units before installing firmware on the master unit.

Similar to upgrading the firmware of a standalone FortiMail unit, normal email processing is temporarily interrupted while firmware is being installed on the master unit, but, if the HA group is active-passive, it is not interrupted while firmware is being installed on slave units.

Installing firmware on an active-passive HA group does not necessarily trigger a failover. Before a firmware installation, the master unit signals the slave unit that a firmware upgrade is taking place. This causes the HA daemon operating on the slave unit to pause its monitoring of the master unit for a short time. When the firmware installation is complete, the master unit signals the slave unit to resume HA heartbeat monitoring. If the slave unit has not received this signal after a few minutes, the slave unit resumes HA heartbeat monitoring anyway, and, if the master unit has failed during the firmware installation, the HA group fails over to the slave unit, which becomes the new master unit.

To upgrade firmware on an active-passive HA pair
  1. Back up configuration on both the master and slave units by going to System > Maintenance > Configuration.
  2. Upgrade the firmware on the slave unit according to the upgrade path specified in the release notes.
  3. The reboot event of the slave unit will be logged in the master unit’s HA logs. For details, see Failover scenario 3: System reboot or reload of the secondary unit.

  4. Upgrade the firmware on the master unit.
  5. The master unit will send a holdoff command to the slave unit so that the slave unit will not take over the master role during the master unit’s reboot. For details, see Failover scenario 2: System reboot or reload of the primary unit.

    Optionally, you can manually force a failover to the slave unit before upgrading the master unit. But this will cause some unnecessary data synchronization. Therefore, it is recommended to upgrade the master unit directly during your maintenance window.

  6. Verify the traffic flow on the master unit.
To upgrade firmware on a config-only HA cluster
  1. Back up configuration on each unit.
  2. Upgrade the firmware on the config-slave unit one by one according to the upgrade path specified in the release notes.
  3. Lastly, upgrade the firmware on the config-master unit.
  4. Verify the traffic flow on the cluster.