Administration Guide

Upgrading firmware on HA units

If you are installing or upgrading firmware on a high availability (HA) group, install firmware on the secondary unit or units before installing firmware on the primary unit.

As when upgrading the firmware of a standalone FortiMail unit, normal email processing is temporarily interrupted while firmware is being installed on the primary unit. If the HA group is active-passive, however, email processing is not interrupted while firmware is being installed on secondary units.

Installing firmware on an active-passive HA group does not necessarily trigger a failover. Before a firmware installation, the primary unit signals the secondary unit that a firmware upgrade is taking place. This causes the HA daemon operating on the secondary unit to pause its monitoring of the primary unit for a short time. When the firmware installation is complete, the primary unit signals the secondary unit to resume HA heartbeat monitoring. If the secondary unit has not received this signal after a few minutes, the secondary unit resumes HA heartbeat monitoring anyway, and, if the primary unit has failed during the firmware installation, the HA group fails over to the secondary unit, which becomes the new primary unit.
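A small model of the hold-off behaviour described above, added here as an illustration and not FortiMail code. The 180-second timeout (standing in for "a few minutes"), the rule that one missed heartbeat triggers failover, and all names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

HOLDOFF_TIMEOUT = 180  # seconds; assumed stand-in for the page's "a few minutes"


@dataclass
class SecondaryMonitor:
    """Toy model of the secondary unit's HA daemon (hypothetical, not vendor code)."""
    role: str = "secondary"
    monitoring: bool = True
    holdoff_started: Optional[int] = None

    def on_upgrade_signal(self, now):
        # Primary announces a firmware upgrade: pause heartbeat monitoring.
        self.monitoring = False
        self.holdoff_started = now

    def on_resume_signal(self):
        # Primary reports the installation is complete: resume monitoring.
        self.monitoring = True
        self.holdoff_started = None

    def tick(self, now, heartbeat_seen):
        # With no resume signal, monitoring resumes anyway after the timeout.
        if not self.monitoring and now - self.holdoff_started >= HOLDOFF_TIMEOUT:
            self.on_resume_signal()
        # Simplification: one missed heartbeat while monitoring means failover.
        if self.monitoring and not heartbeat_seen:
            self.role = "primary"
        return self.role


def simulate(down_from, up_at, resume_at=None, announce=True, end=400, step=10):
    """Return the secondary's final role after one primary upgrade.

    The primary sends no heartbeat in [down_from, up_at); up_at=None means it
    never comes back. resume_at is when the resume signal arrives, if ever.
    """
    sec = SecondaryMonitor()
    if announce:
        sec.on_upgrade_signal(now=0)
    for now in range(0, end, step):
        if resume_at is not None and now == resume_at:
            sec.on_resume_signal()
        alive = now < down_from or (up_at is not None and now >= up_at)
        sec.tick(now, heartbeat_seen=alive)
    return sec.role
```

The interesting cases are a lost resume signal with a healthy primary (no failover once monitoring resumes on its own) and a primary that never returns (failover only after the hold-off expires).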

To upgrade firmware on an active-passive HA pair
  1. Back up the configuration on both the primary and secondary units by going to System > Maintenance > Configuration.
  2. Upgrade the firmware on the secondary unit according to the upgrade path specified in the release notes.
  3. The reboot event of the secondary unit will be logged in the primary unit’s HA logs. For details, see Failover scenario 3: System reboot or reload of the secondary unit.

  4. Upgrade the firmware on the primary unit.
  5. The primary unit will send a holdoff command to the secondary unit so that the secondary unit will not take over the primary role during the primary unit’s reboot. For details, see Failover scenario 2: System reboot or reload of the primary unit.

    Optionally, you can manually force a failover to the secondary unit before upgrading the primary unit, but this causes some unnecessary data synchronization. It is therefore recommended to upgrade the primary unit directly during your maintenance window.

  6. Verify the traffic flow on the primary unit.

To upgrade firmware on a config-only HA cluster
  1. Back up the configuration on each unit.
  2. Upgrade the firmware on the config-secondary units one by one according to the upgrade path specified in the release notes.
  3. Lastly, upgrade the firmware on the config-primary unit.
  4. Verify the traffic flow on the cluster.
