If you are installing or upgrading firmware to a high availability (HA) group, install firmware on the secondary unit/units before installing firmware on the primary unit.
Similar to upgrading the firmware of a standalone FortiMail unit, normal email processing is temporarily interrupted while firmware is being installed on the primary unit, but, if the HA group is active-passive, it is not interrupted while firmware is being installed on secondary units.
Installing firmware on an active-passive HA group does not necessarily trigger a failover. Before a firmware installation, the primary unit signals the secondary unit that a firmware upgrade is taking place. This causes the HA daemon operating on the secondary unit to pause its monitoring of the primary unit for a short time. When the firmware installation is complete, the primary unit signals the secondary unit to resume HA heartbeat monitoring. If the secondary unit has not received this signal after a few minutes, the secondary unit resumes HA heartbeat monitoring anyway, and, if the primary unit has failed during the firmware installation, the HA group fails over to the secondary unit, which becomes the new primary unit.
- Back up configuration on both the primary and secondary units by going to System > Maintenance > Configuration.
- Upgrade the firmware on the secondary unit according to the upgrade path specified in the release notes.
- Upgrade the firmware on the primary unit.
- Verify the traffic flow on the primary unit.
The reboot event of the secondary unit will be logged in the primary unit’s HA logs. For details, see Failover scenario 3: System reboot or reload of the secondary unit.
The primary unit will send a holdoff command to the secondary unit so that the secondary unit will not take over the primary role during the primary unit’s reboot. For details, see Failover scenario 2: System reboot or reload of the primary unit.
Optionally, you can manually force a failover to the secondary unit before upgrading the primary unit. But this will cause some unnecessary data synchronization. Therefore, it is recommended to upgrade the primary unit directly during your maintenance window.
- Back up configuration on each unit.
- Upgrade the firmware on the config-secondary unit one by one according to the upgrade path specified in the release notes.
- Lastly, upgrade the firmware on the config-primary unit.
- Verify the traffic flow on the cluster.