system ha
Use these commands to show detailed information about high availability (HA) clusters such as the status and checksum of synchronized configuration settings and files.
You can also allow CLI access to secondary units. (Secondary units' configurations are normally kept synchronized with the primary.unit. CLI configuration changes on the secondary unit would cause the configurations to diverge, and therefore by default, are not allowed.)
Syntax
diagnose system ha cluster-status
diagnose system ha cluster-detail
diagnose system ha group-cluster-status
diagnose system ha failover
diagnose system ha restore
diagnose system ha sync
diagnose system ha sync-status
diagnose system ha showcsum [all]
diagnose system ha show-db-csum
diagnose system ha showcsum-detail-file
diagnose system ha showcsum-tab-file
diagnose system ha sync-gid-to-secondary <gid_int>
diagnose system ha show-sync-disable-cfg [all]
diagnose system ha unset-sync-disable-cfg
diagnose system ha allow-secondary-cli
|
Variable |
Description |
Default |
|
Allow CLI By default, most settings are kept in sync amongst the devices in FortiMail HA clusters. Secondary units therefore cannot be configured differently, and most CLI FortiMail (global) # set admin-lockout-duration 2 HA secondary can't set attribute admin-lockout-duration Command failed(-38). Error string: If you disable setting sync (see chattr) and want to change the setting on a secondary unit, then log into the secondary unit and enter this command first. To disallow CLI |
|
|
|
Display all fields for which an administrator has manually disabled HA synchronization. If you include the See also chattr. |
|
|
|
Display the HA synchronization checksum for global and protected domain settings. Normally, checksums should match on the primary and secondary if HA sync is successful (for exceptions, see chattr). If you include the |
|
|
|
Enter the GID of a setting to synchronize that specific setting. To get a list of GIDs, enter: |
|
|
|
Display a detailed list of each configuration, file, directory, and database and their HA synchronization statuses. This command is available only on FortiMail HA secondary units. |
|
|
|
Unset all fields to the default HA synchronization status. Caution:Enter this command on both the primary and secondaries. Otherwise their configurations will become out-of-sync. |
|
Example
These examples are on a FortiMail HA primary unit. Normally, when all FortiMail units in the cluster are in sync, the statuses should all be RUNNING/SYNCHRONISED, and the configuration checksums should match (both debugzone and checksum areas of the output). During troubleshooting, however, you can temporarily use chattr sync-disable commands to disable synchonization of individual settings. During that time, on all units, checksums for that part of the configuration temporarily do not match.
FortiMail # diagnose system ha cluster-status
System Time: 2025-05-29 11:37:03 EDT (Uptime: 5d 23h 9m) Cluster Status | Serial Number | Role | Status (HB/Sync) | Active | IP | Last Seen | |------------------+------------+------------------------+--------+------------------------+-----------------| | FEVM04TM00000001 | primary | RUNNING/RUNNING | YES | 172.20.140.226 | 05-29 11:37:03 | | HBS=[OOO.....] | NOTES='' | | RUNNING='' | | FEVM02TM00000002 | secondary | RUNNING/SYNCHRONISED | YES | 172.20.140.229 | 05-29 11:37:02 | | HBS=[OOO.....] | NOTES='' | | SYNCHRONISED='file@11:26:17, directory@11:26:27, domain@11:26:47' | | FEVM04TM00000003 | primary | RUNNING/RUNNING | YES | 172.20.140.46 | 05-29 11:36:59 | | HBS=[O.......] | NOTES='' | | RUNNING='' | | FEVM02TM00000004 | secondary | RUNNING/SYNCHRONISED | YES | 172.20.140.230 | 05-29 11:36:56 | | HBS=[OX......] | NOTES='' | | SYNCHRONISED='file@11:22:35, directory@11:22:41, domain@11:23:21' | |------------------+------------+------------------------+--------+------------------------+-----------------|
FortiMail # diagnose system ha cluster-detail
System Time: 2025-05-29 11:37:12 EDT (Uptime: 5d 23h 9m)
peer status
host-oid=1148 (serial-no=FEVM04TM00000001, ip=172.20.140.226, last-seen=2025-May-29 11:37:12)
state=RUNNING, effective-role=primary
pv={state=SYNCHRONISED;
config-time=;
data-time=;}
sv={state=RUNNING;
config-time=;
data-time=;}
vips={172.20.142.69,2607:f0b0:f:642:172:20:142:67}
metadata={hostname=70, domain=, version=v7.6.3, build792, last-reboot-time=2025-May-23 12:27:59, system-time=2025-May-29 11:37:12, cpu=0%, mem=76%, load=18, logdisk=1%, maildisk=1%}
host-oid=1149 (serial-no=FEVM02TM00000002, ip=172.20.140.229, last-seen=2025-May-29 11:37:11)
state=RUNNING, effective-role=secondary
pv={state=SYNCHRONISED;
config-time=file@now, directory@now;
data-time=;}
sv={state=SYNCHRONISED;
config-time=file@2025-May-29 11:26:17, directory@2025-May-29 11:26:27, domain@2025-May-29 11:26:47;
data-time=;}
vips={172.20.142.69,2607:f0b0:f:642:172:20:142:67}
metadata={hostname=229, domain=, version=v7.6.3, build792, last-reboot-time=2025-May-23 12:28:10, system-time=2025-May-29 11:37:11, cpu=0%, mem=47%, load=11, logdisk=1%, maildisk=1%}
host-oid=1150 (serial-no=FEVM04TM00000003, ip=172.20.140.46, last-seen=2025-May-29 11:36:59)
state=RUNNING, effective-role=primary
pv={state=SYNCHRONISED;
config-time=file@now;
data-time=;}
sv={state=RUNNING;
config-time=;
data-time=;}
vips={}
metadata={hostname=46, domain=, version=v7.6.3, build792, last-reboot-time=2025-May-23 12:43:45, system-time=2025-May-29 11:36:59, cpu=25%, mem=74%, load=17, logdisk=1%, maildisk=3%}
host-oid=1151 (serial-no=FEVM02TM00000004, ip=172.20.140.230, last-seen=2025-May-29 11:36:56)
state=RUNNING, effective-role=secondary
pv={state=SYNCHRONISED;
config-time=file@now, directory@now;
data-time=;}
sv={state=SYNCHRONISED;
config-time=file@2025-May-29 11:22:35, directory@2025-May-29 11:22:41, domain@2025-May-29 11:23:21;
data-time=;}
vips={}
metadata={hostname=230, domain=, version=v7.6.3, build792, last-reboot-time=2025-May-23 12:28:44, system-time=2025-May-29 11:36:57, cpu=0%, mem=48%, load=11, logdisk=4%, maildisk=3%}
active-devices
1146 active=1148:172.20.142.229
1146 erole=1
1146 effective-ip=172.20.142.229
1147 active=1150:172.20.140.46
1147 erole=2
1147 effective-ip=172.20.140.46
FortiMail # diagnose system ha group-cluster-status
System Time: 2025-05-29 11:37:27 EDT (Uptime: 5d 23h 9m) Overall Group Status Effective-Role=primary (we-are-controller=yes) Has-Quorum=yes (is perfect=yes) Effective-Primary-Group=group1 (group-oid=1146) Effective-Primary-Host=70 (host-oid=1148) Group Status | Name | Role | State | Key IP | Active Device | Last Seen | + Member Name | | HB/Sync | Serial Number | Effective IP | | |----------------+------------+-----------------------+---------------------+------------------------------+-----------------| | group1 | primary | RUNNING | 172.20.140.226 | 70@172.20.140.226 | 05-29 11:37:27 | | *70 | primary | RUNNING/RUNNING | FEVM04TM00000001 | 172.20.140.226 | 05-29 11:37:27 | | 229 | secondary | RUNNING/SYNCHRONISED | FEVM02TM00000002 | 172.20.140.229 | 05-29 11:37:26 | | group2 | secondary | RUNNING | 172.20.140.46 | 46@172.20.140.46 | 05-29 11:37:27 | | 46 | primary | RUNNING/RUNNING | FEVM04TM00000003 | 172.20.140.46 | 05-29 11:37:26 | | 230 | secondary | RUNNING/SYNCHRONISED | FEVM02TM00000004 | 172.20.140.230 | 05-29 11:37:23 | |----------------+------------+-----------------------+---------------------+------------------------------+-----------------|
FortiMail # diagnose system ha showcsum
System Time: 2025-05-29 11:37:44 EDT (Uptime: 5d 23h 9m) debugzone global: 0d 5d 4c 5b 01 b4 37 52 a8 08 41 59 7f 83 74 6b ... test.com: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 all: 61 09 6e ae d5 db 6b 61 41 9c b6 a6 7b e4 67 22 checksum global: 0d 5d 4c 5b 01 b4 37 52 a8 08 41 59 7f 83 74 6b ... test.com: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 all: 61 09 6e ae d5 db 6b 61 41 9c b6 a6 7b e4 67 22 70 # diag sys ha showcsum System Time: 2025-05-29 14:12:16 EDT (Uptime: 6d 1h 44m) debugzone global: 0d 5d 4c 5b 01 b4 37 52 a8 08 41 59 7f 83 74 6b ... test.com: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 all: 61 09 6e ae d5 db 6b 61 41 9c b6 a6 7b e4 67 22 checksum global: 0d 5d 4c 5b 01 b4 37 52 a8 08 41 59 7f 83 74 6b ... test.com: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 all: 61 09 6e ae d5 db 6b 61 41 9c b6 a6 7b e4 67 22
FortiMail # diagnose system ha showcsum all
System Time: 2025-05-29 14:12:23 EDT (Uptime: 6d 1h 44m) 2018: c9b4...f5 (private-data) ... 2280: e959...5c (setting) 2609: 0d5d...6b (web-service)
FortiMail # diagnose system ha show-db-csum
System Time: 2025-05-29 11:38:52 EDT (Uptime: 5d 23h 10m) ** HA database data backups checksum: audit_db_account_sync_accounts.dat 0 ... ** HA db snapshot checksum: fe_addressbooks 865a311d ...
FortiMail # diagnose system ha show-sync-disable-cfg
System Time: 2025-05-29 11:42:09 EDT (Uptime: 5d 23h 14m) List of admin modified HA sync-disable settings: system fortiguard.antivirus: override-server-address system fortiguard.antispam: server-override-status
FortiMail # config sys antivirus
FortiMail (antivirus) # chattr ?
sync-disable disable HA sync attribute
sync-display display HA sync attribute
sync-unset set HA sync attribute to default
FortiMail (antivirus) # chattr
Name HA Sync Status antivirus : sync override-server-address : sync-disable (modified)
FortiMail (antivirus) # chattr sync-display
Name HA Sync Status antivirus : sync override-server-address : sync-disable (modified) virus-db : sync-disable override-server-status : sync port : sync scheduled-update-frequency : sync scheduled-update-status : sync ...
FortiMail (antivirus) # chattr sync-disable override-server-status
FortiMail (antivirus) # chattr sync-display
Name HA Sync Status antivirus : sync override-server-address : sync-disable (modified) override-server-status : sync-disable (modified) virus-db : sync-disable port : sync scheduled-update-frequency : sync scheduled-update-status : sync ...
FortiMail (antivirus) # chattr sync-unset override-server-status
FortiMail (antivirus) # chattr sync-display
Name HA Sync Status antivirus : sync override-server-address : sync-disable (modified) virus-db : sync-disable override-server-status : sync port : sync scheduled-update-frequency : sync scheduled-update-status : sync ...
FortiMail (antivirus) # end
FortiMail # diagnose system ha show-sync-disable-cfg
System Time: 2025-05-29 12:03:18 EDT (Uptime: 5d 23h 35m) List of admin modified HA sync-disable settings: system fortiguard.antivirus: override-server-address
FortiMail # diagnose system ha show-sync-disable-cfg all
System Time: 2025-05-29 12:04:30 EDT (Uptime: 5d 23h 36m) List of all HA sync-disable settings: system encryption.private-data system certificate.ca system certificate.crl system certificate.local ...
FortiMail # diagnose system ha unset-sync-disable-cfg
System Time: 2025-05-29 12:09:31 EDT (Uptime: 5d 23h 41m) This operation will clear all manually set 'sync-disable' attributes! You may need to run on other HA members as well. Otherwise it would cause setting out of sync. Are you sure you want to continue? (y/n)y unset sync-disable for 'antivirus:override-server-address'