Upgrading firmware on HA units
To ensure HA works properly, the primary unit and the secondary units must be running the same firmware build.
If you are installing or upgrading firmware on a high availability (HA) group, install firmware on the secondary unit or units before installing it on the primary unit.
As with a standalone FortiMail unit, normal email processing is temporarily interrupted while firmware is being installed on the primary unit. If the HA group is active-passive, email processing is not interrupted while firmware is being installed on secondary units.
Installing firmware on an active-passive HA group does not necessarily trigger a failover. Before a firmware installation, the primary unit signals the secondary unit that a firmware upgrade is taking place. This causes the HA daemon operating on the secondary unit to pause its monitoring of the primary unit for a short time. When the firmware installation is complete, the primary unit signals the secondary unit to resume HA heartbeat monitoring. If the secondary unit has not received this signal after a few minutes, it resumes HA heartbeat monitoring anyway. If the primary unit has failed during the firmware installation, the HA group then fails over to the secondary unit, which becomes the new primary unit.
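The pause-and-resume behavior described above can be modeled as a small simulation. This is an added example, not FortiMail code: the event names, the 180-second resume timeout (the page says only "a few minutes"), the 5-second heartbeat interval and the 15-second dead interval are all constructed assumptions.

```python
"""Toy model of the secondary unit's HA monitoring during a firmware upgrade.
Not FortiMail code: all names and timings below are constructed assumptions."""

RESUME_TIMEOUT = 180  # assumed; the page says only "a few minutes"
DEAD_AFTER = 15       # assumed seconds without a heartbeat before failover


def beats(start, stop, step=5):
    """Constructed heartbeat events from the primary, one every `step` seconds."""
    return [(t, "heartbeat") for t in range(start, stop + 1, step)]


def simulate(events, end):
    """Replay (second, kind) events; return (final role of secondary, failover time)."""
    by_time = {}
    for t, kind in events:
        by_time.setdefault(t, []).append(kind)
    paused_since = None  # None means heartbeat monitoring is active
    last_seen = 0
    for now in range(end + 1):
        for kind in by_time.get(now, []):
            if kind == "heartbeat":
                last_seen = now
            elif kind == "upgrade_start":
                paused_since = now            # primary announced an upgrade
            elif kind == "upgrade_done" and paused_since is not None:
                paused_since, last_seen = None, now   # told to resume
        if paused_since is not None:
            if now - paused_since < RESUME_TIMEOUT:
                continue                      # missed heartbeats are ignored
            paused_since, last_seen = None, now   # no signal: resume anyway
        if now - last_seen > DEAD_AFTER:
            return ("primary", now)           # secondary takes over
    return ("secondary", None)


# Constructed scenarios: the primary goes quiet at t=60 in all three.
clean = beats(0, 60) + [(60, "upgrade_start"), (200, "upgrade_done")] + beats(200, 400)
failed = beats(0, 60) + [(60, "upgrade_start")]   # primary never comes back
unannounced = beats(0, 60) + beats(200, 400)      # reboot with no pause signal

if __name__ == "__main__":
    for name, ev in [("clean", clean), ("failed", failed), ("unannounced", unannounced)]:
        print(name, simulate(ev, 400))
```

In this model the announced upgrade causes no failover, a primary that dies mid-upgrade is replaced only after the resume timeout plus the dead interval, and an unannounced reboot triggers a failover almost immediately.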
To minimize traffic interruption, it is good practice to force a failover from the primary unit to the secondary unit in active-passive HA before upgrading the firmware on the primary unit. However, when upgrading from FortiMail 7.2 and older releases to 7.4 releases, HA architecture changes mean that you can no longer force a failover from the primary unit to the secondary unit once you have upgraded the firmware on the secondary unit and started to upgrade it on the primary unit.
To upgrade firmware on an active-passive HA pair
- Back up the configuration on both the primary and secondary units by going to System > Maintenance > Configuration.
- Upgrade the firmware on the secondary unit according to the upgrade path specified in the release notes.
- Upgrade the firmware on the primary unit.
- Verify the traffic flow on the primary unit.
The reboot event of the secondary unit will be logged in the primary unit’s HA logs.
The primary unit will send a command to the secondary unit to wait for the reboot, so that the secondary unit will not take over the primary role during the primary unit’s reboot.
Optionally, you can manually force a failover to the secondary unit before upgrading the primary unit. However, this will cause some unnecessary data synchronization. Therefore, it is recommended to upgrade the primary unit directly during your maintenance window.
To upgrade firmware on an active-active HA cluster
- Back up the configuration on each unit.
- Upgrade the firmware on the secondary units one by one according to the upgrade path specified in the release notes.
- Lastly, upgrade the firmware on the primary unit.
- Verify the traffic flow on the cluster.