Troubleshooting

To validate that your HA configuration is synchronized, run:

diagnose sys ha checksum show

The OCI components in FortiOS run in their own daemon, ocid, which has its own debug output. Enable it with:

diagnose debug application ocid -99

To list the diagnose commands available for ocid, run:

diagnose test application ocid -1

1. show HA stats

2. SDN api test

3. HA api test

4. filter list test

99. restart

You can verify that the following diagnose command works for the ocid daemon:

On FortiGate A:

diag test application ocid 1

ocid stats:

master: 1

On FortiGate B:

diag test application ocid 1

ocid stats:

master: 0
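
The role check above can be automated once the output from both nodes has been captured. This is an added example, not part of Fortinet's documentation: the function names and the sample captures are constructed, and it assumes a two-node pair in which exactly one node should report master: 1, as in the output shown above.

```python
import re

# Matches the "master: N" line in `diag test application ocid 1` output.
MASTER_RE = re.compile(r"^\s*master:\s*(\d+)\s*$", re.MULTILINE)

def parse_master(output):
    """Return 1 or 0 from captured ocid stats output, or None if absent."""
    if "ocid stats" not in output:
        return None
    m = MASTER_RE.search(output)
    if not m:
        return None
    value = int(m.group(1))
    return value if value in (0, 1) else None

def classify_pair(output_a, output_b):
    """Classify the HA role state reported by the two nodes."""
    a, b = parse_master(output_a), parse_master(output_b)
    if a is None or b is None:
        return "unknown"        # daemon not answering or capture truncated
    if a + b == 1:
        return "ok"             # exactly one node holds the master role
    if a + b == 2:
        return "dual-master"    # both nodes believe they are master
    return "no-master"          # neither node reports the master role

# Constructed sample captures, in the format shown above.
SAMPLE_A = "ocid stats:\n\nmaster: 1\n"
SAMPLE_B = "ocid stats:\n\nmaster: 0\n"

if __name__ == "__main__":
    print(classify_pair(SAMPLE_A, SAMPLE_B))
```

Any result other than "ok" is a reason to inspect the cluster before making further changes.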

The SDN api test is useful for checking whether your sdn-connector configuration can successfully authenticate and issue commands to OCI Management.

Running the HA api test in production environments is not recommended, because it may leave your cluster in a mixed state. Use it only to check whether the ocid daemon successfully sends failover commands to OCI Management.

If you have made any changes to your CLI configuration, restart the ocid daemon by running the following commands:

diag test application ocid 99

ocid start

By default, all configuration is synchronized between the firewalls. Because some settings, especially NAT, are node-specific, you may want to disable synchronization:

config system ha

set sync-config disable

end
