FortiGate-7000E Administration Guide

HA cluster firmware upgrades

All of the FIMs and FPMs in a FortiGate 7000E HA cluster run the same firmware image. You upgrade the firmware from the primary FIM in the primary FortiGate 7000E.

You can perform a graceful firmware upgrade of an FGCP cluster by setting upgrade-mode to uninterruptible and enabling session-pickup. A graceful firmware upgrade only causes minimal traffic interruption. Use the following command to enable these settings; they are disabled by default. These settings are synchronized.

config system ha
    set upgrade-mode uninterruptible
    set session-pickup enable
end

When these settings are enabled, the primary FortiGate 7000E primary FIM uploads firmware to the secondary FortiGate 7000E primary FIM, which uploads the firmware to all of the modules in the secondary FortiGate 7000E. Then the modules in the secondary FortiGate 7000E upgrade their firmware, reboot, and resynchronize.

Then all traffic fails over to the secondary FortiGate 7000E which becomes the new primary FortiGate 7000E. Then the modules in the new secondary FortiGate 7000E upgrade their firmware and rejoin the cluster. Unless override is enabled, the new primary FortiGate 7000E continues to operate as the primary FortiGate 7000E.

Normally you would want to set upgrade-mode to uninterruptible to minimize traffic interruptions. But upgrade-mode does not have to be set to uninterruptible. In fact, if a traffic interruption is not going to cause any problems, you can set upgrade-mode to simultaneous so that the firmware upgrade process takes less time.

As well, some firmware upgrades may not support setting upgrade-mode to uninterruptible. Before running a firmware upgrade, review the release notes to verify that setting upgrade-mode to uninterruptible is supported for upgrading to that version.
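The following Python check is an added example, not Fortinet code: it reads a saved plain-text configuration and reports whether the HA settings described above are in place for a graceful upgrade, and whether override is enabled. The function names and the sample configuration (including its nested block, present only to exercise nesting) are constructed for illustration.

```python
# Added example: audit the "config system ha" block of a FortiOS config backup
# before a graceful HA firmware upgrade. SAMPLE_CONFIG is constructed.
SAMPLE_CONFIG = """\
config system global
    set hostname "fg7k-a"
end
config system ha
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt1"
        next
    end
    set session-pickup enable
    set override enable
end
"""

def ha_settings(config_text):
    """Return the top-level 'set' values of the 'config system ha' block."""
    settings, depth, in_ha = {}, 0, False
    for line in config_text.splitlines():
        words = line.split() or [""]
        if words[0] == "config":
            # Nested config blocks raise the depth so their 'end' is not mistaken for ours.
            in_ha = in_ha or (depth == 0 and words[1:] == ["system", "ha"])
            depth += 1
        elif words[0] == "end":
            depth -= 1
            in_ha = in_ha and depth > 0
        elif in_ha and depth == 1 and words[0] == "set" and len(words) >= 3:
            settings[words[1]] = " ".join(words[2:]).strip('"')
    return settings

def graceful_upgrade_findings(config_text):
    """List reasons this config is not set up for a graceful upgrade."""
    ha = ha_settings(config_text)
    findings = []
    # The page says both settings are disabled by default, so a missing line counts as unset.
    if ha.get("upgrade-mode") != "uninterruptible":
        findings.append("upgrade-mode is not uninterruptible")
    if ha.get("session-pickup") != "enable":
        findings.append("session-pickup is not enabled")
    if ha.get("override") == "enable":
        findings.append("override is enabled: the new primary may not stay primary")
    return findings

if __name__ == "__main__":
    print(graceful_upgrade_findings(SAMPLE_CONFIG))
```

An empty result means the configuration matches the graceful upgrade settings; it does not replace the health checking recommended in the note that follows.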

Note

To make sure a FortiGate 7000E firmware upgrade is successful, before starting the upgrade Fortinet recommends you use health checking to make sure the FIMs and FPMs are all synchronized and operating as expected.

If you are following a multi-step upgrade path, you should re-do health checking after each upgrade step to make sure all components are synchronized before the next step.

You should also perform a final round of health checking after the firmware upgrade process is complete.

For recommended health checking commands, see the following Fortinet community article:

Technical Tip: FortiGate-6000/7000 Chassis health check commands.
