Fortigate HA upgrade with VDOM partitioning

stranger_83
2018/12/04 04:30:13

Hello!
 
Does anyone have experience with upgrading two Fortigates in HA Active/Passive mode with VDOM partitioning, when there are two or more vclusters and, despite Active/Passive mode on the hardware firewalls, some VDOMs are active on one firewall and some are active on the other? So, in fact, it's working as Active-Active. Such a topology is called "virtual clustering with two VDOMs and VDOM partitioning".
 
I'm thinking of a procedure with uninterruptible-upgrade, but my concern is how the Fortigate cluster will behave in this case.
 
For an Active/Passive deployment, uninterruptible-upgrade first occurs on the subordinate unit; however, in my case it will be active for some VDOMs. Will the cluster correctly perform failover of all VDOMs to the primary node prior to starting the upgrade of the subordinate node, and vice versa when the subordinate unit is upgraded and started?
 
Thank you
 
 
#1
lobstercreed
Re: Fortigate HA upgrade with VDOM partitioning 2018/12/04 08:40:14
I don't have experience with that, but I'll be curious to know what you find out.  Here's how I would expect it to work:
 
The subordinate FG on the root VDOM will be upgraded first, causing any VDOMs that were primary on it to fail over to the root VDOM's primary FG. (You could probably force them to fail over via CLI beforehand if you were concerned about when that would happen.) Once the root VDOM's subordinate FG finishes upgrading, the root VDOM's primary FG will upgrade and all VDOMs will fail over to the root VDOM's subordinate FG.
 
As long as you have validated your HA configuration, there should just be two tiny outages as the HA fails back and forth.  This is basically the same as it would work with one VDOM.  I'm curious if you find that it works differently.
 
Thanks - Daniel Hamilton
#2
SgtMalicious
Re: Fortigate HA upgrade with VDOM partitioning 2018/12/04 10:19:32
This is how I run a pair of Fortigates and I've upgraded them a few times in the past several years. As I recall, the secondary unit will migrate its active VDOMs over to your primary unit before upgrading, and then all of the VDOMs will get migrated to your secondary unit while the primary is upgrading. Once everything is upgraded, the VDOMs that typically run on your primary unit will migrate back to it. Just make sure you back up your configuration files from each unit in case things go sideways.
#3