Tips on Upgrading Fortigate in HA Cluster

By | June 26, 2024

Tips on HA upgrades

  • Follow the Upgrade Path. https://docs.fortinet.com/upgrade-tool/fortigate

  • Review the Release Notes and check the Known Issues section for anything that may affect your configuration.

  • Back up the full configuration using a local super_admin-level account.

  • Review the crash logs for any firewall issues, and generally look around to make sure the Fortigate is working well before upgrading (e.g. routing protocol status, VPN tunnels, CPU load).

  • Arrange physical/console access to the device: someone on site who can set up a remote connection (e.g. via TeamViewer or Teams).

  • Have a plan and time for rollback.

  • Have the necessary firmware at hand. Check that TFTP or the USB pendrive works.

  • Back up the configuration – both plain text and encrypted (only the encrypted configuration includes certificates).

  • After the update, check the configuration and that everything operates consistently. Someone on site should test the network (Wi-Fi and LAN) and check access to the individual resources that should be reachable from the given VLANs.

  • Be patient – the upgrade can take up to 30 minutes. To calm your nerves during the upgrade, connect to the device with a console cable and watch the status in the console.

  • Don’t worry about the HA failover time. Failover typically causes 4-5 seconds of downtime if everything goes smoothly. The downtime experienced by end customers can be longer depending on the topology. For example, BGP peer connections will be reset and will return to the established state only as fast as the configured BGP timers allow, so it can take 30 seconds or longer to bring BGP routes back online.
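One way to carry out the post-upgrade configuration check against the plain-text backup taken beforehand. This is an added example, not part of the original post: the names `parse_fortios` and `diff_configs` are hypothetical, the sample backups are constructed, and it assumes the usual `config`/`edit`/`set`/`next`/`end` layout of a plain-text FortiOS backup.

```python
import re

QUOTE = re.compile(r'(?<!\\)"')  # a double quote not escaped by a backslash

def parse_fortios(text):
    """Flatten a plain-text FortiOS backup into {"config .. / edit .. / name": value}."""
    settings, stack, pending = {}, [], None
    for raw in text.splitlines():
        if pending is not None:  # inside a quoted value that spans several lines
            pending[1].append(raw)
            if len(QUOTE.findall(raw)) % 2 == 1:  # odd count: the closing quote
                settings[pending[0]] = "\n".join(pending[1])
                pending = None
            continue
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or #config-version header
            continue
        word, _, rest = line.partition(" ")
        if word in ("config", "edit"):
            stack.append(line)
        elif word in ("next", "end") and stack:
            stack.pop()
        elif word == "set":
            name, _, value = rest.partition(" ")
            key = " / ".join(stack + [name])
            settings[key] = value
            if len(QUOTE.findall(value)) % 2 == 1:  # value continues on later lines
                pending = (key, [value])
    return settings

def diff_configs(before, after):
    """Setting paths removed, added or changed between two backups."""
    b, a = parse_fortios(before), parse_fortios(after)
    return {"removed": sorted(b.keys() - a.keys()),
            "added": sorted(a.keys() - b.keys()),
            "changed": sorted(k for k in b.keys() & a.keys() if b[k] != a[k])}

# Constructed sample backups (not from a real device): one value changes, one is dropped.
BEFORE = """#config-version=SAMPLE
config system global
    set admintimeout 30
end
config firewall policy
    edit 2
        set srcintf "guest"
    next
end
"""
AFTER = BEFORE.replace("admintimeout 30", "admintimeout 15").replace('        set srcintf "guest"\n', "")
print(diff_configs(BEFORE, AFTER))
```

Any path reported as removed or changed is a setting to confirm against the Release Notes before declaring the upgrade done.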
