FortiGate
Article Id 196442
Description

Configuration changes made to an HA cluster can be lost if HA override is enabled.

Components
  • FortiOS v2.80
  • FortiOS v3.0
Using HA override

From the FortiOS CLI you can use the following command to enable or disable HA override:

config system ha
    set override {enable | disable}
end

In FortiOS v2.80 you can also enable or disable Override Master from the web-based manager.

Override is enabled by default for early FortiOS v3.0 maintenance releases.

In FortiOS v2.80, and in FortiOS v3.0 MR2 and later, override is disabled by default.

When override is enabled the cluster may renegotiate, and potentially select a new primary unit (master), every time a cluster unit leaves or joins the cluster, every time a cluster unit changes status within the cluster, and every time the HA configuration of a cluster unit changes. Enable override when you want cluster operation to be more dynamic: the cluster is then more likely to react immediately to an HA configuration change or to any other factor that could lead it to select a new primary unit.

The Problem

If override is enabled and you make configuration changes to a cluster these changes can be lost. For example, consider the following sequence:

  1. A cluster of two FortiGate units is operating with the following configuration:
    • FGT-A: Primary unit with HA device priority 200 and with override enabled.
    • FGT-B: Subordinate unit with HA device priority 100 and override disabled.
    • When both units are operating, FGT-A always becomes the primary unit because it has the higher device priority and override is enabled.
  2. FGT-A fails and FGT-B becomes the new primary unit.
  3. The administrator makes configuration changes to the cluster.
    • The configuration changes are made to FGT-B because FGT-B is operating as the primary unit. These configuration changes are not synchronized to FGT-A because FGT-A is not operating.
  4. FGT-A is restored and starts up again.
  5. The cluster renegotiates and FGT-A becomes the new primary unit.
  6. The cluster recognizes that the configurations of FGT-A and FGT-B are not the same.
  7. The configuration of FGT-A is synchronized to FGT-B.

The cluster is now operating with the same configuration as FGT-A. The configuration changes made to FGT-B have been lost.

The Solution

When override is enabled, you can prevent configuration changes from being lost by doing the following:

  • Verify that all cluster units are operating before making configuration changes (from the web-based manager go to System > Config > HA to view the cluster members list or from the FortiOS v3.0 CLI enter get system ha status).
  • Make sure the device priority of the primary unit is set higher than the device priorities of all other cluster units before making configuration changes. For example, you might want to keep all device priorities at the default setting and just raise the device priority of the primary unit before making configuration changes.
  • Disable override, either permanently or until all configuration changes have been made and synchronized to all cluster units.
Override and disconnecting a unit from a cluster

A similar scenario to the above may occur when you use the Disconnect from Cluster option from the web-based manager or the execute ha disconnect command from the CLI to disconnect a cluster unit from a cluster.

Configuration changes can be lost if and when you reconnect the disconnected unit to the cluster. You should make sure that the device priority of the disconnected unit is lower than the device priority of the current primary unit and you should also make sure that override is disabled for the disconnected unit. Otherwise, when the disconnected unit joins the cluster, the cluster will renegotiate and the disconnected unit may become the primary unit. If this happens, the configuration of the disconnected unit is synchronized to all other cluster units and any configuration changes made since the unit was disconnected are lost.
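The following Python model is added here to make the sequence in "The Problem", the three precautions in "The Solution", and the disconnect case above concrete; it is not FortiOS code. It assumes a simplified election rule: the primary's configuration is copied to every running member whenever the cluster renegotiates, and device priority is compared ahead of unit age only when override is enabled (with override disabled the longer-running unit keeps the role, which is the FortiOS age check that this article relies on but does not spell out). The unit names, priorities, the tick counts and the "policy" setting are made up for the example.

```python
"""Toy model of FortiGate HA primary election and configuration sync.

Added example for this KB article, not FortiOS code. Assumption: with
override disabled the longer-running unit keeps the primary role (age
check); with override enabled, device priority is compared first.
"""
from dataclasses import dataclass, field


@dataclass
class Unit:
    name: str
    priority: int                 # HA device priority (never synchronized)
    override: bool                # 'set override enable' on this unit
    up: bool = True               # False while failed or disconnected
    age: int = 0                  # ticks spent as a running cluster member
    config: dict = field(default_factory=dict)


def elect_primary(units):
    """Pick the primary among running units: age beats priority unless some
    running unit has override enabled, in which case priority is compared
    first. The unit name stands in for the serial-number tie-break."""
    running = [u for u in units if u.up]
    if any(u.override for u in running):
        return max(running, key=lambda u: (u.priority, u.age, u.name))
    return max(running, key=lambda u: (u.age, u.priority, u.name))


class Cluster:
    def __init__(self, *units):
        self.units = list(units)
        self.primary = None
        self.renegotiate()

    def unit(self, name):
        return next(u for u in self.units if u.name == name)

    def renegotiate(self):
        """Elect a primary and push its configuration to all running members."""
        self.primary = elect_primary(self.units)
        for u in self.units:
            if u.up:
                u.config = dict(self.primary.config)

    def tick(self, n=1):
        for u in self.units:
            if u.up:
                u.age += n

    def configure(self, key, value):
        """An administrator change lands on the primary and is synchronized out."""
        self.primary.config[key] = value
        self.renegotiate()

    def leave(self, name):
        """The unit fails, or is removed with 'execute ha disconnect'."""
        self.unit(name).up = False
        self.renegotiate()

    def rejoin(self, name, priority=None, override=None):
        """The unit returns; its HA settings may have been changed while out."""
        u = self.unit(name)
        if priority is not None:
            u.priority = priority
        if override is not None:
            u.override = override
        u.up, u.age = True, 0
        self.renegotiate()


def run_scenario(override_on_a=True, wait_for_all_members=False,
                 raise_primary_priority=False, fix_rejoining_unit=False):
    """Steps 1-7 of 'The Problem', with each precaution as a switch.
    Returns (final primary, whether the change made while FGT-A was out
    survived on every running member). Values are made up for the example."""
    cluster = Cluster(Unit("FGT-A", 200, override_on_a), Unit("FGT-B", 100, False))
    cluster.tick(10)                       # step 1: both units have run for a while
    cluster.leave("FGT-A")                 # step 2: FGT-A fails (or is disconnected)
    if wait_for_all_members:               # precaution: change config only when all are up
        cluster.rejoin("FGT-A")
    if raise_primary_priority:             # precaution: primary gets the highest priority
        cluster.primary.priority = 250
    cluster.configure("policy", "allow-dns")   # step 3: change lands on current primary
    cluster.tick(1)
    if not wait_for_all_members:           # steps 4-7: FGT-A comes back, cluster renegotiates
        if fix_rejoining_unit:             # disconnect case: lower priority, override off
            cluster.rejoin("FGT-A", priority=50, override=False)
        else:
            cluster.rejoin("FGT-A")
    survived = all(u.config.get("policy") == "allow-dns" for u in cluster.units if u.up)
    return cluster.primary.name, survived


if __name__ == "__main__":
    print("override on, no precautions:", run_scenario())             # ('FGT-A', False)
    print("override off:", run_scenario(override_on_a=False))           # ('FGT-B', True)
    print("all members up first:", run_scenario(wait_for_all_members=True))
    print("primary priority raised:", run_scenario(raise_primary_priority=True))
    print("disconnected unit fixed:", run_scenario(fix_rejoining_unit=True))
```

With override enabled on FGT-A and no precautions, FGT-A wins the renegotiation on return and its stale configuration overwrites the change made on FGT-B. Each of the three precautions, and lowering the priority and disabling override on a disconnected unit before reconnecting it, leaves FGT-B (or an already-restored FGT-A) as the primary when the change is made, so the change is what gets synchronized.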