FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gmanea
Staff
Article Id 192218

Description

 
This article explains how to disconnect a unit from an HA cluster without disrupting the operation of the cluster, using the 'Remove device from HA cluster' button in the GUI or 'execute ha disconnect' in the CLI. Both the CLI and GUI options are shown for v5.2 to v5.4 and v6.0 to v7.4.
This process will:
• Clear the IP configuration of every interface on the removed unit. (Collect this information before proceeding.)
• Set an IP address on one specified interface, for later management access to the removed unit.
• Set the HA mode of the removed unit to 'Standalone'.
 
This option is not recommended in cloud environments, where each node usually has its own distinct interface IP addresses; clearing them can leave the removed node unreachable.

 

Scope

 

FortiGate V5.2 to V5.4 and v6.0 to v7.4.


Solution

 
  1. Procedure for versions V5.6 to V7.4:
  • Log in to the primary (master) unit.
  • Go to System -> HA; the list of units in the cluster is displayed.
  • Select the unit to disconnect, and select the 'Remove device from HA cluster' button:

 

01.png

  • In the pop-up window, select the interface to be configured.
  • Configure the IP address and netmask.
The IP address must be reachable from the management network, because it is the only address left for managing the removed unit.
After the unit is disconnected, its HA mode is changed to standalone and all of its interface IP addresses are set to 0.0.0.0, except the interface configured here, which keeps the new address with all management access options enabled.
 
  • Select 'OK'. The cluster responds as if the disconnected unit has failed.


02.png

 
Use the following command to do this from the CLI:
 
execute ha disconnect FGT800Dxxxxxxxx internal 192.168.1.2 255.255.255.0
 
This command disconnects the FortiGate with serial number FGT800Dxxxxxxxx (a placeholder; use the serial number shown in the cluster member list) and configures its internal interface with IP address 192.168.1.2 and netmask 255.255.255.0.

 

The primary unit continues to provide service, while the removed unit can be managed through the configured IP address.

If the unit later needs to rejoin the cluster, consider the following:

 

  • Reboot the unit before re-enabling HA on it. This ensures its uptime is lower than that of the current primary unit, so it does not take over the primary role on joining.
  • Set its 'Device priority' to a value lower than that of the current primary unit.
  • Re-apply any custom HA settings that were present before, such as 'Management Interface Reservation'.

 

For example, if the active primary unit has priority 100, the rejoining unit must be set to a value lower than 100.
The device with the highest priority is more likely to become the HA primary, so a higher value on the rejoining unit risks a failover.

 

04.png

After a few minutes, the cluster synchronizes its configuration to the rejoined unit, including all interface configurations, so the addresses cleared by the disconnect do not need to be re-entered by hand.
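The disconnect and rejoin steps above are easy to get wrong in two places: forgetting to record the interface addresses that 'execute ha disconnect' resets to 0.0.0.0, and handing the removed unit a management address that cannot be reached. The following helper is an added example, not Fortinet code and not from the original article. It parses a saved copy of 'show system interface' output (the text below is a constructed sample, and the serial number is a placeholder), snapshots the addresses, sanity-checks the management address, builds the CLI line from the article, emits restore commands for the case where the unit stays standalone, and derives a rejoin priority lower than the primary's. The HA mode used in the rejoin commands ('a-p') is an assumption; check the cluster's actual mode with 'show system ha'.

```python
"""Added helper for the 'execute ha disconnect' workflow; example code, not Fortinet's.
The 'show system interface' text is a constructed sample; the serial is a placeholder."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of 'show system interface' output (not captured from a real unit).
SAMPLE_SHOW_INTERFACE = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
    edit "port2"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
        set type physical
    next
    edit "port3"
        set vdom "root"
        set type physical
    next
end
"""

EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"\s*$')
IP_RE = re.compile(r"^\s*set ip\s+(\S+)\s+(\S+)\s*$")

Addr = Optional[Tuple[str, str]]


def parse_interface_ips(show_output: str) -> Dict[str, Addr]:
    """Map every interface name to its (ip, netmask), or None if it has no address.
    This is the snapshot to take BEFORE the disconnect clears the addresses."""
    saved: Dict[str, Addr] = {}
    current = None
    for line in show_output.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            saved[current] = None
            continue
        if line.strip() == "next":
            current = None
            continue
        m = IP_RE.match(line)
        if m and current is not None and m.group(1) != "0.0.0.0":
            saved[current] = (m.group(1), m.group(2))
    return saved


def is_usable_mgmt_address(ip: str, netmask: str) -> bool:
    """Reject addresses that can never be reached: malformed masks, the network or
    broadcast address, loopback, multicast or 0.0.0.0. Real reachability from the
    management network still has to be verified separately."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    except ValueError:
        return False
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        return False
    return not (iface.ip.is_loopback or iface.ip.is_multicast or iface.ip.is_unspecified)


def disconnect_command(serial: str, interface: str, ip: str, netmask: str,
                       saved: Dict[str, Addr]) -> str:
    """Build the article's CLI line, refusing unknown interfaces and unusable addresses."""
    if interface not in saved:
        raise ValueError(f"interface {interface!r} is not present in the snapshot")
    if not is_usable_mgmt_address(ip, netmask):
        raise ValueError(f"{ip} {netmask} is not a usable management address")
    return f"execute ha disconnect {serial} {interface} {ip} {netmask}"


def restore_commands(saved: Dict[str, Addr], keep: str) -> List[str]:
    """CLI to put back the cleared addresses if the unit is to stay standalone.
    (If the unit rejoins the cluster, configuration sync restores them instead.)"""
    lines = ["config system interface"]
    for name, addr in saved.items():
        if addr is None or name == keep:
            continue
        lines += [f'    edit "{name}"', f"        set ip {addr[0]} {addr[1]}", "    next"]
    lines.append("end")
    return lines


def rejoin_priority(primary_priority: int) -> int:
    """Priority for the rejoining unit: strictly lower than the current primary's."""
    if primary_priority < 1:
        raise ValueError("the primary's priority leaves no lower value to assign")
    return primary_priority - 1


def rejoin_commands(primary_priority: int, mode: str = "a-p") -> List[str]:
    """HA settings to re-enable the cluster on the rejoining unit. 'mode' is an
    assumption (a-p vs a-a depends on the cluster); group name and password are
    assumed unchanged by the disconnect, so they are not set here."""
    return ["config system ha", f"    set mode {mode}",
            f"    set priority {rejoin_priority(primary_priority)}", "end"]


if __name__ == "__main__":
    snapshot = parse_interface_ips(SAMPLE_SHOW_INTERFACE)
    print(disconnect_command("FGT90D3Zxxxxxxxx", "port1", "192.168.1.99", "255.255.255.0", snapshot))
    print("\n".join(restore_commands(snapshot, keep="port1")))
    print("\n".join(rejoin_commands(100)))
```

Run it against the real 'show system interface' output of the unit about to be removed, and keep the snapshot with the change record: it is the only copy of the cleared addresses if the unit never rejoins the cluster. Reboot the unit before applying the rejoin commands, as the article notes, so that its uptime does not beat the primary's.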

 
  2. Procedure for versions V5.2 and V5.4:
  • Log in to the primary (master) unit.
  • Go to System -> HA; the list of units in the cluster is displayed. Any unit can be disconnected.
  • Select the unit to disconnect, and use the disconnect button:

 edgar_iconDisc.png

 

  • Select the interface to be configured.
  • Configure the IP address and netmask. After the unit is disconnected, its HA mode is changed to standalone and all of its interface IP addresses are set to 0.0.0.0, except the interface configured here, which keeps the new address with all management access options enabled.
  • Select 'OK'. The cluster responds as if the disconnected unit has failed.

edgar_cluster member.png
 
Use the following command to do this from the CLI:
 
execute ha disconnect FGT90D3Zxxxxxxxx internal 192.168.1.99 255.255.255.0
 
This command disconnects the FortiGate with serial number FGT90D3Zxxxxxxxx (a placeholder; use the serial number shown in the cluster member list) and configures its internal interface with IP address 192.168.1.99 and netmask 255.255.255.0.

 
