FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
matanaskovic
Staff
Article Id 197650

Description


This article describes how to upgrade a FortiAuthenticator cluster. On FortiAuthenticator firmware versions prior to 5.5.0, the process differs from FortiGate in that the units forming the cluster are not upgraded automatically: each unit must be upgraded independently. The master unit can be upgraded through HTTPS administrative access, either from the production network or from the HA cluster member IP address.
Starting from 5.5.0, the FortiAuthenticator HA A-P cluster can be upgraded automatically from the master unit. When upgrading, the user is given the option to upgrade the single unit or to upgrade the entire cluster. If the entire cluster is chosen for upgrade, the slave unit is upgraded first, then the cluster performs a failover and upgrades the master unit. Approximately 5 minutes after the successful boot of the secondary unit, the FortiAuthenticator cluster will check which unit has the highest priority and will switch back to the initial master.

The slave unit is reachable for HTTPS administration only via its HA cluster member IP. If the port used for HA communication is Port2, the Port2 subnet must be reachable from the FortiAuthenticator administrator's workstation in order to launch the upgrade process on the slave unit. It is recommended to connect the HA ports to a separate switch or a virtual switch so that administrative access can be obtained.

Scope


FortiAuthenticator HA A-P cluster

Solution


FortiAuthenticator prior to 5.5.0:

  1. Connect to the FortiAuthenticator Master unit and select the upgrade option on the dashboard.
  2. Select Browse to upload the new firmware image and then select OK.
  3. The following confirmation dialog will be displayed. Select OK.
  4. The following message indicates that the firmware is uploading.
  5. After a few seconds, the firmware upgrade will start.

From that point, the slave member will handle the production traffic while the master reboots to complete the upgrade process. Expect approximately 5 minutes before production network traffic returns to the old master unit.

To upgrade the slave HA member, connect to the device using the HA cluster member IP address as defined in the GUI menu below and repeat the previous steps to upgrade the firmware.

Wait 5 minutes until the slave finishes the upgrade process and the HA cluster rebuild is complete.

Connect to the Master unit and check the HA status dashboard widget to validate that the FortiAuthenticator HA cluster is operational.
 
 

FortiAuthenticator 5.5.0 and newer:

  1. Connect to the FortiAuthenticator Master unit and select the upgrade option on the dashboard.
  2. Select 'Choose File' to upload the new firmware image and then select OK.
  3. The following confirmation dialog will be displayed. Select OK.
  4. The following message indicates that the firmware is uploading.
  5. After a few seconds, the FortiAuthenticator will prompt a message to save a backup of the current configuration as a best practice. Then choose the HA upgrade type:
     • SELF: Perform upgrade of only this node’s firmware
     • BOTH: Perform a coordinated upgrade of both cluster members
     After selecting 'Start Upgrade', the process should complete automatically.
  6. After starting the upgrade, the slave node will be upgraded first.
  7. After upgrading the slave, the FortiAuthenticator HA cluster will perform a failover to the upgraded slave and will start upgrading the initial master node.
  8. A login screen for the FortiAuthenticator will be displayed when the upgrade is complete. After a few minutes, the cluster should be formed.

After approximately 5 minutes the FortiAuthenticator cluster will check which unit has the highest priority and will switch back to the initial master.
 
FortiAuthenticator 6.3.0 and newer:

  1. Connect to the FortiAuthenticator Master unit.
  2. Go to System -> Administration -> Firmware Upgrade. Select 'Upload a file' to upload the new firmware image and then select 'OK'.
  3. The following confirmation dialog will be displayed. Select 'OK'.
  4. The following message indicates that the firmware is uploading.
  5. After a few seconds, the FortiAuthenticator will prompt a message to save a backup of the current configuration as a best practice. Then choose the HA upgrade type:
     • Single: Perform an upgrade of only this node’s firmware.
     • Coordinated: Perform a coordinated upgrade of both cluster members.
     After selecting 'Start Upgrade', the process should complete automatically.
  6. After starting the upgrade, the slave node will be upgraded first.
  7. After upgrading the slave, the FortiAuthenticator HA cluster will perform a failover to the upgraded slave and will start upgrading the initial master node.

After approximately 5 minutes the FortiAuthenticator cluster will check which unit has the highest priority and will switch back to the initial master.
 
Tested with the latest firmware in the lab: 
 
FortiAuthenticator HA Active-Passive coordinated upgrade:
  • Upgrade FortiAuthenticator HA cluster from v6.5.3 to v6.6.0.
  • Upgrade flow is as described above.
 

At this point, the secondary node has finished the upgrade and is taking the primary role.
The primary node is now starting its upgrade.

 


 

Verify HA status:

 
