sreddi
Staff
Article Id 196696

Description

 

This article describes the usage of the 'execute ha failover set' command to perform a forced failover on an HA primary unit.

The unit will stay in a failover state regardless of the conditions.
The only way to remove the failover status is by manually turning it off.
Note that this is only used for testing, troubleshooting, and demonstrations. Do not use it in a production environment.

For more suitable options to use, see Technical Tip: Different options to trigger an HA failover (FGCP).

 

Scope

 

FortiGate.

Solution

 

To set the failover flag:

 

Run this command on the Active unit:

 

execute ha failover set 1
Caution: This command will trigger an HA failover.
It is intended for testing purposes.
Do you want to continue? (y/n)y

 

To check the failover status:

 

execute ha failover status
failover status: set

 

To view the system status of a unit in forced HA failover:

 

get system ha status
HA Health Status: OK
Model: FortiGate-300D
Mode: HA A-P
Group: 240
Debug: 0
Cluster Uptime: 0 days 2:11:46
Cluster state change time: 2020-03-12 17:38:04
Master selected using:
    FGT3HD3914-----3 is selected as the master because it has EXE_FAIL_OVER flag set.
    FGT3HD3914-----9 is selected as the master because it has the largest value of override priority.
ses_pickup: disable
override: enable
Configuration Status:
    FGT3HD3914-----9(updated 4 seconds ago): in-sync
    FGT3HD3914-----3(updated 3 seconds ago): in-sync
System Usage stats:
    FGT3HD3914-----9(updated 4 seconds ago):
        sessions=5, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=30%
    FGT3HD3914-----3(updated 3 seconds ago):
        sessions=41, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=30%

 

To stop the failover status:

 

execute ha failover unset 1
Caution: This command may trigger an HA failover.
It is intended for testing purposes.
Do you want to continue? (y/n)y

 

To view the system status of a device after forced HA failover is disabled:

 

get system ha status
HA Health Status: OK
Model: FortiGate-300D
Mode: HA A-P
Group: 240
Debug: 0
Cluster Uptime: 0 days 2:14:55
Cluster state change time: 2020-03-12 17:42:17
Master selected using:
    FGT3HD3914-----9 is selected as the master because it has the largest value of override priority.
    FGT3HD3914-----3 is selected as the master because it has EXE_FAIL_OVER flag set.
    FGT3HD3914-----9 is selected as the master because it has the largest value of override priority.
ses_pickup: disable
override: enable
Configuration Status:
    FGT3HD3914-----9(updated 3 seconds ago): in-sync
    FGT3HD3914-----3(updated 2 seconds ago): in-sync
System Usage stats:
    FGT3HD3914-----9(updated 3 seconds ago):
        sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=30%
    FGT3HD3914-----3(updated 2 seconds ago):
        sessions=38, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=30%
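
A check for the condition this article warns about, a forced failover left set after testing, written as an added Python example (not Fortinet code and not part of the original article). It parses saved 'get system ha status' output and assumes the first entry under 'Master selected using:' is the most recent election, as the two outputs above suggest; the serial numbers in the samples are placeholders.

```python
import re

# Constructed samples modelled on the 'get system ha status' output shown in this
# article; FGT-UNIT-A / FGT-UNIT-B are placeholder serial numbers.
_HEAD = "HA Health Status: OK\nMode: HA A-P\nMaster selected using:\n"
_FLAG = "    FGT-UNIT-A is selected as the master because it has EXE_FAIL_OVER flag set.\n"
_PRIO = "    FGT-UNIT-B is selected as the master because it has the largest value of override priority.\n"
_TAIL = ("ses_pickup: disable\noverride: enable\nConfiguration Status:\n"
         "    FGT-UNIT-B(updated 4 seconds ago): in-sync\n"
         "    FGT-UNIT-A(updated 3 seconds ago): in-sync\n"
         "System Usage stats:\n    FGT-UNIT-B(updated 4 seconds ago):\n"
         "        sessions=5, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=30%\n")
SAMPLE_FORCED = _HEAD + _FLAG + _PRIO + _TAIL           # flag currently set
SAMPLE_CLEARED = _HEAD + _PRIO + _FLAG + _PRIO + _TAIL  # flag unset, still in history

EVENT_RE = re.compile(r"(\S+) is selected as the master because (.+?)\.?\s*$")
SYNC_RE = re.compile(r"^[ \t]*(\S+?)\(updated [^)]*\):[ \t]*(\S+)[ \t]*$", re.M)

def master_events(status_text):
    """Return [(serial, reason), ...] from 'Master selected using:', in listed order."""
    events, in_block = [], False
    for line in status_text.splitlines():
        if line.strip().startswith("Master selected using"):
            in_block = True
        elif in_block:
            m = EVENT_RE.search(line)
            if not m:
                break  # first non-event line closes the block
            events.append((m.group(1), m.group(2)))
    return events

def audit(status_text):
    """Summarise whether the forced-failover flag decided the current election."""
    events = master_events(status_text)
    forced = [("EXE_FAIL_OVER" in reason) for _, reason in events]
    return {
        # Assumption: the first listed entry is the most recent election, as the
        # article's before/after outputs suggest.
        "selected_unit": events[0][0] if events else None,
        "forced_now": bool(forced) and forced[0],
        "forced_in_history_only": any(forced[1:]) and not (forced and forced[0]),
        "not_in_sync": [s for s, state in SYNC_RE.findall(status_text) if state != "in-sync"],
    }

if __name__ == "__main__":
    for name, text in (("forced", SAMPLE_FORCED), ("cleared", SAMPLE_CLEARED)):
        print(name, audit(text))
```

Searching the whole output for EXE_FAIL_OVER would also match the historical entry that remains after 'execute ha failover unset 1', which is why only the first entry is treated as the current state.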

 

Note:

The unit will stay in a failover state (Backup) regardless of the conditions. However, if the new Active unit fails for any reason (such as a hardware failure or a reboot), the unit in the failover state (Backup) takes over traffic again as a standalone unit until that FortiGate rejoins the cluster.

Once that unit rejoins the cluster, it will take over the Active role again.

Caution: While this flag is set, do not add a factory-reset unit to the cluster, as doing so will wipe the configuration of the existing unit that has the flag set.

 

For example:

 

Consider an example with two FortiGates, FortiGate A and FortiGate B.

  • Currently, A is the Active (Primary) unit.
  • When the command 'execute ha failover set 1' is run on unit A, unit B becomes the Active (Primary) unit.
  • If B fails for any reason (such as a hardware failure or a reboot), A will take over the Active role. However, the moment B comes back online in the cluster, it will take over as the Active (Primary) unit.