FortiGate
FTNT_FortiJan
Article Id 263944
Description This article describes how to modify interface settings on the FortiGate HA A-P cluster without downtime for production traffic, which makes it possible to increase interface speed or replace an SFP module with higher supported speed without disruption. Similarly, MTU size can be modified on the physical or LAG interface to support Jumbo Frames.
Scope FortiGate HA.
Solution
  1. Make sure the secondary unit is in sync with the primary unit and that all monitored interfaces on both cluster members show the 'up' state.

Screenshot: Cluster status before the change
  2. Disable config synchronization by executing the following command on both cluster members (starting with the primary unit). Verify that sync-config is disabled on both cluster members before moving on to the interface change steps.

    config system ha
    set sync-config disable
    end

Screenshot: Primary unit - sync-config disable

Screenshot: Secondary unit - sync-config disable
  3. Modify the required interface settings on the secondary unit (for example: speed, or MTU size to support jumbo frames).

Screenshot: Secondary unit - interface change
  4. Verify that the interface shows the 'up' state and that neither the Rx dropped nor the Rx errors counters are increasing. Only Rx bytes and Rx packets should increase. When LAG interface settings are modified (for example an MTU size change to support jumbo frames), also verify that LACP has re-negotiated on all member ports: each physical port restarts in order to apply the MTU inherited from the LAG interface. The LACP re-negotiation may take several seconds before the physical ports return to the collecting and distributing state.

Screenshot: Secondary unit - Interface stats
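The counter check in the step above can be scripted so that the before/after comparison is not done by eye. The following is an added example, not part of the original article and not Fortinet code: it parses two constructed snapshots of interface statistics (the "Key: value" layout and the field names Status, Rx_Packets, Rx_Bytes, Rx_Errors and Rx_Dropped are assumptions modelled on `get hardware nic <port>` output; real field names vary by model and driver) and reports a hard failure if the link is not up or if any error/drop counter grew, and a soft finding if no traffic counters moved.

```python
import re

# Constructed sample snapshots (assumption: "Key: value" lines in the style of
# `get hardware nic <port>`; field names on real hardware vary by model/driver).
BEFORE = """\
Name:        port5
Status:      up
Speed:       10000full
Rx_Packets:  1503920
Rx_Bytes:    1987001233
Rx_Errors:   0
Rx_Dropped:  12
"""

# Healthy case: only Rx_Packets / Rx_Bytes moved.
AFTER_GOOD = """\
Name:        port5
Status:      up
Speed:       10000full
Rx_Packets:  1504870
Rx_Bytes:    1988203311
Rx_Errors:   0
Rx_Dropped:  12
"""

# Failing case: error and drop counters increased after the change.
AFTER_BAD = """\
Name:        port5
Status:      up
Speed:       10000full
Rx_Packets:  1504870
Rx_Bytes:    1988203311
Rx_Errors:   37
Rx_Dropped:  250
"""

LINE_RE = re.compile(r"^(\w+):\s+(\S+)\s*$", re.MULTILINE)

# Counters that must stay flat after an interface change.
MUST_NOT_GROW = ("Rx_Errors", "Rx_Dropped")
# Counters that should move if production traffic is flowing over the link.
SHOULD_GROW = ("Rx_Packets", "Rx_Bytes")


def parse_nic(text):
    """Turn 'Key: value' lines into a dict; purely decimal values become ints."""
    fields = {}
    for key, value in LINE_RE.findall(text):
        fields[key] = int(value) if value.isdigit() else value
    return fields


def check_interface(before_text, after_text):
    """Compare two snapshots of one interface.

    Returns (ok, findings). ok is False only for hard failures: the link is
    not 'up', or an error/drop counter increased. A traffic counter that did
    not move is reported as a finding but does not fail the check on its own.
    """
    before, after = parse_nic(before_text), parse_nic(after_text)
    findings = []
    ok = True
    if after.get("Status") != "up":
        findings.append(f"link state is {after.get('Status')!r}, expected 'up'")
        ok = False
    for key in MUST_NOT_GROW:
        delta = after.get(key, 0) - before.get(key, 0)
        if delta > 0:
            findings.append(f"{key} increased by {delta}")
            ok = False
    for key in SHOULD_GROW:
        if after.get(key, 0) <= before.get(key, 0):
            findings.append(f"{key} did not increase (no traffic seen on the link?)")
    return ok, findings


if __name__ == "__main__":
    for label, snapshot in (("good", AFTER_GOOD), ("bad", AFTER_BAD)):
        ok, findings = check_interface(BEFORE, snapshot)
        print(f"{label}: {'OK' if ok else 'FAIL'} {findings}")
```

Take the first snapshot before the change and the second one a few seconds later, once traffic is again passing over the interface; for a LAG, run the check against each member port as well as the aggregate so that a single port that failed to re-negotiate LACP is not masked by the others.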
  5. Once the interface change on the secondary unit is completed and the interface is stable, fail traffic over from the current primary unit to the secondary unit and perform basic network connectivity testing.

Screenshot: FGT01HA changed role to Primary
  6. If no issues are present, proceed with the same interface change and verification on the former primary unit (which is now in the secondary role).

Screenshot: FGT01 in Secondary role - interface change

Screenshot: FGT01 in Secondary role - Interface stats
  7. Once the interface change on the former primary unit is completed and the interface status is 'up' without increasing Rx errors or drops, fail traffic over again to the former primary unit and perform network connectivity testing.

Screenshot: FGT01 in Primary role, FGT01HA in Secondary role
  8. Enable config synchronization on all cluster members and verify the final HA cluster status.

    NOTE: Always start with the secondary unit(s) and finish with the primary unit. After the change, verify the HA config-sync setting on each cluster member one by one to ensure it is enabled.

    config system ha
    set sync-config enable
    end

Screenshot: FGT01HA - enabled config-sync

Screenshot: FGT01 - enabled config-sync

Screenshot: FGT01 and FGT01HA - Final cluster status