dkoprusak
Staff
Article Id 305154
Description This article describes the meaning of such an error and how to resolve it.
Scope FortiManager.
Solution

By current FortiManager design for a FortiGate HA cluster, if the configuration is not identical between the primary and secondary units (some configuration sections can be unique to each cluster member; for more details, see the related articles at the end), then after a FortiGate HA failover FortiManager will not push a configuration change to the new primary unit. This avoids installing the unique configuration of the former primary unit on the new primary unit of the cluster.

An example of such an error:

error -999 - invalid value - [line 9] > set hostname PrimaryUnit [HA configuration is not allowed to be changed in HA mode]

 

If this behavior is encountered, it is possible to fail the firewall cluster back so that the original unit returns to the primary role.

To avoid such issues, it is possible to enable the HA priority override setting so that, whenever the original primary firewall is available and suitable for the role, it is always the primary unit.
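The FortiOS CLI for the override setting described above, as an added example that is not part of the original article. The priority values 200 and 100 are assumptions chosen for illustration, and the lines beginning with # are annotations, not commands.

```text
# On the unit that should hold the primary role whenever it is healthy
config system ha
    set override enable
    set priority 200
end

# On the other cluster member (lower priority, so it yields the primary role)
config system ha
    set override enable
    set priority 100
end

# Verify which unit is currently primary and the configured priorities
get system ha status
```

The override and priority settings are configured per unit and are not synchronized across the cluster, so they must be set on each member. With override enabled, the return of the higher-priority unit triggers another failover, so expect a brief renegotiation when it rejoins.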

 

Related articles:

Technical Tip: HA FortiGate configurations that will sync and will not sync.

Technical Tip: FortiGate HA Primary unit selection process when override is disabled vs enabled.