Restore a configuration backup on a FortiGate HA cluster

When restoring a configuration backup on a High Availability (HA) cluster, the process should be performed only on the primary unit. The configuration will then automatically synchronize with the secondary unit. This applies to both active-active and active-passive HA setups.

Steps:

  1. In the web GUI, open the dropdown menu at the top-right corner (where the admin account name is displayed) and select Configuration -> Restore.

Important Note:

Ensure that the backup is taken using a Super Admin account. If a backup is created with another admin profile, it may not contain the Super Admin account, potentially causing HA synchronization issues.

2. Select the Upload button and select the configuration backup to be restored.

3. Select OK to proceed, then OK again when the reboot warning is shown.

Important Considerations for Restoring Configuration on an HA Cluster

Reboot Behavior

When a configuration is restored to a High Availability (HA) cluster, all members reboot simultaneously once the reboot warning is confirmed. This is similar to restoring the configuration on multiple standalone FortiGate devices at once. If avoiding a full cluster reboot is necessary, refer to the Alternative Method section below.

After the reboot, the HA cluster will re-establish itself, and all units will have the restored configuration.

Restoring from a Secondary Unit

If the HA Reserved Management Interface is configured, the configuration can be restored through the GUI of a secondary unit. The process functions the same as restoring from the primary unit—causing all cluster members to reboot and apply the configuration.

Behavior Based on Cluster State

The outcome of a configuration restore depends on whether the member is isolated or part of the cluster at the time of restoration:

  • Restoring to a Cluster with Multiple Members:
    • Member-specific settings such as HA priority and hostname are ignored.
    • The backup does not need to be taken from the exact same member—each device applies only the relevant synchronized settings.
  • Restoring to an Isolated Member (Alternative Method):
    • The isolated unit applies the full configuration file, rather than only the synchronized sections.

For cases requiring individual configuration restoration without triggering a full HA reboot, consider using the alternative method.

Alternative Method for Restoring Configuration to an HA Cluster (Avoiding Full-Cluster Reboot)

If restoring the configuration without rebooting all HA cluster members is required, each FortiGate unit must be updated individually. This method ensures a safe restoration by fully isolating each unit before applying the configuration, preventing network disruptions or split-brain scenarios. However, on-site access is necessary to manually disconnect and reconnect cables.

Step-by-Step Process:

  1. Ensure Local Access to the FortiGate
    • The on-site technician must have a way to connect to the FortiGate while it is disconnected from the network.
    • A direct wired connection from a laptop to a management port or another interface is recommended for administrative access.
  2. Isolate the HA Secondary Unit from the Network
    • Disconnect all non-heartbeat network connections from the HA Secondary FortiGate to prevent it from unintentionally becoming the HA Primary.
  3. Disconnect HA Heartbeat Interfaces
    • This step fully isolates the secondary unit from the HA cluster and the network.
  4. Restore Configuration to the Isolated Unit
    • The on-site technician should connect to the isolated FortiGate’s web GUI and follow the standard configuration restore steps.
    • The device will reboot as part of the restoration process.
  5. Review and Update Device-Specific Settings
    • Once the reboot completes, verify and adjust settings unique to each device, including:
      • Hostnames
      • HA priority and override settings
      • HA reserved management interfaces and addresses
    • Repeat this process for each HA Secondary unit before moving on to the HA Primary.
  6. Swapping the Restored Unit into the Network
    • To replace the current HA Primary:
      • Disconnect the data cables from the existing HA Primary one at a time.
      • Simultaneously connect each cable to the previously isolated and now-restored FortiGate.
      • This will cause a brief disruption, but it will be significantly shorter than a full cluster reboot.
    • Keep the heartbeat interfaces disconnected between the HA Primary and the restored unit during this process.
  7. Restore Configuration to the Former HA Primary
    • With the old HA Primary now isolated, follow the same steps to restore its configuration.
  8. Reconnect HA Heartbeat Interfaces and Finalize the Cluster
    • Once all units have been restored, reconnect the heartbeat cables to allow the HA cluster to re-form.
    • Restore all data connections, completing the process.
  9. Verify the Configuration Restore
    • After restoring the configuration, confirm that all settings have been correctly applied.
    • To troubleshoot any configuration errors, run the following command:
      diagnose debug config-error-log read

This command helps identify and resolve any potential issues in the configuration.
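
Step 5 of the alternative method (reviewing device-specific settings after a full-file restore on an isolated member) can be checked against a backup taken from that same member before the restore. The script below is an added example, not Fortinet tooling or part of the original article: it flattens two FortiOS backup files and reports the hostname, HA priority/override and reserved management values that the restored file changed. The sample configurations and all function names are constructed for illustration, and the reserved management address is assumed to be the `ip` of the interface named under `ha-mgmt-interfaces`.

```python
# Settings step 5 lists as unique to each member. The reserved management
# address is assumed to be the "ip" of the interface named in ha-mgmt-interfaces.
MEMBER_SPECIFIC = (("system global", "hostname"), ("system ha", "priority"),
                   ("system ha", "override"), ("system ha", "ha-mgmt-interfaces"))

def odd_quotes(s):                    # True when s opens or closes a quoted value
    return (s.count('"') - s.count('\\"')) % 2 == 1

def parse_fortios(text):
    """Flatten a FortiOS backup into {(config block, ..., key): value}."""
    settings, stack, in_quote = {}, [], False
    for raw in text.splitlines():
        if in_quote:                  # body of a multi-line value (certificate, message)
            in_quote = not odd_quotes(raw)
            continue
        word, _, rest = raw.strip().partition(" ")
        if word in ("config", "edit"):
            stack.append(rest.strip().strip('"'))
        elif word in ("end", "next") and stack:
            stack.pop()
        elif word == "set":
            key, _, value = rest.partition(" ")
            settings[tuple(stack) + (key,)] = value.strip().strip('"')
            in_quote = odd_quotes(value)
    return settings

def member_specific(settings):
    mgmt = {v for p, v in settings.items()
            if p[:2] == ("system ha", "ha-mgmt-interfaces") and p[-1] == "interface"}
    keep = MEMBER_SPECIFIC + tuple(("system interface", n, "ip") for n in mgmt)
    return {p: v for p, v in settings.items() if any(p[:len(k)] == k for k in keep)}

def settings_to_fix(pre_restore, restored):
    """Map each differing path to (member's own value, value the restore applied)."""
    want = member_specific(parse_fortios(pre_restore))
    got = member_specific(parse_fortios(restored))
    return {p: (want.get(p), got.get(p))
            for p in sorted(set(want) | set(got)) if want.get(p) != got.get(p)}

def sample(host, prio, ip):           # constructed backup, not from a real device
    return (f'config system global\n    set hostname "{host}"\nend\n'
            f'config system interface\n    edit "mgmt"\n        set ip {ip} 255.255.255.0\n'
            f'    next\nend\nconfig system ha\n    set priority {prio}\n    config ha-mgmt-interfaces\n'
            f'        edit 1\n            set interface "mgmt"\n        next\n    end\nend\n')

if __name__ == "__main__":
    old, new = sample("FGT-B", 100, "10.0.0.12"), sample("FGT-A", 200, "10.0.0.11")
    for path, (own, applied) in settings_to_fix(old, new).items():
        print(" / ".join(path), ":", applied, "->", own)
```

Each reported line is a setting to change back on the isolated member before its heartbeat and data cables are reconnected.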