Frustrations of an All-In-One admin – Fortigate HA upgrade

So, a few days ago, I scheduled an upgrade of a Fortigate HA pair from 6.2.3 to 6.4.5.
The task was to be performed remotely, but the car was all fueled up, permission to access the premises in case of trouble was given, the maintenance window was long enough, and all the images I was going to need were downloaded to a local VM, including the 6.2.3 version in case I needed to roll back. And of course, a backup of the configuration was taken.
The HA pair was configured as Active-Passive and, according to the design, only one ping should be lost during the upgrade, but this is not true.

Frustration number one. After v6, all the upgrades have downtime. This is how an HA upgrade should work, and how it worked on version 5: the Secondary device is upgraded first and rebooted, and if all is ok, then the Primary device is upgraded and rebooted while the Secondary takes over. When the Primary is up again, it takes over and you may lose a ping or two, but that’s it.
I guess HA does not mean High Availability, at least during upgrades, because this is no longer the case. When the Primary unit is rebooted, the Secondary does not take over…. Anyway, as I had a long maintenance window, I did not care much, so I issued the command to upgrade to 6.4.2 (as instructed according to the official upgrade path) and waited the (3-4) x 2 minutes for the Master/Primary unit to boot up. When the unit booted up, the Secondary of the HA pair was no longer visible and the unit could not connect to the internet. Excellent… Hop in the car, drive to the location and connect with my trusted USB-to-Serial and blue Cisco console cable to the Secondary/Slave unit.

Frustration number two. config system ha and show ….. Nothing… ok, it lost the HA configuration… get system status: Current HA mode: STANDALONE. How nice! Two units with exactly the same IP configuration fighting over which one is better… Keep calm and copy-paste… I change the cable to the Primary unit, copy the HA configuration to a notepad, change the priority to something lower and paste it to the Secondary unit. Simple, right? Well…. No. The heartbeat interface was set to one of the management ports. set hbdev “MGMT2” throws me an error that it can’t be used as a heartbeat interface. Wait, what? I just copied the config from the Primary unit and it was accepted there…

Anyway, to cut the long story short, I changed the heartbeat interface to something else and the HA was recovered and the following upgrades went through without a hitch.

Conclusion. Do not use the MGMT interfaces for heartbeat if you are running version 6.4.
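As an added pre-upgrade check (my own example, not from the post or from Fortinet): parse the `show system ha` block and the `get system status` output from each unit and flag a heartbeat on a management port or a unit that has already dropped to standalone. Both sample outputs are constructed, and a default hbdev priority of 50 is assumed.

```python
import re
# Constructed sample of "show system ha" from the Primary unit; the values are
# made up, not the post's real configuration.
SAMPLE_HA_CONFIG = """\
config system ha
    set mode a-p
    set hbdev "MGMT2" 50 "port9" 100
end
"""

# Constructed sample of "get system status" from a Secondary unit that has
# silently dropped out of the cluster, as in the post.
SAMPLE_STATUS = """\
Version: FortiGate-VM64 v6.4.2,build0000 (GA)
Current HA mode: standalone
"""

def parse_hbdev(config_text):
    """Return [(interface, priority), ...] from the 'set hbdev' line.
    FortiOS lists heartbeat devices as '"name" priority' pairs; a name with
    no number after it gets 50, the default priority (assumption)."""
    m = re.search(r'^\s*set hbdev\s+(.*)$', config_text, re.MULTILINE)
    if not m:
        return []
    devices = []
    for name, prio in re.findall(r'"([^"]+)"|(\d+)', m.group(1)):
        if name:
            devices.append([name, 50])
        elif devices:
            devices[-1][1] = int(prio)
    return [tuple(d) for d in devices]

def ha_mode(status_text):
    """Return the 'Current HA mode' value in lower case, or None if absent."""
    m = re.search(r'^Current HA mode:\s*(.+)$', status_text, re.M | re.I)
    return m.group(1).strip().lower() if m else None

def preupgrade_findings(config_text, status_text):
    """Problems to fix before starting the HA upgrade; an empty list means go."""
    findings = []
    hbdevs = parse_hbdev(config_text)
    if not hbdevs:
        findings.append("no heartbeat interface configured")
    for name, _prio in hbdevs:
        if name.lower().startswith("mgmt"):
            findings.append(f"heartbeat on management port {name}; move it to a data port")
    mode = ha_mode(status_text)
    if mode is None or mode.startswith("standalone"):
        findings.append(f"unit is not in a cluster (HA mode: {mode})")
    return findings
```

Run it against the output of both units before touching the firmware; anything it returns is a reason to fix the configuration first.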

Questions to Fortinet.
1. Why is there no documentation (at least I did not find any) that the management interface cannot be used for heartbeat?
2. When you are upgrading the unit, why is there no check on the commands that do not work? Especially with HA, the conversion of the Secondary unit to Standalone is at least dangerous.
3. Why did the Primary unit accept the command?

Don’t get me wrong. I love the Forti* products. They are good value for money and I suggest them to friends and colleagues, but I ran into some issues that should not have passed their Quality Control.

Region 41 is back

After almost 20 years for me, a bit less for some others, Fidonet returns to Greece.

At the moment I am the sole participant but I am sure others will join soon as Nodes, Points etc.

What do you need to get back on?

First, a Mailer/Tosser/Editor. For the moment I am using D’Bridge 3.99 SR14, which you can download from http://www.net229.org/dbridge.htm

You will need a Win32 system (I am using a Win7 VM, but it can run on XP, Windows Server 2003 or 2008, as long as they are 32-bit).

I can help a bit with the configuration but I, by no means, am an expert so I expect that I will get some help too.

Other software exists, like fidoip for Linux and Windows: https://sourceforge.net/projects/fidoip/

BBBS: I would like to test this when I have time… https://www.bbbs.net/

Both D’Bridge and fidoip use BinkP as a protocol and BinkD as a mailer.

FrontDoor is still out there and under development (https://reboot.defsol.com/ & https://www.defsol.com) but is still not compatible with the BinkP protocol.

If you just want to be a point, you can buy (1 USD) Aftershock for Android. It sets up in 1 minute.

If you want to become a node, you will also need:

  1. A nodelist: http://many-glacier.dtdns.net/nodelist/
  2. A workstation or VM that runs the software and answers on an IP address or FQDN on port 24554 (BinkP)
  3. To be added to the nodelist

So… if you are interested, send me the details of your System and I will add you as a point or node.

Examples can be found in the nodelist, but here is a sample:

Region,41,Greece,GR,Petros_Argyrakis,-Unpublished-,300,CM,MO,XX,INA:pargyrak.dyndns.org,IBN
;
Host,410,Hellas_Net,GR,Petros_Argyrakis,-Unpublished-,300,CM,MO,XX,INA:pargyrak.dyndns.org,IBN
,9,VM/SP,Thessaloniki,Petros_Argyrakis,-Unpublished-,300,CM,MO,XX,INA:pargyrak.dyndns.org,IBN

Node_Number,Node_Name_FirstName_LastName,Phone_Number,Baud_rate,Flags

The flags are explained in the nodelist, but CM is for Continuous Mail, MO for Mail Only, XX for the Mailer version, IBN for the Binkley Protocol and INA for the FQDN.
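As an added example (my own code, not from the post or from any Fidonet software), a parser for nodelist lines like the sample above that derives each entry's net/node address and its BinkP host and port from the INA and IBN flags. The fourth sample line is constructed, and the IBN:host:port form is assumed from FTS-5001.

```python
# Constructed nodelist fragment in the format described above: the first three
# entries mirror the post's sample, the fourth is made up.
SAMPLE_NODELIST = """\
Region,41,Greece,GR,Petros_Argyrakis,-Unpublished-,300,CM,MO,XX,INA:pargyrak.dyndns.org,IBN
;
Host,410,Hellas_Net,GR,Petros_Argyrakis,-Unpublished-,300,CM,MO,XX,INA:pargyrak.dyndns.org,IBN
,9,VM/SP,Thessaloniki,Petros_Argyrakis,-Unpublished-,300,CM,MO,XX,INA:pargyrak.dyndns.org,IBN
,12,Test_Node,Athens,Some_Sysop,-Unpublished-,300,CM,XX,INA:example.invalid,IBN:24555
"""

BINKP_PORT = 24554  # default BinkP port, as given in the post
def binkp_endpoint(flags):
    """Host and port from INA/IBN flags; IBN may carry port, host or host:port
    (assumed FTS-5001 form) and a bare IBN means the default port."""
    host, port = None, BINKP_PORT
    for flag in flags:
        key, _, value = flag.partition(":")
        if key == "INA" and value:
            host = value
        elif key == "IBN" and value:
            ibn_host, _, ibn_port = value.rpartition(":")
            if ibn_port.isdigit():
                port, host = int(ibn_port), ibn_host or host
            else:
                host = value
    return host, port

def parse_nodelist(text):
    """Parse nodelist lines into entries with a net/node address. Zone, Region and
    Host lines become number/0 and set the current net; other keywords (blank,
    Hub, Pvt, Hold, Down) are nodes inside that net. ';' lines are comments."""
    entries, net = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(",")
        if len(fields) < 7:
            continue  # malformed: fewer than the seven fixed fields
        keyword, number, name, location, sysop = fields[:5]
        flags = fields[7:]
        if keyword in ("Zone", "Region", "Host"):
            net, node = int(number), 0
        else:
            node = int(number)
        entries.append({"address": f"{net}/{node}", "name": name,
                        "location": location, "sysop": sysop.replace("_", " "),
                        "flags": flags, "continuous_mail": "CM" in flags,
                        "binkp": binkp_endpoint(flags)})
    return entries
```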

Also send me your preferred password for session, areafix and filefix: 8 characters, capitals only.

Publishing photos

After trying many different plugins, I opted for Fotobook to get the albums from my Facebook and NextGEN Gallery for other albums.

FLAGallery, which is very impressive, uses Flash, which does not work on iOS devices and also does not work very well behind my firewall.