Firewall cluster configuration sync problem-fortinet-FortiOS

Vendor: fortinet

OS: FortiOS

Description:
The FGCP normally uses a combination of incremental and periodic synchronization to make sure that the configuration of all cluster units is synchronized. This means that in most cases you only have to make a configuration change once to have it synchronized to all cluster units. Indeni will alert if a problem with the configuration sync status has been identified.

Remediation Steps:

  1. Log in via SSH to the Fortinet firewall and run the FortiOS command “diagnose sys ha checksum cluster”. The command output lists the configuration checksums of all cluster members. If all cluster units have identical checksums, their configurations are synchronized.
  2. One solution to this problem could be to re-calculate the checksums. The re-calculated checksums should match and the out-of-sync error messages should stop appearing. You can use the following command to re-calculate HA checksums: “diagnose sys ha checksum recalculate [<vdom-name> | global]”. Entering the command without options recalculates all checksums. You can specify a VDOM name to recalculate only the checksums for that VDOM, or enter global to recalculate only the global checksum.
  3. Verify that configuration sync has not been manually disabled. The relevant configuration is found under “config system ha”; check the value of the “set sync-config” setting.
  4. Detailed information and steps to determine which part of the configuration is causing the problem can be found here: https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_failoverSyncConfig.htm#HA out
  5. Contact Fortinet Technical Support at https://support.fortinet.com/ for further assistance.
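The comparison in step 1 is easy to do by eye for two members, but with several VDOMs it is worth automating. The following is an added example (not code from this Indeni page and not Fortinet's own tooling) that parses the text of “diagnose sys ha checksum cluster” and reports which checksum zones differ between members. The sample output is constructed for the example: the serial numbers and hex values are invented, and the layout (a member header line, then a debugzone section and a checksum section, each with global/VDOM/all lines) is an assumption about the command's format based on how FortiOS prints it.

```python
"""Parse the output of `diagnose sys ha checksum cluster` and decide whether
every cluster member carries identical configuration checksums.

Added example; the sample output is constructed and the layout is assumed.
"""
import re
from collections import defaultdict

# Constructed sample: two members; the "root" VDOM and "all" checksums differ
# on the second member, so the cluster is out of sync.
SAMPLE_OUTPUT = """\
================== FGT-CONSTRUCTED-0001 ==================

is_manage_master()=1, is_root_master()=1

debugzone
global: 1a 2b 3c 4d 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09
root: aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99
all: 0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f0

checksum
global: 1a 2b 3c 4d 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09
root: aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99
all: 0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f0

================== FGT-CONSTRUCTED-0002 ==================

is_manage_master()=0, is_root_master()=0

debugzone
global: 1a 2b 3c 4d 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09
root: aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 9a
all: 0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f1

checksum
global: 1a 2b 3c 4d 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09
root: aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 9a
all: 0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f1
"""

# "=== <serial> ===" header that starts each member's block (assumed layout)
MEMBER_RE = re.compile(r"^=+\s*(\S+)\s*=+\s*$")
# "<zone>: <hex bytes>" line inside a debugzone or checksum section
CHECKSUM_RE = re.compile(r"^(\S+):\s*((?:[0-9a-fA-F]{2}\s*)+)$")


def parse_checksums(output):
    """Return {serial: {section: {zone: hexstring}}}.

    `section` is "debugzone" or "checksum"; `zone` is "global", a VDOM name
    such as "root", or "all".
    """
    members = {}
    serial = section = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMBER_RE.match(line)
        if m:
            serial = m.group(1)
            members[serial] = {}
            section = None
            continue
        if serial and line in ("debugzone", "checksum"):
            section = line
            members[serial][section] = {}
            continue
        m = CHECKSUM_RE.match(line)
        if m and serial and section:
            zone, hexbytes = m.group(1), m.group(2)
            members[serial][section][zone] = "".join(hexbytes.split()).lower()
    return members


def find_mismatches(members, section="checksum"):
    """Return {zone: {serial: hexstring}} for every zone whose value is not
    identical on all members (a zone missing on some member also counts).
    An empty dict means the cluster is in sync for that section."""
    by_zone = defaultdict(dict)
    for serial, sections in members.items():
        for zone, value in sections.get(section, {}).items():
            by_zone[zone][serial] = value
    return {
        zone: values
        for zone, values in by_zone.items()
        if len(set(values.values())) > 1 or len(values) != len(members)
    }


def cluster_in_sync(output, section="checksum"):
    """True when every member reports the same checksum for every zone."""
    return not find_mismatches(parse_checksums(output), section)


if __name__ == "__main__":
    members = parse_checksums(SAMPLE_OUTPUT)
    for zone, values in sorted(find_mismatches(members).items()):
        print(f"zone {zone!r} out of sync:")
        for serial, value in values.items():
            print(f"  {serial}: {value}")
    print("in sync" if cluster_in_sync(SAMPLE_OUTPUT) else "OUT OF SYNC")
```

Comparing per zone rather than per member tells you which VDOM (or the global section) to look at in step 4; the `debugzone` section can be checked the same way by passing `section="debugzone"`.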

How does this work?
The script runs the FortiOS command “diagnose sys ha checksum cluster” to retrieve checksum status information.

Why is this important?
When two or more FortiGate units are in an HA cluster they synchronize the configuration and act as a single unit, providing redundancy when one of the units fails. The debugzone for all of the units should match for the HA to work properly. More details can be found here: https://kb.fortinet.com/kb/documentLink.do?externalID=FD36176fortigate-high-availability-52/HA_operating.htm

Without Indeni how would you find this?
An administrator can run the FortiOS command “diagnose sys ha checksum cluster” via SSH connection to retrieve the same information.

fortios-diag-sys-checksum-cluster

name: fortios-diag-sys-checksum-cluster
description: FortiGate Cluster Checksum
type: monitoring
monitoring_interval: 10 minutes
requires:
    vendor: fortinet
    os.name: FortiOS
    product: firewall
    high-availability: true
comments:
    ha-cluster-checksum-status:
        why: |
            When two or more FortiGate units are in an HA cluster they synchronize the configuration and act as a single unit, providing redundancy when one of the units fails. The checksum for all of the units should match for the HA to work properly. More details can be found here: https://kb.fortinet.com/kb/documentLink.do?externalID=FD36176fortigate-high-availability-52/HA_operating.htm
        how: |
            The script runs the FortiOS command "diagnose sys ha checksum cluster" to retrieve checksum status information.
        can-with-snmp: false
        can-with-syslog: false
    ha-cluster-debugzone-status:
        why: |
            When two or more FortiGate units are in an HA cluster they synchronize the configuration and act as a single unit, providing redundancy when one of the units fails. The debugzone for all of the units should match for the HA to work properly. More details can be found here: https://kb.fortinet.com/kb/documentLink.do?externalID=FD36176fortigate-high-availability-52/HA_operating.htm
        how: |
            The script runs the FortiOS command "diagnose sys ha checksum cluster" to retrieve checksum status information.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: diagnose sys ha checksum cluster
    parse:
        type: AWK
        file: diag_sys_ha_checksum_status.parser.1.awk

FortinetHaClusterDebugzoneStatusRule

Rule source: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/fortinet/FortinetHaClusterDebugzoneStatusRule.scala