The following is, if not common, a plausible scenario:
You have a FortiGate unit that you have upgraded from version 4.3.10 to 5.0.1. You want to make it part of an HA cluster, so you bring in a new unit of the exact same model and install a fresh copy of the exact same 5.0.1 build of the firmware. You try to join the new machine to the cluster and, instead of the hoped-for notification that everything went exactly as planned, you get a message similar to this:
HA cannot be formed because the internal ports of box-FG100D3G12801021 is in different mode with this box. In order to form HA, please make them in the same mode first.
In the 4.3 firmware the default name for the internal interface was “internal” and its type was set to “physical”. In version 5.0.1 or later this interface’s default name has been changed to “lan” and the device type is “hard-switch”. When you upgrade a unit, the settings follow through the upgrade, but when you do either a fresh install or a factory reset, the settings are set to the default values, which are going to be different from those of the unit that has been upgraded.
Solution:
The solution to this error is to change the configuration of one of the FortiGate units to match the other. Which unit to change to match the other is up to you. One thing that would make sense to consider is which is more likely to be added to the cluster in the future:
- A FortiGate that has been upgraded from 4.3 to a current version
- A FortiGate unit that has a fresh new install of the 5.0.1 or later version of the firmware on it
If the new install is more likely, it would make sense to reconfigure the upgraded unit so that you don’t have to remember to edit each new unit that joins the cluster later on.
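The mismatch described above can be caught before the join by comparing the interface tables of the two units' configuration backups. The following is an added example, not code from the original post or from Fortinet; the config excerpts are constructed sample data, the function names are hypothetical, and it assumes the backups state `set type` explicitly for each interface.

```python
import re

# Constructed excerpts in the style of FortiOS `config system interface`
# output; sample data for this example, not captured from real units.
UPGRADED = '''config system interface
    edit "wan1"
        set type physical
    next
    edit "internal"
        set type physical
    next
end'''
FRESH = '''config system interface
    edit "wan1"
        set type physical
    next
    edit "lan"
        set type hard-switch
    next
end'''

def interface_types(config_text):
    """Return {interface name: type} from the `config system interface` table."""
    types, depth, name = {}, -1, None      # depth -1: outside the table
    for line in map(str.strip, config_text.splitlines()):
        if depth < 0:
            if line == "config system interface":
                depth = 0
        elif line.startswith("config "):
            depth += 1                     # nested table inside an entry
        elif line == "end":
            depth -= 1                     # reaching -1 closes the table
        elif depth == 0 and (m := re.fullmatch(r'edit "?([^"]+)"?', line)):
            name = m.group(1)
            types[name] = None             # type not stated (yet)
        elif depth == 0 and name and line.startswith("set type "):
            types[name] = line.split()[2]
    return types

def ha_interface_mismatches(a_text, b_text):
    """Return (name, type on A, type on B) where the units differ; None = absent or unstated."""
    a, b = interface_types(a_text), interface_types(b_text)
    return [(n, a.get(n), b.get(n)) for n in sorted(a.keys() | b.keys())
            if a.get(n) != b.get(n)]

if __name__ == "__main__":
    for name, ta, tb in ha_interface_mismatches(UPGRADED, FRESH):
        print(f"{name}: upgraded={ta} fresh={tb}")
```

An empty result means the two interface tables agree on names and types; any entry listed is a candidate for the reconfiguration described above.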
The post Potential HA upgrade error due to changes in FortiOS appeared first on Fortinet Cookbook.