
Configure High Availability (HA)

HA (FGCP, the FortiGate Clustering Protocol) pairs two FortiGates so one takes over if the other fails. Two modes:

  • Active-Passive (AP) — one unit (the primary) handles all traffic; the other (the secondary) receives the synced config and session table and waits. With default heartbeat timers a dead peer is detected in roughly 1-2 seconds.
  • Active-Active (AA) — both units process traffic. The primary still owns the virtual MACs and hands a share of sessions to the secondary; by default only sessions that need proxy inspection are load-balanced. More complex to troubleshoot; reserved for deployments that need the extra inspection throughput.

Most installs use Active-Passive.

Before You Start

  • Two identical FortiGate models on exactly the same firmware build (major, minor and patch).
  • A dedicated heartbeat link between them: a direct cable, or a dedicated VLAN if it must cross a switch. Two heartbeat links give redundancy; never share a heartbeat port with data traffic.
  • Both units cabled to the same LAN/WAN networks (the same physical ports going to the same switches), because the interface configuration is synced as-is from the primary.
  • An HA license is NOT required by Fortinet for basic HA; it's built in (unlike some competitors).
  • Plan a Cluster Group ID (0-255). The cluster's virtual MAC addresses are derived from it, so it must be unique among FortiGate clusters on the same Layer 2 segment; two clusters with the same ID fight over the same MACs.

Topology

       [WAN]
         |
      [Switch]
       /     \
 [FG-A]======[FG-B]    <-- heartbeat links (hb1 dedicated, hb2 backup)
       \     /
      [Switch]
         |
       [LAN]

Both FortiGates connect to the same switches. The active unit owns the virtual MAC; failover migrates the virtual MAC to the standby.

Steps

Configure FortiGate A first, then B.

On FortiGate A (primary)

  1. System → HA.
  2. Fill in:
    • Mode: Active-Passive.
    • Device Priority: 200 (higher = preferred primary). With override left disabled, HA uptime is compared before priority, so priority only decides when the two uptimes are within 5 minutes of each other.
    • Group Name: cluster-1. Same on both units.
    • Password: shared secret. Same on both.
    • Session pickup: Enable (so established sessions survive failover instead of being rebuilt by clients).
    • Monitor interfaces: pick the WAN + LAN interfaces. If a monitored interface loses link, the cluster fails over.
    • Heartbeat Interfaces: pick port3 and port4 (or whatever your dedicated heartbeat ports are).
    • Heartbeat Interface Priority: set per interface; higher = preferred. The highest-priority heartbeat interface with link carries the heartbeat; the others are standby.
  3. Apply.

On FortiGate B (standby)

  1. System → HA.
  2. Same as A, EXCEPT:
    • Device Priority: 100 (lower).
  3. Apply.

Verify cluster formation

get system ha status

Under Configuration Status both serial numbers should show in-sync, and the role lines should list FG-A as Primary and FG-B as Secondary (older firmware prints Master/Slave). The initial sync after the second unit joins can take a minute or two; an out-of-sync that clears by itself in that window is normal.

Once the cluster is up, the cluster's IP addresses belong to the primary, so the GUI/CLI you reach is the primary's, and the secondary carries a copy of the same config. Make changes on the primary only; anything changed on the secondary is overwritten by the next sync. To reach the secondary directly (for its own status output or logs), configure a reserved HA management interface (ha-mgmt-status plus config ha-mgmt-interfaces), which is the one interface setting that is not synced.

📸 Screenshot needed

System → HA → Cluster Members view showing both units green + primary/secondary roles.

CLI Equivalent

config system ha
    set group-name "cluster-1"
    set group-id 1                       # 0-255; determines the virtual MACs, so unique per cluster on the LAN
    set mode a-p
    set password ENC ...
    set hbdev "port3" 100 "port4" 50     # heartbeat ports; higher priority = preferred (port3 carries it, port4 is backup)
    set session-pickup enable
    set ha-mgmt-status enable            # also needs config ha-mgmt-interfaces with a reserved port and gateway
    set override disable                 # with override off, a recovered unit does not preempt the running primary
    set priority 200                     # on the standby: 100
    set monitor "wan1" "internal"        # link loss on either triggers failover
end
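The interaction between `set priority` and `set override disable` above is the part that surprises people: with override off, the unit that has been up longer keeps the primary role even if the other unit has the higher priority. The following is an added illustration of the FGCP election order, written for this page and not FortiOS code: connected monitored interfaces first, then HA uptime (only when the difference exceeds ha-uptime-diff-margin, 300 s by default), then device priority, then serial number; with override enabled, priority is compared before uptime. The member values and the `Member`/`elect_primary` names are constructed for the example.

```python
"""FGCP primary election rules, as an added illustration (not FortiOS code).

Order with override disabled: connected monitored interfaces, then HA uptime
(only when the difference exceeds ha-uptime-diff-margin, 300 s by default),
then device priority, then serial number. With override enabled, device
priority is compared before uptime. All member values below are constructed.
"""
from dataclasses import dataclass

UPTIME_DIFF_MARGIN = 300  # seconds, FortiOS default for ha-uptime-diff-margin


@dataclass
class Member:
    serial: str
    priority: int       # device priority (set priority)
    uptime: int         # HA uptime in seconds; 'diagnose sys ha reset-uptime' zeroes it
    monitored_up: int   # monitored interfaces (set monitor) that currently have link


def _by_uptime(a, b):
    """Older unit wins, but only if it is older by more than the margin."""
    if abs(a.uptime - b.uptime) <= UPTIME_DIFF_MARGIN:
        return None
    return a.uptime > b.uptime


def _by_priority(a, b):
    if a.priority == b.priority:
        return None
    return a.priority > b.priority


def beats(a, b, override=False):
    """True if member a would be preferred over member b as primary."""
    if a.monitored_up != b.monitored_up:          # 1. link state of monitored ports
        return a.monitored_up > b.monitored_up
    checks = (_by_priority, _by_uptime) if override else (_by_uptime, _by_priority)
    for check in checks:                          # 2./3. uptime and priority, order set by override
        result = check(a, b)
        if result is not None:
            return result
    return a.serial > b.serial                    # 4. tie-break: higher serial number wins


def elect_primary(members, override=False):
    """Run the pairwise comparison over all members and return the primary."""
    primary = members[0]
    for m in members[1:]:
        if beats(m, primary, override):
            primary = m
    return primary


if __name__ == "__main__":
    # Constructed scenario: A was primary, failed over to B a day ago, and has just come back.
    fgt_a = Member("FG60ETK1234567", priority=200, uptime=600, monitored_up=2)
    fgt_b = Member("FG60ETK7654321", priority=100, uptime=86400, monitored_up=2)
    print("override disable ->", elect_primary([fgt_a, fgt_b]).serial)                # B stays primary
    print("override enable  ->", elect_primary([fgt_a, fgt_b], override=True).serial)  # A preempts
```

The practical reading: with the page's `set override disable`, a failed primary that comes back stays secondary until the next failure, which is usually what you want (no second interruption). Enable override only if you need FG-A to always reclaim the role, and accept the extra failover when it reboots.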

Verify

get system ha status
# Look for:
#   Cluster Uptime: ...
#   Cluster state change time: ...
#   Configuration Status:
#       FG60ETK1234567(updated ... ago): in-sync     <- one line per member, both in-sync
#       FG60ETK7654321(updated ... ago): in-sync
#   Primary   : FG60ETK1234567, HA cluster index = 0  <- "this device" when run on A
#   Secondary : FG60ETK7654321, HA cluster index = 1
# Older firmware labels the roles Master/Slave instead of Primary/Secondary.

diagnose sys ha checksum cluster
# Every member's checksums (global and per-VDOM) should be identical; a differing
# line tells you which part of the config has not synced.

Test failover:

# On the current primary, zero its HA uptime. With override disabled the peer now
# has the larger age and takes over; the old primary stays secondary afterwards.
diagnose sys ha reset-uptime
# On firmware that has it, 'execute ha failover set 1' forces the same failover and
# 'execute ha failover unset 1' returns to normal election.
# Or unplug the primary's WAN cable (a monitored interface) and watch the standby
# take over within ~2 seconds. Run a continuous ping through the firewall from a
# client while you do it: expect a packet or two lost, not a stalled session.
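Checking the status output by eye is fine for one cluster; for the failover test above, or for a monitoring job, it helps to parse it. The following is an added example, not part of the original page and not Fortinet tooling: it reads `get system ha status` output collected from each member (over the reserved HA management interface), confirms every member is in-sync, confirms the expected unit is primary, and flags split-brain when the two outputs name different primaries. The sample outputs are built by `constructed_status`, a constructed approximation of the command's format; the exact wording varies between firmware releases (older ones print Master/Slave), so the role parser accepts both spellings, and the function names are this example's own.

```python
"""Check FGCP cluster health from 'get system ha status' output.

Added illustration, not FortiOS code. The sample outputs are constructed
approximations of the command's format, which varies between firmware
releases (older releases print Master/Slave); the parser accepts both.
"""
import re

SYNC_RE = re.compile(r"^\s*(\S+)\(updated [^)]*\):\s*(in-sync|out-of-sync)\s*$", re.M)
ROLE_RE = re.compile(r"^(Primary|Secondary|Master|Slave)\s*:\s*(.*)$", re.M)

FGT_A = "FG60ETK1234567"   # serials as used on this page
FGT_B = "FG60ETK7654321"


def constructed_status(primary, secondary, sync):
    """Build a constructed approximation of the command output for one member."""
    lines = [
        "HA Health Status: OK",
        "Mode: HA A-P",
        "Group: 1",
        "Cluster Uptime: 3 days 4:12:09",
        "ses_pickup: enable, ses_pickup_delay=disable",
        "override: disable",
        "Configuration Status:",
    ]
    lines += [f"    {serial}(updated 2 seconds ago): {state}" for serial, state in sync.items()]
    lines += [
        "HBDEV stats:",
        f"    {primary}(updated 2 seconds ago):",
        "        port3: physical/1000full, up, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0",
        f"Primary     : {primary}, HA cluster index = 0",
    ]
    if secondary:
        lines.append(f"Secondary   : {secondary}, HA cluster index = 1")
    return "\n".join(lines) + "\n"


def parse_ha_status(text):
    """Return the per-member sync state and which serials the role lines name."""
    sync = dict(SYNC_RE.findall(text))
    roles = {"primary": set(), "secondary": set()}
    for role, rest in ROLE_RE.findall(text):
        key = "primary" if role in ("Primary", "Master") else "secondary"
        roles[key].update(serial for serial in sync if serial in rest)
    return {"sync": sync, **roles}


def assess_cluster(outputs, expected_primary, expected_members=2):
    """outputs maps a label to the status text captured on that member.
    Returns (healthy, findings)."""
    findings = []
    primaries = set()
    for label, text in outputs.items():
        st = parse_ha_status(text)
        if len(st["sync"]) < expected_members:
            findings.append(f"{label}: only {len(st['sync'])} member(s) listed, cluster not formed")
        findings += [f"{label}: {s} is {state}" for s, state in st["sync"].items() if state != "in-sync"]
        if len(st["primary"]) != 1:
            findings.append(f"{label}: expected exactly one primary, saw {sorted(st['primary'])}")
        primaries |= st["primary"]
    if len(primaries) > 1:   # members disagree on the primary: heartbeat lost, not a clean failover
        findings.append(f"split-brain: members disagree on primary {sorted(primaries)}")
    elif primaries and expected_primary not in primaries:
        findings.append(f"unexpected primary {sorted(primaries)[0]}, wanted {expected_primary}")
    return (not findings, findings)


if __name__ == "__main__":
    healthy = constructed_status(FGT_A, FGT_B, {FGT_A: "in-sync", FGT_B: "in-sync"})
    print(assess_cluster({"FGT-A": healthy, "FGT-B": healthy}, FGT_A))
    lost_hb = {"FGT-A": constructed_status(FGT_A, None, {FGT_A: "in-sync"}),
               "FGT-B": constructed_status(FGT_B, None, {FGT_B: "in-sync"})}
    print(assess_cluster(lost_hb, FGT_A))
```

Feed it real captures by replacing the constructed strings with the text you pull from each member; after the failover test, pass the peer's serial as `expected_primary` to confirm the role actually moved. Collecting the output from both members rather than only the primary is what makes the split-brain check possible.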

Common Issues

  • Cluster won't form. Mismatched firmware (must be identical, patch level included), mismatched group name / password / group ID, or no heartbeat connectivity. Check link on the heartbeat ports, and if the heartbeat crosses a switch, that both ends sit in the same VLAN.
  • "Out of sync." Run diagnose sys ha checksum cluster on the primary: each member's checksums should match, and the differing line shows which part of the config has not synced. Typical causes are a firmware upgrade in progress or a config change that failed to apply on the secondary. Force a resync from the secondary with execute ha synchronize start (older firmware: execute ha synchronize all).
  • Split-brain after losing all heartbeat links. Each unit stops hearing the other, elects itself primary and claims the virtual MACs, so the switches see the same MAC on two ports and traffic flaps between units. Put the two heartbeat links on different physical paths: direct cables by preference, and if one must cross a switch, a dedicated VLAN that carries no data traffic. When the heartbeat returns the cluster re-elects a single primary and the other unit's sessions are dropped.
  • Virtual MAC not moving at the gateway or switch. On failover the new primary sends gratuitous ARPs (set gratuitous-arps enable, tuned with set arps and set arps-interval under config system ha), which is usually enough to update neighbours. If a switch still forwards to the old port, wait for its MAC aging timer (typically ~5 min), clear its MAC table, or run arping from a host on that segment.
  • Failover takes too long. Peer-dead detection is hb-interval (units of 100 ms, default 2) × hb-lost-threshold (default 6), about 1.2 s by default; lower values fail over faster but false-trigger on a busy or lossy heartbeat link. Monitored-interface failover fires immediately on link loss. If traffic still stalls after the role moves, look at upstream LAG/STP convergence and MAC learning rather than at the HA timers.