Home > fortigate failover > Networking: Part 2: Fortigate Failover Configuration (High Availability Cluster)

Networking: Part 2: Fortigate Failover Configuration (High Availability Cluster)

This is part 2 of a complete failover configuration using Fortigate firewalls security appliances; part 1 being failover internet connections/routes by cost; part 3 is configuring a failover IPSec VPN on the “hub/server” Fortigate and on the “client” Fortigate.

To configure a Fortigate High Availability cluster perform the following steps:

  1. Backup known good config.
  2. Unhook all cables.
  3. Factory reset Slave firewall.
  4. Hook up laptop to the internal int on the Slave firewall.
  5. Config the HA cluster on the Slave.
    1. Set mode into Active-Passive
    2. Enter Group name (FGT_HA)
    3. Enter password (FGT_HA) [not required]
    4. Select Heartbeat interface (DMZ2)
    5. Set a device priority that’s lower than the master/superiors (eg: 100)
    6. Check Enable Session Pick-Up so that active sessions are taken over by the new primary unit. (is “resource intensive” according to the FortiOS Handbook).
  6. Hook up laptop to the internal int on the Master firewall.
  7. Restore known good config (you can restore a config to any firewall, it does not need to be the firewall with the same serial number).
  8. Configure the HA cluster on the Master.
    1. Set mode into Active-Passive.
    2. Enter Group name (FGT_HA)
    3. Enter password (FGT_HA) [not required]
    4. Select Heartbeat interface (DMZ2)
    5. Set a device priority that’s higher than the slave/subordinates (eg: 255)
    6. Optionally, Enable Session Pick-Up.
  9. Unplug power from the Slave firewall.
  10. Hook up a cross-over cable on the heartbeat interface.
  11. Hook up the remaining cables.
  12. Power on the Master firewall.
  13. Allow to boot completely.
  14. When Master firewall is booted, power on Slave firewall.
  15. If you console into the Slave firewall you will see a synchronization error to the count of five (0x3). Then the Slave firewall will reboot automatically. The Master’s config has been replicated to the Slave.
  16. After this you can check the checksums of the configs on both of the cluster members. The CLI commands to do this are:

    diagnose sys ha showcsum
    exe ha manage 1 <–or '0' to connect to slave

For more information, including CLI config options, check out the HA Overview, and the HA Guide docs from Fortinet.

  1. Tom
    August 21, 2012 at 6:46 pm


    this was very usefull! Thanks a lot.
    Just one question, when we turn down one of the internet connections (fiber), we fall on the second one (adsl), so this works fine, but when we bring back the fiber, it doesn’t automatically change back, we need to change to gateway manually on the workstations…
    Any tips or tricks on that one?

  2. August 22, 2012 at 10:04 am

    Hello Tom,

    Thanks very much for the compliment.

    “…change the gateway manually on the workstations” has me concerned that your entire network configuration isn’t proper:

    The two interfaces that you have connecting to your workstation subnet/LAN (one on each HA member, labeled INT in the above diagram) should not have two different IPs, but share a single virtual IP. This “virtual IP,” which is not named as such within the Fortigate, should be the primary gateway that you are assigning to your workstations (hopefully) via DHCP.

    Are you sure your architecture is correct? Feel free to use Gliffy to draw a quick diagram to post back here.

    Verifying this configuration is necessary before moving into the next problem you bring up: analyzing your configured route path weight.



  3. Mike
    April 20, 2013 at 5:10 am


    It’s a good topic.

    But i have a question, i need to add a new fortigate unit into my cluster (active-passive) because the passive node was broken.

    I would like to know if i need to set up the same ip adress on each interface like the master configuration or just plug the hearbeat interface with factory IP configuration to permit the synchronisation of configuration from master unit and after plug all interface when the passive node is member of cluster.

    Thanks for your point of vue.

    Best Regards,


    • April 20, 2013 at 11:13 am

      Thanks for the compliment. Just follow Step 5: making sure the two HA configs are the same, and make the slave a lower device priority than the master. After the slave boots, it will check the HA config, then eventually get the HA config from the HA member with the higher priority (use a serial console cable to watch what happens if you wish); it will then reboot and you should be all set. Both members will then be listed in the web UI as the two member HA pair.

  4. benny
    October 14, 2013 at 3:38 pm

    thank you very much !
    can you tell me the command if i want to make a fail over ?
    i have one active and one standby, i want to switch between them but with out restart

  5. February 7, 2014 at 9:22 am

    Is there something I am doing wrong when I try to set the master firewall to active passive and it continues to default to standalone.

    • February 7, 2014 at 9:30 am

      here is my firmware configuration from the status page
      HA Status Standalone [Configure]
      System Time Fri Feb 7 06:29:33 2014 [Change]
      Firmware Version v4.0,build0521,120313 (MR3 Patch 6) [Update] [Details]

  6. February 7, 2014 at 10:27 am

    Sorry, it looks like I removed my earlier post. But I am having issues with configuring HA between two 80c’s. When I set the Status to Active Passive and make the adjustments to the port to listen to heartbeats, it defaults to standalone. This has happened on both devices, and I am new to fortigate. Any help would be appreciated.

    • February 7, 2014 at 11:14 am

      Either would default to standalone if you didn’t configure one of the steps correctly. Crossover cable? Password? Weights? Name?

  7. February 7, 2014 at 11:15 am

    I think I figured it out. I had factory reset one of the devices and forgot to set the dhcp option to manual. I am doing this in a lab environment and I am new to Fortigate. Thanks for your help.

  8. February 17, 2014 at 7:52 am

    I am currently trying to check the failover between both devices, my question is what’s happening if we keep the same device priority using a active / passive mode?
    I tried it and it seems to keep one as Master.
    My aim is to avoid the failover when we get the connection back.

    Do you have some ideas about it?

    Thanks a lot

    • February 17, 2014 at 8:17 am


      exec ha manage 1
      system ha
      set override disable #this is a default
      exec ha manage 0 #you must set this on each cluster member
      system ha
      set override disable #this is a default

      Take a look at the CLI doc for more information.

      • February 20, 2014 at 4:29 am

        Thanks for your answer!
        I have just tried it, it works perfectly

  9. Juz
    September 16, 2014 at 3:08 pm

    Hi there where can I get part 1 and part 3 from they don’t come up in the search, or listed as older entries. Great blog btw

    • September 19, 2014 at 7:47 am

      Beleive it or not, I never wrote them. I would consider routing failover and VPN failover to be parts 1 and 3.

  10. Aldo López
    December 1, 2014 at 5:52 pm

    vmfortigate you tried?

  11. Kelvin
    January 6, 2015 at 9:36 am

    If let say we have pair of Fortinet with 2 VDOM and would like to turn on HA, how we can make VDOM-1 active in unit-1, and VDOM-2 active in unit-2? Thanks.

    • January 6, 2015 at 4:22 pm

      I’m pretty sure this isn’t possible, as I believe the HA functions at the system/kernel level, and will fail everything over… it sounds like a great question for Fortinet support.

  12. allan
    June 14, 2016 at 12:05 pm

    what is the command if I want to make failover ?

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: