High Availability with two FortiGates


In this recipe, a backup FortiGate unit is installed and connected to a previously installed FortiGate to provide redundancy if the primary FortiGate unit fails. This setup, called FortiGate High Availability (HA), improves network reliability.

Before you start, both FortiGates must be running the same FortiOS firmware version, and none of their interfaces should be configured to get addresses from DHCP or PPPoE.


1. Adding the backup FortiGate unit and configuring HA

If the FortiGates in the cluster will be running FortiOS Carrier, apply the FortiOS Carrier license before configuring the cluster (and before applying other licenses). Applying the FortiOS Carrier license sets the configuration to factory defaults, requiring you to repeat steps performed before applying the license.

Make sure both FortiGates are running the same FortiOS firmware version. Register and apply licenses to the new FortiGate unit before adding it to the cluster. This includes FortiCloud activation and FortiClient licensing, and entering a license key if you purchased more than 10 Virtual Domains (VDOMs). All FortiGates in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient and VDOMs.

You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed, third-party certificates are synchronized to the backup FortiGate.

FortiToken licenses can be added at any time because they are synchronized to all cluster members.


Connect your network as shown in the initial diagram, with Ethernet cables connecting the HA heartbeat interfaces of the two FortiGate units. If your FortiGate unit does not have dedicated HA heartbeat interfaces, you can use different interfaces, provided they are not used for any other function. The heartbeat link also carries configuration synchronization between the units, so keep it on dedicated, directly connected interfaces rather than on a shared production network.

A switch must be used between the FortiGates and Internet, and another is required between the FortiGates and the internal network, as shown in the network diagram for this recipe.

Connect to the primary FortiGate and go to System > Dashboard > Status and locate the System Information widget.

Change the unit’s Host Name to identify it as the primary FortiGate.


In the System Information widget, configure HA Status. Set the Mode to Active-Passive and set a Group Name and Password. The group name and password identify the cluster to its members, and both must match on the backup unit.

Take note of the Device Priority value, which will be used when configuring the backup FortiGate.

Ensure that the two Heartbeat Interfaces are selected and their priorities are both set to 50.


If there are other FortiOS clusters on your network, you may need to change the cluster group ID using this CLI command. The group ID is used to derive the cluster's virtual MAC addresses, so two clusters with the same group ID on the same layer-2 network would present duplicate MAC addresses.

config system ha
    set group-id 25
end

Connect to the backup FortiGate and go to System > Dashboard > Status.

Change the unit’s Host Name to identify it as the backup FortiGate.


Configure HA Status and set the Mode to Active-Passive.

Set the Device Priority to be lower than the primary FortiGate. Ensure that the Group Name and Password match those on the primary FortiGate.

Ensure that the two Heartbeat Interfaces are selected and their priorities are both set to 50.


Change the cluster group ID on the backup unit as well, if you changed it on the primary, using this CLI command. The group ID must match on both units or they will not form a cluster.

config system ha
    set group-id 25
end

Connect to the primary FortiGate and go to System > Config > HA to view the cluster information.

Select View HA Statistics for more information on how the cluster is operating and processing traffic.
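The GUI steps in this section, collected into the equivalent FortiOS CLI configuration for both units, as an added example that is not part of the original recipe. The hostnames, group name, password, heartbeat interface names ha1 and ha2, the monitored interfaces wan1 and port1, the device priorities and the group ID are assumptions chosen for illustration; lines starting with # are explanatory comments, not commands.

```fortios
# --- Primary FortiGate (assumed hostname "Primary") ---
config system global
    set hostname "Primary"
end
config system ha
    # group name and password identify the cluster; both must match on the backup
    set group-name "Example-HA"
    set password "S3cret-HA-Key"
    # Active-Passive mode
    set mode a-p
    # both heartbeat interfaces, each with heartbeat priority 50
    set hbdev "ha1" 50 "ha2" 50
    # device priority: higher than the backup unit
    set priority 200
    # only needed if another FGCP cluster shares the same layer-2 network
    set group-id 25
    # default: the original primary does not take back its role when it returns
    set override disable
    # optional port monitoring: a link failure on these ports triggers failover
    set monitor "wan1" "port1"
end

# --- Backup FortiGate (assumed hostname "Backup") ---
config system global
    set hostname "Backup"
end
config system ha
    set group-name "Example-HA"
    set password "S3cret-HA-Key"
    set mode a-p
    set hbdev "ha1" 50 "ha2" 50
    # device priority: lower than the primary unit
    set priority 100
    # must match the primary; it is not synchronized
    set group-id 25
    set override disable
end

# --- Verify from the primary once the cluster has formed ---
get system ha status
diagnose sys ha status
```

Once the backup has joined, `get system ha status` on the primary lists both serial numbers with their roles. If the units do not form a cluster, recheck that the group name, password and group ID match and that no interface on either unit is a DHCP or PPPoE client.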

2. Results

Traffic is now passing through the primary FortiGate. If the primary FortiGate becomes unavailable, traffic should fail over and the backup FortiGate will process traffic.

Because override is disabled by default, failover also causes the primary and backup FortiGates to reverse roles: the original primary does not take over again when it becomes available, and the unit that took over stays primary.

To test this, ping an address on the far side of the cluster (for example, a host on the Internet) from a PC on the internal network. After a moment, power off the primary FortiGate. You will see a momentary pause in the ping results until traffic diverts to the backup FortiGate, allowing the ping traffic to continue.

3. (Optional) Upgrading the firmware for the HA cluster

When a new version of the FortiOS firmware becomes available, upgrading the firmware on the primary FortiGate upgrades the backup FortiGate's firmware as well. By default the cluster upgrades the backup unit first, fails over to it, and then upgrades the original primary, so expect one brief failover during the upgrade.

Always review the Release Notes and Supported Upgrade Paths documentation before installing new firmware. These documents can be found at the Fortinet Document Library.

Go to System > Dashboard > Status and view the System Information widget.

Now that the FortiGates are in HA mode, their configuration is synchronized and the System Information widget displays information for both units.

Select Backup beside System Configuration. Always remember to back up your configuration before doing any firmware upgrades.

Go to System > Dashboard > Status and view the System Information widget.

Select Upgrade beside Firmware Version. Find the firmware image file that you downloaded and select OK to upload and install the firmware build.

The firmware will load onto both the primary FortiGate unit and the backup unit.

Go to System > Dashboard > Status and verify that the System Information widget shows the new firmware version.  
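The same upgrade performed from the CLI, as an added example that is not part of the original recipe. The TFTP server address 192.0.2.10 and the file names are assumptions; the commands are the standard FortiOS execute backup and execute restore forms, and lines starting with # are explanatory comments.

```fortios
# Back up the running configuration to a TFTP server first (assumed server and file name)
execute backup config tftp ha-before-upgrade.conf 192.0.2.10

# Keep the default uninterruptible upgrade: the backup unit is upgraded and rebooted
# first, the cluster fails over to it, and then the original primary is upgraded
config system ha
    set uninterruptible-upgrade enable
end

# Load the new image on the primary; the cluster applies it to the backup unit as well
# (assumed file name; use the image you downloaded for your model and upgrade path)
execute restore image tftp new-firmware.out 192.0.2.10

# After both units have rebooted, confirm the version and that both members are back
get system status
get system ha status
```

Run the backup with the cluster still healthy, since a configuration restored after a failed upgrade must match the firmware version it was taken from.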

For further reading, check out High Availability in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

If you have not already installed a FortiGate, see Installing a FortiGate in NAT/Route mode
If these steps don’t start HA mode, make sure that none of the FortiGate’s interfaces use DHCP or PPPoE addressing.
If you are using port monitoring, you can also unplug the primary FortiGate’s Internet-facing interface to test failover.
For information about accessing firmware images, see Verifying and updating the FortiGate unit’s firmware.
  • Jitendrab Sharma


    We have two firewalls, a 100D and a 200D, at the same location. Can I create HA between them?
    Note: the 100D has an active HA port while the 200D doesn't have an HA port.

    • bdickie

      Hello, for standard FortiOS FGCP HA, both FortiGates must be the same model. So you cannot setup FGCP HA between a 100D and a 200D. Current versions of FortiOS support VRRP which allows you to set up HA among groups of routers (including two FortiGates). I am not sure if this would be a good solution for you, but you can see the following link for more information about VRRP with FortiOS 5.4 (http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_VRRP.htm).

      • Jitendrab Sharma

        As the FortiGate 200D doesn't have an active HA port, is it possible to configure HA between them?
        If yes, can you provide a manual to configure HA between two FortiGate 200D models?

        • bdickie

          Yes you can configure HA between two FortiGate-200Ds. You can use any ports on the 200Ds for the HA heartbeat. Just make sure you select the same ports on both 200Ds and these ports should not be used for other traffic (they can be used for other traffic but that’s not recommended). Otherwise you can follow the steps of this recipe substituting the ports you select on the 200Ds for HA1 and HA2.

          Using the HA ports in this recipe just makes the configuration easier to explain and understand.

  • Jegan S


    We have two different datacentres located at different locations. We have fiber running between them to route the L2 traffic, and both data centers use the same IP address ranges.

    We are planning to deploy FortiGate devices at both data centers and form HA. Will it work if we route the sync traffic through the existing L2 path?

  • Felipe Palma

    Is it necessary for the two FortiGates to be configured in the same way
    beforehand? Policies? VPN? Interfaces?
    Best Regards!

    • bdickie

      The two FortiGates can have different configurations because once the cluster is established the Primary unit synchronizes its configuration to the backup (or secondary) unit. There is one restriction not mentioned in this recipe and it may or may not apply to you. Both FortiGates must have the same VDOMs (so if you are planning on using VDOMs you should set them up after configuring HA).

  • Sergey Gulyaev

    Is it possible to create an HA cluster if we have two nodes working in transparent mode?
    And how is synchronisation configured, as we don't have any IP addresses assigned?

    • bdickie

      Yes, HA is fully supported in Transparent mode. The HA heartbeat interfaces use link-local IPv4 (RFC 3927) addresses that cannot be configured in NAT or in Transparent mode. More information about heartbeat interface IP addresses here: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_failoverHeartbeat.htm (scroll down to the “HA heartbeat interface IP addresses” section. I am not sure this is helpful information as it doesn’t say anything specific about Transparent Mode.)

  • Paul Walth

    Hi all,
    Is an HA (A-P) upgrade non-disruptive?
    Actually I have 9 HA clusters (types 60D, 100D, 200D, 800C) and they are not all at the same firmware version, but at least 5.2.x.
    Thanks, Paul

  • Torsten

    How to do this in Azure? The FortiGate HA template doesn't fit our needs…
    Thanks and best regards

  • dave

    How does this work when you have a FortiSwitch and AP on the same network?

  • Trey Fortson

    Is it possible to switch to Active/Active from Active/Passive while it already has configured policies and interfaces?

    • bdickie

      Yes, normally you can switch between active-active and active-passive at any time without changing any other configuration settings or affecting traffic passing through the cluster.

  • Mrdoctor

    Hello, my question is this: to implement HA, must the two units necessarily be registered with the same user account? Or is it not necessary?


    • bdickie

      As far as I know this shouldn’t matter. You might want to check with support to confirm though.

  • Mrdoctor

    Hello, my question is this: to implement HA, must the two units necessarily be registered with the same user account? Or should the two devices be registered with the same registration account?

  • Mike Gill

    We are running a pair of 300Cs with firmware v5.0,build0318 (GA Patch 12), 5.0.12. We are starting to notice issues with the HA sync/session state sync when the firewalls are under heavy loads. We have had instances where we see the traffic hitting the external interface but the Fortinet is dropping the traffic “silently” before it hits the DMZ interface due to “anti-spoofing” being activated for up to 20 minutes at a time.

    98% of the time the connection works as it should, but several times a day we would have the customer notify us of timeouts happening. We put a Wireshark sniffer on a Cisco SPAN port where the external interface connects to the switch, ran a sniffer through the firewall on the external interface looking for the customer IP, then ran another sniffer through the firewall on the DMZ port. We would see the traffic hit the external interface but would get this message when the firewall was supposed to pass the traffic from the external interface to the DMZ interface (doing a trace on the customer IP):

    “func=ip_route_input_slow line=1277 msg=”reverse path check fail, drop””

    When researching that message it comes back to the FortiGate “anti-spoofing” being activated for whatever reason. So we shut off the primary 300C and promoted the secondary to primary. When we did that the issue went away…….

    Are there any considerations for HA sync under heavy loads, and what can be done to keep the “anti-spoofing” from being activated during those times?

  • Jordan L

    Do both FortiGates need the same level of FortiGuard? I would like our primary unit to have full IPS definitions; I don’t care if we fail over and the backup unit has out-of-date definitions. We are trying to implement Active-Passive failover at the lowest cost. I think the answer is they SHOULD have the same FortiGuard package, but my question is: will HA work with the primary having full FortiGuard and the backup having zero FortiGuard?

    • bdickie

      I haven’t tested this specifically, but it should work just fine. It’s possible you may see some out-of-sync messages, but the cluster will still operate no problem. You would need to enable override to make sure the fully licensed FortiGate continues to operate as the primary.

      • Jordan L

        Awesome, thanks. Where is the Override setting that you mentioned?

        • bdickie

          The Override setting is used and described briefly in the “expert” HA recipe. (It’s not all that expert really, it just requires using the CLI to enable override.) http://cookbook.fortinet.com/high-availability-with-fgcp/

          • bdickie

            I have since learned that the FortiGates in the cluster all have to have the same level of FortiGuard licensing. Otherwise, both FortiGates will revert to the lowest level of FortiGuard licensing. So in this example the cluster will operate but with no FortiGuard.

  • Ibrahim Lubis


    Your firewall is in HA mode, but a single switch is the point of failure. My question is how to connect/configure two firewalls (HA) to two switches/core switches? I can do it with stacking/chassis technology to make two physical switches look like 1 switch, but stacking technology is a single control plane, which means if I upgrade the switch I must reboot the two switches. There is another technology, M-LAG/MC-LAG; it provides active-active links and survives upgrades because it has a separate control plane, but the switches are not a ‘single logical switch’. What’s your advice about firewall HA to two switches?


  • Haytham Gaber

    We have two FG-200Ds in HA. We currently have dual ISPs. In this case should we use one switch connecting the two lines, or do I have to use two separate switches?

    • bdickie

      Two separate switches is recommended for redundancy. But yes in most cases you can use one switch.

      • Haytham Gaber

        Thanks for your valued support.
        Everything is working properly when I connect one ISP, but when connecting the second line all users cannot access the internet. What do you think the problem is?

  • JDC66548

    I’m setting up HA. We currently have dual ISPs since our primary is not reliable. How would I configure the redundant ISP connection in an HA environment?

    • bdickie

      There are no special requirements for HA with redundant ISP connections. You need to connect both FortiGates in the cluster to each ISP using switches, as shown in the diagram above for one ISP. Otherwise the steps described in this recipe should work.

  • Vimanyu Kaushik

    Why are we using two interfaces for HA? Can we use one also, or is the second for redundancy? Please clear my confusion.

    • bdickie

      Yes the second is for redundancy. All heartbeat traffic just uses one HA interface.

      • Vimanyu Kaushik

        Thanks for clearing my confusion. I appreciate your support.

  • Erik

    In my company we have 2 FortiGates for redundancy, both located in another room. They have all their 5 connections (WAN, HA1, HA2, Port1, Port2) connected to just 1 switch: FortiGate 1 > everything on switch1, FortiGate 2 > everything on switch2. I am not a network technician, but with respect to redundancy this doesn’t sound logical to me. For me it would be more logical to spread the 5 connections over several switches so that in case e.g. switch1 goes down you wouldn’t completely lose FortiGate 1. Can anyone advise? 🙂

    • bdickie

      I can provide a general answer, for more detailed recommendations for your network conditions you can contact Fortinet Support (http://cookbook.fortinet.com/how-to-work-with-fortinet-support/).

      In fact you should be using three switches:
      – One switch connecting both WAN interfaces together and connecting the WAN interfaces to your WAN (or Internet).
      – A second switch connecting both Port1 interfaces together and to a network.
      – A third switch connecting both Port2 interfaces together and to a network.

      You can connect the HA1 – HA1 and HA2 – HA2 interfaces directly using normal Ethernet cables. You don’t need switches for these connections.

  • vrajkumar

    Hi All

    We have Fortinet Firewall 3815 series running in HA in active-active mode. We have connected each firewall to our HP core switch running in VRF mode. It is not criss-cross. We connected Firewall1 to Switch1 and FW2 to Sw2. The firewalls are interconnected, the switches are interconnected, etc. But we cannot see the second firewall’s link being used for sending traffic to the LAN. Is that expected behaviour? Even if the firewalls are active-active, will only one link from the master to the switch be used to send traffic?

  • Jamesbondjr007x

    Hello All,

    What I would like to see is how HA would be done with failover to another FortiGate (which was shown above) but with internet failover for two providers using the firewalls. I would have used a router to do this, but someone said the firewalls could do this task as well?

    • bdickie

      The redundant Internet Connections recipe (http://cookbook.fortinet.com/redundant-internet-connections-54/) is compatible with FortiOS HA. Once the cluster is up and running you can configure it like a single FortiGate. The wiring would be a bit more complex because you would have to duplicate the wan1 and wan2 connections to each FortiGate.

  • Thiago Savoia Morales

    HI Everyone!
    Can anyone tell me if I can do HA with two different FortiGates?

    Primary Fortigate 311B
    Backup Fortigate 200B

    • bdickie

      Standard FortiOS HA (FGCP) requires that both FortiGates must be the same model; so no this configuration will not work. FortiOS supports both FGSP and VRRP and these protocols allow HA between different FortiGate models. These modes are more difficult to configure and may require external routers or load balancers and are not supported by older versions of FortiOS. See http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_introduction.htm

      • Thiago Savoia Morales

        Thank you BDICKIE!

  • Toshi Esumi

    In the description of the heartbeat interface setting, there is a footnote saying “make sure that none of the interfaces are in DHCP or PPPoE”. Is this NOT only for heartbeat interfaces but for all interfaces throughout the unit?

    • bdickie

      Yes, this note is meant to apply to all interfaces.

      • Toshi Esumi

        Is this because MAC addresses on interfaces are different between Primary and Secondary, and the secondary wouldn’t be able to take over the master for the interfaces? Or something else?

        • bdickie

          See this page in the online help, and let us know if this doesn’t answer your question: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_FGCP_dhcp.htm

          • Toshi Esumi

            The sentences are not as clear as I can understand the exact conditions. So are they saying “An FG can have both DHCP/PPPoE interface(s) and a-p mode HA, but you have to disable (set status down?) the interface(s) when you configure a-p HA”? Or even “status down” is not enough and the interface(s) has to be configured after HA is turned on (likely configuring it only on the active unit and let HA copying the config to the passive one)?

          • bdickie

            The section in the manual attempts to cover a number of DHCP/PPPoE-related issues. We will work on re-writing it. The basic idea is we recommend configuring the FortiGates with static IP addresses before adding them to a cluster. Once you have created the cluster, then you can configure the cluster interfaces as DHCP/PPPoE clients. You aren’t required to do this, it just makes things run smoother if you are setting up a new cluster and may make it easier to reconnect to cluster interfaces after the cluster is formed because you won’t have to wait for the cluster to get new IP addresses from the DHCP/PPPoE server and because you may not know the IP address of the DHCP/PPPoE client interfaces after the cluster forms.

            You can configure your FortiGates as DHCP servers or for DHCP relay before configuring the cluster. The paragraph about DHCP servers in this section attempts to describe how the pre-configured FortiGate DHCP servers behave after the cluster forms.

  • Sergey Babkevych

    Hi ,
    Amazing article!
    I have a little question regarding HA.
    If I have 2 units configured active-passive but I did not configure one of the ports on the second FortiGate unit, may this cause instability of the device?


  • AnThraXau

    Probably a silly question, but can I have my HA interfaces on a VLAN? Or should I just make those VLAN interfaces untagged on the switch?

    • bdickie

      Yes I think you should untag the interfaces on the switch. There is no way that I am aware of on a FortiGate to add VLAN tags to heartbeat packets. For example, you can’t make VLAN interfaces HA heartbeat interfaces.

  • Deeso Saeed

    The cookbook says a switch is needed at the internet end. Does that mean that connecting the FG cluster members to the same router is not a valid configuration, even if the same router ip (same VLAN) is reachable in either port? In our case we are about to connect two FG90D units directly to a cisco 800 series router provided by our ISP

    • bdickie

      I have not tested this configuration and you might want to check with support or test it yourself. Switches are used so that when the primary unit fails, packets will be sent to the new primary unit with minimal network interruption. When a failover happens the new primary unit sends gratuitous ARP packets that remap the IP address of the cluster to the new primary unit. As long as the router can respond to the gratuitous ARP packets this configuration should work. You could also test it by setting up the cluster and sending traffic through it. Then turn off the primary unit’s power and see if traffic resumes.

  • shivunrp1

    What is the command to check the failover history on a FortiGate firewall?

    • bdickie

      You can review HA log messages to see the failover history. There is no command that I am aware of to do this. You can find HA log messages under Log&Report on the GUI. FortiGates don’t record failover log messages specifically but they do record log messages when a FortiGate unit in a cluster detects that the other unit has failed “Virtual cluster member dead”. Other messages also appear as the operating FortiGate changes its role in the cluster “Virtual cluster member state moved” and so on.

  • Tal Amir

    As far as policy rules, how does that work? Will the rules from the primary unit automatically be synced to the backup unit? Does that continue to happen later on when we make policy changes?

    • bdickie

      Yes, whenever any configuration change (including a policy rule change) is made to a cluster unit that change is automatically synchronized to all of the other units in the cluster. This configuration synchronization occurs over the HA heartbeat link and it happens as quickly as possible.

  • Albert Sánchez Miñano

    Hi Victoria,

    Can you please explain to me whether it is possible to distribute the Fortinet modules (App Control, WebFilter, Antivirus, etc.) across different clusters. We currently have a master with a load of 90% and 3 slaves with an average load of 20%.

    • bdickie

      For best results I would recommend contacting support (see http://cookbook.fortinet.com/how-to-work-with-fortinet-support/). In general though, you can’t assign different functions to different units in the cluster. But, active-active HA is designed to distribute security profile processing more evenly among the cluster units. So you could try active-active HA if you are not currently running in that mode. Other variations might also work depending on your configuration and requirements. The support team should be able to help with this.

      • Albert Sánchez Miñano

        Thanks you very much!

        I have already contacted the Fortinet team. Currently the HA is active-active and CPU consumption on the master is 90% compared to the slaves (25-30%).

  • Safiulla Khan

    Hi, do we have any video on how IPsec tunnels work in FortiGate?

  • Safiulla Khan

    Hi, is the pre-shared key used in the FortiGate phase 1 VPN tunnel symmetric or asymmetric?

    • Victoria Martin

      Hi Safiulla, the pre-shared key is symmetric.

  • Gustavo Chung Sang

    I have reviewed the FortiOS Handbook HA and I am looking to implement a full mesh HA configuration but the requirements are two switches in the internal network with Interswitch-link between them. ISL is an old protocol that is not supported by the current switches I have. Do you know if the full mesh HA configuration could be setup using Dot1q instead, if this is possible, would you mind to post some documentation.
    Thank you

    • bdickie

      It seems very likely that Dot1q is supported but we will investigate and post an update here (and correct the HA Guide) as soon as we get a definitive answer.

  • mradarit


    I wanted to know if there are any requirements for the switch(es) between the internet and the FortiGates. Any specific model recommendations? Basic dumb 4-8 port gigabit switches or something “smarter”?


    • bdickie

      Basic dumb switches will do just fine. In fact smarter switches may require some additional configuration because of the unusual ethertypes used by the HA heartbeat packets. (See the HA Handbook PDF for information about these “Heartbeat Packet Ethertypes”).

  • Malcoln Dandaro


    Does it work if each FortiGate is in a separate building? I mean, I won’t be able to connect them directly with an Ethernet cable; does it work over the network? Like FortiGate1 HA port -> switch <- port FortiGate2 HA?


  • Olivier


    This looks similar to VRRP.
    If both my FG devices are working normally, will all of the traffic go through the master device only? Is it possible to share the load between the devices like in VRRP-extended? (a Brocade proprietary protocol as far as I know)

    • bdickie

      Yes, if both of the FortiGates are working normally, in an active-passive setup all traffic goes through the primary (or master) device only. You can change to active-active mode from the GUI at any time to share the load between the devices. Active-active HA does not necessarily improve performance but it can be used to distribute security profile traffic (for example virus scanning, web filtering, etc.) to both devices; which could lead to a performance increase.

      FortiGates do also actually support VRRP. See the HA Guide for more information about active-active mode and the FortiOS implementation of VRRP. http://docs.fortinet.com/d/fortigate-high-availability-1

  • John

    Where can I find info about HA with more than 2 devices? For example, recommended configuration, etc.

    • Victoria Martin

      Hi John,

      We don’t have any Cookbook recipes featuring HA with more than 2 devices at the moment, though I will add it to our to-do list. There is, however, a handbook chapter for FortiOS devoted to High Availability, which you can find at http://docs.fortinet.com/uploaded/files/2177/fortigate-ha-524.pdf.

      I hope that helps!

      • John

        I’ve already read that cookbook. Anyhow I still have doubts. For example, how should the heartbeat be configured? (I’m thinking a dedicated switch) Is Full Mesh recommended? etc

        • bdickie

          Hello John,

          As far as I am aware there are no special requirements for HA with more than two devices. Here are a few recommendations though:
          – The matching heartbeat interfaces of all 3 (or more) cluster units must be able to communicate with each other. So each device’s matching heartbeat interface should be connected to the same switch.
          – Redundant heartbeat interfaces are recommended. You can reduce the number of points of failure by connecting each matching set of heartbeat interfaces to a different switch, but this is not a requirement.
          – A dedicated switch for each heartbeat interface is recommended because of the large volume of heartbeat traffic, but not required.
          – Full mesh can scale to more than two FortiGate units, but it is not required or particularly recommended (or not) if you have more than 3 devices in a cluster.

          If you have more questions I would be interested in knowing something about your requirements. It seems somewhat rare to set up a cluster of more than three units so it would be interesting to know why you want to do this to help us create a scenario we can document.

          I will also add these notes to a future version of the HA Guide.

  • Julian

    Victoria, I have 2 separate questions on an HA active-active setup; if you know, please explain:

    1. How does HA active-active work when I have a site-to-site VPN and the primary firewall goes down? Or how is the other side going to negotiate a site-to-site VPN with my HA active-active cluster?

    2. If I have an HA active-active solution and, let’s say, over a period of 2 years the number of users doubles so the traffic doubles on the internal side of the firewalls, when any of the firewalls fails, how is the remaining one going to be able to keep up with the traffic? And what is the solution for preventing the remaining firewall from being overwhelmed?

    • bdickie

      I will try and answer your questions. Let me know if you need more info.

      1. HA synchronizes IPsec security associations (SAs) between cluster members so that if a failover occurs, the backup can resume IPsec sessions without having to establish new SAs.
      The following section of the FortiOS handbook contains more details (I hope the link works.) http://help.fortinet.com/fos50hlp/52data/index.htm#FortiOS/fortigate-high-availability-52/HA_failover.htm#Synchron2

      2. Active-active HA does not provide double the performance of a single FortiGate. The main idea of active-active HA is to distribute proxy-based security profile processing to all cluster units. Proxy-based security profile processing is CPU and memory-intensive, so active-active HA may help increase performance depending on the traffic you process.

      In the scenario you describe it seems likely to me that the active-active cluster would start having performance problems even before a failure. After a failure the remaining FortiGate could become overwhelmed. FortiOS can attempt to deal with high traffic loads by entering conserve mode to save memory. In general in this scenario I think the solution would be to upgrade your hardware or find ways to reduce the processing load on the cluster. I am not really qualified to talk about performance issues though. Perhaps Support or our Sales team could better answer this question.

  • Manfred

    This cookbook is just not worth anything. Keep in mind that in the real world, most of the time a cluster, when being created or updated, makes nothing but trouble.
    Here Fortinet should make a real firewall, with a chance of no default config, instead of crap switch interfaces or default rules.

  • Angel Maza

    I have two FGT-60Cs, can they be in HA?

    • Victoria Martin

      Hi Angel,

      If you look at the Feature/Platform Matrix (http://docs.fortinet.com/uploaded/files/2342/fortios-feature-platform-matrix-523.pdf), you can see which models support HA. According to the chart, you should be able to set up HA with two FortiGate 60Cs.

    • Is it possible to have an HA cluster between a Fortigate 200B and 200D?

      • bdickie

        Because of the way HA synchronizes the configuration the hardware of the FortiGates in the cluster must be identical. The 200B and 200D have different hardware and different configurations. In general the complete model numbers must be the same including the letters at the end.

  • Thiago Prado

    Is it possible to have an HA cluster between a Fortigate 200B and 200D?

    • bdickie

      Unfortunately not. The hardware model numbers, including the letter at the end, must be the same.

  • bdickie

    First, an apology for taking so long to reply to your comment. Somehow we missed it 🙁

    Second, the HA Guide has some basic information about HA, L3 switches, and LACP but does not include a detailed example or a cookbook recipe. But we will add this recipe to our to do list.

    Here is a link to the HA Guide for FortiOS 5.2, open the PDF and search for LACP.


  • TenZ

    This is if the FortiGate cluster is connected directly to single L2 switches. Do you have any reference for FortiGate clusters connected directly to mesh L3 switches in a large environment, where the FortiGate clusters will be installed in the middle between active-active core L3 switches and active-active data center L3 switches? Both the core and data center switches are using LACP.

  • GreeTz

    The first picture shows Internal Network connected to WAN and Internet connected to Internal zones :S

    • Victoria Martin

      The labels in the diagram have been corrected, thanks for pointing this out.

      • Nilton Teixeira

        hi Victoria,

        I have a client with two FortiGate-100D appliances in a cluster, who contacted me to request a proposal for licensing high availability UTM.
        Please, please help me with the BoM.

        • bdickie

          There are no special high availability UTM licenses, you just need to license each individual FortiGate appliance for UTM. Customer support should be able to provide you with any additional information. See http://cookbook.fortinet.com/how-to-work-with-fortinet-support/ for details about contacting them.

          • OPEXA

            Can you create an HA pair between Fortigate 300C and 300D?

          • bdickie

            Both the model number and letter must match (in fact the hardware must be identical). So it is not possible to create an HA cluster between a FortiGate 300C and 300D.

          • Syed

            How about HA with two firewalls and two ISPs?

          • Syed

            Also, what kind of switches would you recommend, managed or unmanaged? Can we use only one switch after the ISPs' routers?

          • Bill Dickie

            Yes you can configure HA with two FortiGates and two ISPs. This would only require adding another network connection to the cluster. For example, if your FortiGates have WAN2 interfaces you would connect them in the same way as the WAN1 interface as described in the recipe.

            There are no HA-specific reasons to recommend managed or un-managed switches that I am aware of. This section has some information about managed switches and HA (http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-managing-fortiswitch-330-54/HAconfig.htm) and we have plans for a managed switch and FortiAPs with HA recipe. Looks like we should also include dual ISPs in that recipe.

            You can use one switch after your ISPs' routers as long as each ISP's traffic is separated on the switch.

    • I have a client with two FortiGate-100D appliances in a cluster, who contacted me to request a proposal for licensing high availability UTM.
      Please help us!