Listen to this Post

Introduction:
High Availability (HA) is the backbone of resilient network infrastructure, ensuring that a firewall failure doesn’t cripple your entire organization. In an Active-Passive FortiGate HA setup, one unit actively processes traffic while a secondary unit remains on standby, synchronizing state information via a dedicated heartbeat link. This configuration eliminates a single point of failure and provides automatic failover with minimal to zero downtime, making it critical for enterprises, data centers, and service providers.
Learning Objectives:
- Understand the core mechanics of FortiGate Active-Passive HA, including floating IPs, virtual MAC addresses, and heartbeat synchronization.
- Configure and verify an Active-Passive HA cluster using both FortiOS CLI and web-based management.
- Perform failover testing, troubleshoot common HA issues, and implement advanced options like preempt mode and session synchronization.
You Should Know:
1. Understanding Active-Passive HA Architecture and Its Advantages
Active-Passive HA is the most straightforward redundancy model: one firewall (the active) handles all traffic, while the passive unit monitors the active’s health via a heartbeat link. The two devices share a virtual IP and virtual MAC that float between them upon failover. This ensures that downstream switches and upstream routers see no change in next-hop or ARP entries.
Step‑by‑step guide to understanding the architecture:
- Floating IP & Virtual MAC: Both firewalls are configured with the same “management IP” and “gateway IP” (floating). The active unit owns this IP/MAC pair. On failover, the passive unit takes over the same floating IP and sends gratuitous ARP updates to network neighbors.
- Heartbeat Link (HA1): A dedicated physical interface (or VLAN) that carries heartbeat packets, configuration synchronization, and session state information. Use a separate switch or direct cable to avoid split-brain scenarios.
- Failover Triggers: Link failure on any monitored interface, device reboot, or administrative manual failover. The passive unit detects missing heartbeats and assumes active role.
- Session Pickup: With session synchronization enabled, TCP/UDP sessions continue seamlessly after failover because the passive unit already holds the session table.
This architecture is ideal for environments requiring high reliability without complex load-balancing logic. Compared to Active-Active, Active-Passive is simpler to troubleshoot and ensures predictable performance.
2. Configuring FortiGate Active-Passive HA via CLI
To deploy an HA cluster, both units must be identical in hardware, firmware version, and initial configuration. The following commands are executed on the primary unit; the secondary joins automatically.
Step‑by‑step guide for configuration:
- Set the HA mode and group ID (same on both units):
config system ha set group-id 1 set group-name "HA-Cluster" set mode a-p set password "StrongHApassword123" set hbdev "port1" 50 set session-pickup enable set override disable end
– `hbdev` specifies the heartbeat interface and its priority.
– `session-pickup enable` synchronizes session table. -
Assign the floating IP (used for management and gateway):
config system interface edit "port2" set vdom "root" set ip 192.168.1.1 255.255.255.0 set allowaccess ping https ssh set type physical set role lan next end
This IP is automatically shared; do not configure a separate management IP on the passive unit.
-
Configure monitored interfaces (if link goes down on active, failover occurs):
config system ha set monitor "port2" "port3" end
-
On the secondary unit, reset its config to factory defaults, then set the same HA parameters (except
override). It will automatically sync configuration from the primary after detecting the heartbeat.
Windows / Linux verification commands after HA is up:
– On Linux: `arp -a | grep -i “virtual-mac”` to confirm MAC address is active.
– On Windows: `arp -a | findstr /i “virtual-mac”` or use `ping 192.168.1.1` and check arp -a.
3. Monitoring HA Status and Heartbeat Integrity
Regular monitoring prevents surprise split-brain or degraded clusters. Use the following CLI commands and system logs to assess HA health.
Step‑by‑step guide for monitoring:
- Check HA status from CLI on either unit:
get system ha status
Output shows role (active/passive), group ID, and last heartbeat received time. Also lists synchronized sessions and configuration checksum.
2. View HA statistics including heartbeat packet loss:
diagnose sys ha stat
Look for “heartbeat lost” counters; any non-zero indicates network issues on the HA link.
- Monitor real-time HA events via the log buffer:
execute log filter category 1 execute log display
Or use `diagnose sys ha state` for a concise summary of state changes.
-
Set up SNMP traps for HA failover events:
config system snmp community edit 1 set events ha-failover set hosts 192.168.100.50 next end
-
Linux command to test heartbeat path latency (run from a management host on same VLAN):
ping -c 10 -s 1400 <heartbeat-interface-ip-active> ping -c 10 -s 1400 <heartbeat-interface-ip-passive>
Latency >1ms or any loss can cause false failovers.
4. Testing Failover and Floating IP Behavior
You must validate that failover works without manual intervention. Simulate real failure scenarios and observe network continuity.
Step‑by‑step guide for failover testing:
- Identify the active unit using
get system ha status. Note its hostname or serial. -
Initiate a manual failover from the active unit to the passive:
execute ha failover set
This forces the active to yield. Watch console or logs: the passive should become active within 3-5 seconds.
-
Test link failure – disconnect a monitored interface (e.g., `port2` on the active unit). The passive should take over. Reconnect and verify that the original unit returns as passive (unless `override` is enabled).
-
Validate network convergence – from a Windows/Linux client behind the firewall, continuously ping the internal gateway (floating IP):
– Linux: `ping -i 0.2 192.168.1.1 | ts`
– Windows: `ping 192.168.1.1 -t`
You should see a short pause of 3-5 seconds but no “Request timed out” beyond that.
- Check ARP table update on a connected router/switch:
– Linux: `arp -a` – notice the virtual MAC remains the same after failover.
– Windows: `netsh interface ipv4 show neighbors`
6. Restore the original active unit – if `override` is disabled, the previously active unit stays passive; if enabled, it reclaims active role after a configured delay.
- Troubleshooting Common HA Issues (Split-Brain, Sync Failure, Mismatch)
Split-brain occurs when both units become active due to heartbeat loss. Configuration mismatches prevent session pickup. Here’s how to resolve.
Step‑by‑step guide for troubleshooting:
- Detect split-brain – both units show role=active in
get system ha status. Immediately disconnect one unit’s data interfaces, then fix the heartbeat link.
2. Recover from split-brain:
- Manually power off one unit.
- Verify heartbeat cable/switch integrity.
- Reboot the powered-off unit – it will enter passive mode after seeing an active peer.
- Fix configuration mismatch – HA will show “checksum mismatch” in logs. Compare configs:
execute ha synchronize status diagnose sys ha checksum cluster
To force resync, on the passive unit run:
execute ha synchronize start
- Session pickup not working – ensure `set session-pickup enable` and that session table size is synchronized. Check with:
diagnose sys ha session list | wc -l
Compare both units (must match). If not, restart HA daemon safely: `diagnose sys ha reboot-hal`
- Heartbeat failure due to VLAN tags – if heartbeat passes through a trunk, ensure native VLAN is not used. Configure explicit VLAN interface for HA.
-
Windows command to test connectivity to both units’ heartbeat IPs (if management IPs are separate):
ping <active-heartbeat-ip> -n 10 ping <passive-heartbeat-ip> -n 10
Loss >5% indicates physical issues.
- Best Practices for HA Hardening, Integration, and Cloud/API Security
Extend HA robustness by securing the heartbeat link, automating failover alerts, and integrating with cloud APIs for dynamic routing updates.
Step‑by‑step guide for hardening:
- Isolate the heartbeat VLAN – use a dedicated switch or direct crossover cable, and apply an ACL to allow only FortiGate HA traffic. Example ACL on Cisco switch:
access-list 100 permit udp any any eq 10000 access-list 100 permit tcp any any eq 703 704
Block all other traffic on that VLAN.
- Encrypt HA synchronization – use `set encryption enable` and a strong passphrase in
config system ha. This secures session data. -
Automate failover notifications – use FortiGate’s automation stitches:
config system automation-action edit "HA-Failover-Webhook" set action-type webhook set webhook-url "https://your-monitoring/api/alert" next end config system automation-trigger edit "HA-Failover" set event-type ha-failover next end config system automation-stitch edit "Notify-On-Failover" set trigger "HA-Failover" set action "HA-Failover-Webhook" next end
-
Cloud hardening (AWS/Azure) with HA – when deploying FortiGate HA in the cloud, use route table manipulation APIs to update next-hop on failover. Example AWS CLI command to update routes:
aws ec2 replace-route --route-table-id rtb-12345 --destination-cidr-block 0.0.0.0/0 --instance-id i-passive-firewall
Automate this with a Lambda function triggered by FortiGate’s webhook.
-
API security – restrict HA management APIs to specific IPs using `config system admin` and enable HTTPS strict transport security:
config system global set admin-https-redirect enable set admin-https-ssl-version tls1.2 end
-
Advanced: Preempt Mode, Virtual Clustering, and Session Synchronization Tuning
For environments that require the primary unit to regain active role after recovery, or split traffic by VDOM, use these advanced HA features.
Step‑by‑step guide for advanced configuration:
- Enable Preempt Mode – The primary unit reclaims active role after it recovers (e.g., after a reboot):
config system ha set override enable set priority 200 (higher priority on the preferred primary) end
Warning: Preempt can cause double failover; use only when necessary.
-
Configure Virtual Clustering – This splits HA by VDOM, useful for multi-tenant environments. Example with two VDOMs (root and vdom2):
config system ha set vcluster-id 1 set vcluster-role master end
Then assign VDOMs to different clusters to balance load.
-
Tune session synchronization for high throughput – Adjust sync interval and buffer:
config system ha set sync-packet-limit 2000 set ha-uptime-diff-threshold 60 set uninterruptible-upgrade enable end
4. Verify session sync performance:
diagnose sys ha show session-stats
Look for “sync queue length” – if >500, increase sync-packet-limit.
- Linux command to stress test failover – simulate load using `hping3` to generate sessions, then force failover:
hping3 -S -p 80 --flood --rand-source 192.168.1.1 In another terminal, failover and check for session drops
What Undercode Say:
- Key Takeaway 1: Active-Passive HA is not just about redundancy—it’s about maintaining stateful session continuity. Without proper session synchronization, failover will drop active connections, which defeats the purpose.
- Key Takeaway 2: The heartbeat link is the most overlooked yet critical component. A misconfigured or congested heartbeat VLAN is the leading cause of split-brain and unnecessary failovers in production networks.
Analysis: FortiGate’s HA implementation offers enterprise-grade resilience, but engineers often rely solely on the GUI, missing advanced tuning options like encryption, preempt mode, and API-driven cloud integration. As networks move toward zero-trust and edge computing, HA clusters must also support rapid failover for SD-WAN and SASE deployments. The CLI commands provided above give you granular control over failure detection timers and session synchronization buffers. Remember: Testing failover should be a monthly ritual, not an afterthought. Document your HA state with `diagnose sys ha checksum` before and after any configuration change. Finally, consider using dedicated 10G interfaces for heartbeat to avoid latency spikes from data plane traffic.
Prediction:
With the rise of AI-driven network operations and self-healing infrastructures, FortiGate HA will evolve beyond simple active-passive models to predictive failover—where machine learning models analyze interface error rates and proactively pre-stage the passive unit before a hard failure occurs. In the next 18 months, expect Fortinet to integrate telemetry from FortiAnalyzer into HA decision engines, enabling “smart” failover that avoids unnecessary flapping during transient blips. Additionally, as multi-cloud networking becomes dominant, FortiGate HA clusters will natively synchronize state across cloud regions using encrypted overlay tunnels, making geographic redundancy seamless. Network engineers who master today’s CLI-based HA will be well-prepared to programmatically control these future self-healing fabrics via APIs and Infrastructure-as-Code tools like Terraform.
▶️ Related Video (88% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Sayed Hamza – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


