FortiGate High Availability (HA) Setup and Configuration Guide

Configuring FortiGate High Availability (HA) ensures network redundancy, improves performance, and minimizes downtime. This guide walks you through the step-by-step process of setting up HA on FortiGate firewalls using both the GUI and CLI.

Introduction to FortiGate HA

High Availability (HA) in FortiGate ensures redundancy and fault tolerance by clustering two or more FortiGate devices into a single logical unit. If one device fails, the other takes over seamlessly, minimizing downtime and maintaining security policies.

Prerequisites

Before setting up HA, ensure you have:

  • Two identical FortiGate devices with the same firmware version
  • A network topology plan for HA deployment
  • At least one dedicated HA heartbeat link between devices
  • Matching interface configurations on both devices

HA Modes and Deployment Options

FortiGate HA supports the following modes:

  • Active-Passive (A-P): One firewall is active while the other remains on standby.
  • Active-Active (A-A): Both firewalls process traffic for load balancing.

Deployment options include:

  • Standalone HA: Two FortiGate devices in a single cluster.
  • Multi-cluster HA: Multiple clusters for larger networks.

Configuring HA Using GUI

Step 1: Access the Primary FortiGate

  1. Connect to the primary FortiGate via web GUI (https://<IP Address>).
  2. Log in with admin credentials.

Step 2: Enable HA and Set the Primary Device

  1. Navigate to System > HA.
  2. Set the Mode to Active-Passive or Active-Active.
  3. Configure the following:
    • Group Name: Example_HA_Group
    • Password: Secure HA password
    • Heartbeat Interfaces: Select at least one interface for heartbeat communication.
    • Priority: Set higher priority for the primary device.
  4. Click Apply.

Step 3: Configure the Secondary FortiGate

  1. Repeat Step 1 on the secondary device.
  2. Use the same Group Name and Password.
  3. Set a lower Priority than the primary.
  4. Click Apply.

Step 4: Verify HA Status

  1. Navigate to System > HA on the primary device.
  2. Check if both devices are listed with appropriate roles.
  3. Use System > Dashboard > HA Status for monitoring.

Configuring HA Using CLI

Step 1: Configure HA on the Primary Device

config system ha
    set group-name Example_HA_Group
    set password <secure_password>
    set mode a-p
    set priority 200
    set hbdev port3 50
end

Step 2: Configure HA on the Secondary Device

config system ha
    set group-name Example_HA_Group
    set password <secure_password>
    set mode a-p
    set priority 100
    set hbdev port3 50
end

Step 3: Verify HA Status

get system ha status

Troubleshooting Common HA Issues

  • Cluster not forming: Verify identical firmware versions and configurations.
  • Heartbeat link issues: Ensure the correct interfaces are used.
  • Failover not working: Check priority settings and HA logs.

Best Practices for HA Deployment

  • Use at least two heartbeat interfaces for redundancy.
  • Ensure identical configurations on both devices.
  • Regularly test failover scenarios.
  • Monitor HA logs for potential issues.
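
A pre-deployment check for the CLI settings shown earlier and the heartbeat recommendation in this list, as an added example (not part of the original guide and not Fortinet code). It assumes the inputs are the planned `config system ha` snippets as typed, not exported backups where the password may be stored in encrypted form; the function names and sample text are constructed for illustration.

```python
def parse_ha(config_text):
    """Extract 'set' lines from the 'config system ha' block into a dict."""
    settings, in_block = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system ha":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block and line.startswith("set "):
            parts = line.split()
            if len(parts) >= 3:          # a 'set' with no value counts as missing
                settings[parts[1]] = parts[2:]
    return settings

def heartbeat_ifaces(settings):
    """hbdev is a flat list of <interface> <priority> pairs; return the names."""
    return [v.strip('"') for v in settings.get("hbdev", [])[0::2]]

def check_pair(primary_text, secondary_text):
    """Return a list of findings; an empty list means the pair follows the guide."""
    pri, sec = parse_ha(primary_text), parse_ha(secondary_text)
    findings = []  # findings name the setting only, never its value (password)
    for key in ("group-name", "password", "mode", "hbdev"):
        if key not in pri or key not in sec:
            findings.append(f"{key}: missing on one or both units")
        elif pri[key] != sec[key]:
            findings.append(f"{key}: differs between units")
    try:
        if int(pri["priority"][0]) <= int(sec["priority"][0]):
            findings.append("priority: primary must be higher than secondary")
    except (KeyError, ValueError):
        findings.append("priority: missing or not numeric")
    if len(heartbeat_ifaces(pri)) < 2:
        findings.append("hbdev: fewer than two heartbeat interfaces on primary")
    return findings

# Constructed sample input: the guide's own primary/secondary settings.
PRIMARY = """config system ha
    set group-name Example_HA_Group
    set password <secure_password>
    set mode a-p
    set priority 200
    set hbdev port3 50
end"""
SECONDARY = PRIMARY.replace("priority 200", "priority 100")

if __name__ == "__main__":
    for finding in check_pair(PRIMARY, SECONDARY):
        print(finding)
```

Run against the guide's own settings, the check reports only the single heartbeat interface; a second pair on the `hbdev` line of both units (constructed here as `port4 50`) clears it.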

Conclusion

Setting up FortiGate HA enhances network reliability and security by ensuring seamless failover and load balancing. By following this guide, you can deploy HA effectively and maintain a resilient firewall infrastructure.

Kevin darian