FortiGate High Availability (HA) Configuration Guide
FortiGate HA (high availability) runs two or more devices as a cluster so service continues uninterrupted when a single device fails. FGCP synchronizes configuration and sessions between members; on failure the standby device takes over.
What Is HA and What Modes Exist?
HA (High Availability) is a clustering approach that runs multiple FortiGates as one logical firewall; there are two main modes: active-passive (failover) and active-active (load sharing).
In active-passive mode one device is primary and processes all traffic while the other holds an identical, synchronized configuration as the standby. When the primary fails, the standby takes over within seconds. This mode is the most common choice because its behaviour is predictable and easy to troubleshoot.
In active-active mode all members process traffic: the primary accepts sessions and, by default, hands those that need security-profile (UTM) inspection to the other members to raise inspection throughput. Traffic paths are harder to reason about and troubleshoot, so this mode does not fit every scenario.
Before building HA, both devices must have completed base setup; see our FortiGate installation and initial configuration guide.
FGCP Clustering and Synchronization
FGCP (FortiGate Clustering Protocol) synchronizes configuration and the session table between cluster members, elects the primary device, and monitors health via heartbeat.
When a cluster forms, FGCP elects the primary by comparing members in order: the number of connected monitored interfaces, then uptime (age), then priority, and finally serial number; with override enabled, priority is compared before age, so the higher-priority unit reclaims the primary role whenever it is healthy. Configuration changes made on the primary are synchronized to the other members, so every unit carries the same policy set.
If session synchronization is enabled, existing sessions are preserved during failover and users continue without dropping. Heartbeat interfaces let members continuously check each other's liveness; at least two heartbeat links are recommended. Heartbeat and synchronization traffic is sent in clear text unless heartbeat authentication and encryption are enabled, so keep heartbeat links on dedicated ports or an isolated switch/VLAN rather than on a shared production segment.
| Component | Function |
|---|---|
| Heartbeat interface | Liveness and sync channel between members |
| Priority | Primary-device election priority |
| Session sync | Preserving sessions during failover |
| Override | Forcing the preferred device to stay primary |
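The election order described above, modelled in Python as an added example (this is not FortiOS code and is not from the original page). The class and function names are this example's own; the 300-second age margin is the FortiOS default for ha-uptime-diff-margin, and the serial numbers in the comments are constructed.

```python
"""FGCP primary election rules, modelled for illustration (not FortiOS code).

override disabled: monitored ports up -> age -> priority -> serial number
override enabled:  monitored ports up -> priority -> age -> serial number
An age difference only counts when it exceeds ha-uptime-diff-margin (300 s
by default), so a freshly rebooted unit does not flap the primary role.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

AGE_MARGIN_SECONDS = 300  # FortiOS default ha-uptime-diff-margin


@dataclass
class Member:
    serial: str        # e.g. "FG100F0000000001" (constructed for this example)
    priority: int      # config system ha -> set priority (default 128)
    age: int           # seconds since the unit joined the cluster
    monitored_up: int  # monitored interfaces currently link-up


def _higher(a: Member, b: Member, key: Callable[[Member], object]) -> Optional[Member]:
    """Return the member with the strictly higher key, or None on a tie."""
    ka, kb = key(a), key(b)
    if ka == kb:
        return None
    return a if ka > kb else b


def _by_monitored(a: Member, b: Member) -> Optional[Member]:
    return _higher(a, b, lambda m: m.monitored_up)


def _by_priority(a: Member, b: Member) -> Optional[Member]:
    return _higher(a, b, lambda m: m.priority)


def _by_age(a: Member, b: Member) -> Optional[Member]:
    # Uptimes closer than the margin are treated as equal.
    if abs(a.age - b.age) <= AGE_MARGIN_SECONDS:
        return None
    return a if a.age > b.age else b


def _by_serial(a: Member, b: Member) -> Optional[Member]:
    # Same-model serials have equal length, so string order works here.
    return _higher(a, b, lambda m: m.serial)


def preferred(a: Member, b: Member, override: bool) -> Member:
    """Decide which of two members FGCP would elect as primary."""
    if override:
        order = [_by_monitored, _by_priority, _by_age, _by_serial]
    else:
        order = [_by_monitored, _by_age, _by_priority, _by_serial]
    for rule in order:
        winner = rule(a, b)
        if winner is not None:
            return winner
    return a  # unreachable with distinct serial numbers


def elect_primary(members: List[Member], override: bool) -> Member:
    """Pairwise reduction over the cluster (a simplification: the age
    margin makes the comparison non-transitive for three or more units
    with closely spaced uptimes)."""
    primary = members[0]
    for m in members[1:]:
        primary = preferred(primary, m, override)
    return primary


if __name__ == "__main__":
    a = Member("FG100F0000000001", priority=200, age=120, monitored_up=2)
    b = Member("FG100F0000000002", priority=100, age=3600, monitored_up=2)
    print("override disabled ->", elect_primary([a, b], override=False).serial)
    print("override enabled  ->", elect_primary([a, b], override=True).serial)
```

The two runs at the bottom show the practical effect of override: with it disabled the longer-running unit (b) stays primary despite its lower priority, and with it enabled the higher-priority unit (a) preempts it as soon as it is healthy. A member with fewer monitored interfaces up loses regardless of the other fields, which is exactly what link monitoring relies on.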
Building the HA Cluster
HA setup is done by bringing two identical devices to the same firmware, setting the HA mode and group name, defining heartbeat interfaces, and physically connecting the devices.
Ensure both devices are the same model and the same FortiOS version. Under System > HA, choose the mode (active-passive), set a group name and group password, and configure heartbeat interfaces and priority.
Connect the heartbeat interfaces directly (back-to-back) or through a dedicated, isolated switch. When the configuration is saved, FGCP automatically merges the devices into a cluster and starts synchronization.
- Bring both devices to the same firmware version.
- Set HA mode, group name, and password.
- Define at least two heartbeat interfaces.
- Set priority and, if needed, override values.
- Verify synchronization and cluster status.
Failover, Monitoring, and Link Monitoring
Failover is the takeover by the standby device when the primary or a monitored link fails; with link monitoring, the state of critical interfaces is also used as a failover trigger.
Not only device failure but also the loss of a monitored WAN/LAN link can trigger failover. Define monitored interfaces (link monitoring) so the cluster fails over to the healthy member when a critical uplink drops.
Verify failover time and behavior in a test environment. With override enabled, the preferred (higher-priority) unit takes the primary role back as soon as it rejoins the cluster; use this only when that unit genuinely must be primary, because every recovery then costs a second failover.
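The build steps above and the link-monitoring and override settings in this section, collected into one CLI block as an added example (this is not configuration from the original page; the group name, group ID, port names, management gateway and the placeholder password are assumptions for illustration):

```text
# Primary unit. Interface names, group name/ID and addresses are assumed.
config system ha
    set group-name "edge-cluster"
    set group-id 10
    set mode a-p
    set password "<long-random-shared-secret>"
    # Two dedicated heartbeat ports; the number after each is its heartbeat priority.
    set hbdev "ha1" 50 "ha2" 100
    # Heartbeat frames are clear text by default; authenticate and encrypt them.
    set authentication enable
    set encryption enable
    # Carry TCP sessions (and, optionally, UDP/ICMP) across a failover.
    set session-pickup enable
    set session-pickup-connectionless enable
    # Link monitoring: losing either uplink triggers failover to the healthy member.
    set monitor "port1" "port2"
    # Leave override disabled unless this unit must always be primary.
    set override disable
    set priority 200
    # Optional: reserved out-of-band management port, excluded from synchronization
    # (its IP address is set on the interface itself and is not synced).
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.0.2.1
        next
    end
end
# Secondary unit: the same block with "set priority 100".
# After the cluster forms, verify before trusting it:
#   get system ha status
#   diagnose sys ha checksum cluster      (every member must show matching checksums)
#   execute ha failover set 1             (forces a failover for testing; "unset 1" clears it)
```

Heartbeat authentication and encryption are not enabled by default; without them a host on the heartbeat segment can observe synchronization traffic, which is why the heartbeat links should be isolated even when these settings are on. Run the checksum comparison after every change made on the primary, and rehearse the forced failover in a maintenance window before relying on it.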
To assess failover tests and performance impact, see our performance optimization and best-practices guide.
Best Practices in HA
Best practices are to use identical hardware/firmware, build redundant heartbeat links, test failover scenarios, and continuously monitor cluster status.
Always keep cluster members on the same model and firmware version; a mismatch prevents the cluster from forming or causes synchronization errors. Use at least two heartbeat links to avoid a single point of failure.
To centrally monitor cluster health and failover events, see our logging and monitoring with FortiAnalyzer article, and for overall architecture our what is FortiGate guide.
Frequently Asked Questions
What is the difference between active-passive and active-active?
In active-passive, one device processes traffic and the other waits as standby, taking over on failure. In active-active, the scanning load is distributed across members for higher throughput, but management is more complex.
Must the two devices be identical for HA?
Yes. For a healthy FGCP cluster the devices must be the same model, same firmware version, and have compatible licenses. Differences cause synchronization and failover problems.
What is a heartbeat interface?
Heartbeat is a dedicated link over which cluster members monitor each other's liveness and carry configuration/session synchronization. At least two heartbeats are recommended to avoid a single point of failure, and they should run on isolated ports or VLANs because the traffic is not encrypted or authenticated unless those options are enabled.
Are sessions dropped during failover?
With session synchronization enabled, existing TCP sessions are preserved and users usually do not notice the interruption; UDP and ICMP sessions are only carried over if connectionless session pickup is also enabled, and sessions handled by proxy-based inspection are not synchronized and must be re-established. If synchronization is off, all sessions may need to be re-established.
What does link monitoring do?
If a monitored critical interface (e.g., a WAN uplink) drops, link monitoring triggers a failover to the healthy member, protecting against link failures, not just device failures.
Should I use override?
Override forces the preferred device to become primary again once repaired. It is useful when a specific device must remain primary, but it can cause unnecessary failovers and should be used carefully.
Conclusion
FortiGate HA keeps critical network-security services running even when a single device fails. With identical hardware, redundant heartbeats, session synchronization, and tested failover scenarios, the cluster delivers genuine resilience.
To design your high-availability architecture and run failover tests, talk to the Sora Yazılım network team.