system ha
Use this command to enable and configure FortiGate high availability (HA) and virtual clustering.
In HA mode, most settings are automatically synchronized among cluster units. The following settings are not synchronized:
override
priority (including the secondary-vcluster priority)
ha-mgmt-interface-gateway
ha-mgmt-interface-gateway6
cpu-threshold, memory-threshold, http-proxy-threshold, ftp-proxy-threshold, imap-proxy-threshold, nntp-proxy-threshold, pop3-proxy-threshold, smtp-proxy-threshold
The ha-priority setting of the config system link-monitor command
The config system interface settings of the FortiGate interface that becomes an HA reserved management interface
The config system global hostname setting
Syntax
config system ha
set arps <arp_integer>
set arps-interval <interval_integer>
set authentication {enable | disable}
set cpu-threshold <weight_int> <low_int> <high_int>
set encryption {enable | disable}
set ftp-proxy-threshold <weight_int> <low_int> <high_int>
set gratuitous-arps {enable | disable}
set group-id <id_integer>
set group-name <name_str>
set ha-direct {enable | disable}
set ha-eth-type <type_int>
set ha-mgmt-status {enable | disable}
set ha-mgmt-interface <interface_name>
set ha-mgmt-interface-gateway <gateway_IP>
set ha-mgmt-interface-gateway6 <gateway_IP>
set ha-uptime-diff-margin <diff_int>
set hb-interval <interval_integer>
set hb-lost-threshold <threshold_integer>
set hbdev <interface_name> <priority_integer> [<interface_name> <priority_integer>]...
set hc-eth-type <type_int>
set helo-holddown <holddown_integer>
set http-proxy-threshold <weight_int> <low_int> <high_int>
set imap-proxy-threshold <weight_int> <low_int> <high_int>
set l2ep-eth-type <type_int>
set link-failed-signal {enable | disable}
set load-balance-all {enable | disable}
set load-balance-udp {enable | disable}
set memory-threshold <weight_int> <low_int> <high_int>
set minimum-worker-threshold <threshold_int>
set mode {a-a | a-p | standalone}
set monitor <interface_names>
set nntp-proxy-threshold <weight_int> <low_int> <high_int>
set override {enable | disable}
set override-wait-time <secs_int>
set password <password_str>
set pingserver-failover-threshold <threshold_integer>
set pingserver-flip-timeout <timeout_integer>
set pingserver-monitor-interface <interface_names>
set pop3-proxy-threshold <weight_int> <low_int> <high_int>
set priority <priority_integer>
set route-hold <hold_integer>
set route-ttl <ttl_integer>
set route-wait <wait_integer>
set schedule {hub | ip | ipport | leastconnection | none | random | round-robin | weight-round-robin}
set session-pickup {enable | disable}
set session-pickup-connectionless {enable | disable}
set session-pickup-delay {enable | disable}
set session-pickup-expectation {enable | disable}
set session-pickup-nat {enable | disable}
set session-sync-daemon-number <process_id_int>
set session-sync-dev <interface_name> [<interface_name>]...
set slave-switch-standby {enable | disable}
set smtp-proxy-threshold <weight_int> <low_int> <high_int>
set standalone-config-sync {enable | disable}
set sync-config {enable | disable}
set uninterruptible-upgrade {enable | disable}
set update-all-session-timer {enable | disable}
set weight <priority_integer> <weight_integer>
set vdom <vdom_names>
set vcluster2 {disable | enable}
end
config secondary-vcluster
set monitor <interface_names>
set override {enable | disable}
set priority <priority_integer>
set vdom <vdom_names>
set pingserver-failover-threshold <threshold_integer>
set pingserver-monitor-interface <interface_names>
end
config frup-settings
set active-interface <interface_name>
set backup-interface <interface_name>
set active-switch-port <port_number>
end
end
 
Variable
Description
Default
arps <arp_integer>
Set the number of times that the primary unit sends gratuitous ARP packets. Gratuitous ARP packets are sent when a cluster unit becomes a primary unit (this can occur when the cluster is starting up or after a failover).
The range is 1 to 60.
5
arps-interval <interval_integer>
Set the number of seconds to wait between sending gratuitous ARP packets. When a cluster unit becomes a primary unit (this occurs when the cluster is starting up or after a failover) the primary unit sends gratuitous ARP packets immediately to inform connected network equipment of the IP address and MAC address of the primary unit.
The range is 1 to 20 seconds.
8
authentication {enable | disable}
Enable/disable HA heartbeat message authentication using SHA1.
disable
cpu-threshold <weight_int> <low_int> <high_int>
Configure dynamic weighted load balancing for CPU usage. When enabled, fewer sessions are load balanced to a cluster unit whose CPU usage has reached the high watermark <high_int>.
This is available when mode is a-a and schedule is weight-round-robin. The default low and high watermarks of 0 disable the feature.
This setting is not synchronized by HA.
5 0 0
encryption {enable | disable}
Enable/disable HA heartbeat message encryption using AES-128 for encryption and SHA1 for authentication.
disable
ftp-proxy-threshold <weight_int> <low_int> <high_int>
Configure dynamic weighted load balancing for FTP proxy sessions processed by a cluster unit. When enabled, fewer sessions are load balanced to the cluster unit once the high watermark <high_int> is reached.
This is available when mode is a-a and schedule is weight-round-robin. The default low and high watermarks of 0 disable the feature.
This setting is not synchronized by HA.
5 0 0
gratuitous-arps {enable | disable}
Enable or disable gratuitous ARP packets from new master unit. These ARP packets are not needed if link-failed-signal is enabled.
enable
group-id <id_integer>
The HA group ID. The group ID range is from 0 to 255. All members of the HA cluster must have the same group ID. Changing the Group ID changes the cluster virtual MAC address.
0
group-name <name_str>
Enter the HA group name, maximum 32 characters. All cluster members must have the same group name. Can be empty if mode is standalone.
null
ha-direct {enable | disable}
Enable to send logs directly from the HA reserved management interface (ha-mgmt-interface) in HA mode.
disable
ha-eth-type <type_int>
Set the Ethertype used by HA heartbeat packets for NAT/Route mode clusters. <type_int> is a 4-digit number.
8890
ha-mgmt-status {enable | disable}
Enable or disable the HA reserved management interface feature.
disable
ha-mgmt-interface <interface_name>
Configure the FortiGate interface to be the reserved HA management interface. You can configure the IP address and other settings for this interface using the config system interface command. When you enable the reserved management interface feature the configuration of the reserved interface is not synchronized by HA.
No default.
ha-mgmt-interface-gateway <gateway_IP>
Configure the default route for the reserved HA management interface (IPv4).
This setting is not synchronized by HA.
0.0.0.0
ha-mgmt-interface-gateway6 <gateway_IP>
Configure the default route for the reserved HA management interface (IPv6).
This setting is not synchronized by HA.
::
ha-uptime-diff-margin <diff_int>
Change the cluster age difference margin (grace period). This margin is the age difference ignored by the cluster when selecting a primary unit based on age. Normally the default value of 300 seconds (5 minutes) should not be changed. However, for demo purposes you can use this option to lower the difference margin.
300
hb-interval <interval_integer>
The heartbeat interval is the time between sending heartbeat packets. The heartbeat interval range is 1 to 20 (100*milliseconds). So an hb-interval of 2 means a heartbeat packet is sent every 200 milliseconds.
2
hb-lost-threshold <threshold_integer>
The lost heartbeat threshold is the number of consecutive heartbeat packets that are not received from another cluster unit before assuming that the cluster unit has failed. The range is 1 to 60 packets.
6
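The hb-interval and hb-lost-threshold entries above together define how long a peer can stay silent before it is declared failed, and the list at the top of the page names the settings that HA deliberately leaves unsynchronized. The following Python script is an added example, not FortiOS code: it parses a config system ha block in the syntax shown on this page, checks values against the ranges the page documents, computes the heartbeat failure-detection window, and compares two members' blocks while ignoring the documented unsynchronized settings. The two member blocks and the "bad" block are constructed sample input; interface names, group name and password are placeholders.

```python
import shlex

# Settings the page lists as not synchronized between cluster members.
UNSYNCED = {
    "override", "priority", "ha-mgmt-interface-gateway",
    "ha-mgmt-interface-gateway6", "cpu-threshold", "memory-threshold",
    "http-proxy-threshold", "ftp-proxy-threshold", "imap-proxy-threshold",
    "nntp-proxy-threshold", "pop3-proxy-threshold", "smtp-proxy-threshold",
}

# Inclusive integer ranges documented on this page for single-value settings.
RANGES = {
    "arps": (1, 60), "arps-interval": (1, 20), "group-id": (0, 255),
    "hb-interval": (1, 20), "hb-lost-threshold": (1, 60),
    "helo-holddown": (5, 300), "priority": (0, 255),
    "override-wait-time": (0, 3600), "route-hold": (0, 3600),
    "route-ttl": (5, 3600), "route-wait": (0, 3600),
    "pingserver-failover-threshold": (0, 50),
}


def parse_ha_block(text):
    """Map each ``set`` line to its list of values. Settings inside a sub-shell
    such as ``config secondary-vcluster`` are keyed ``<shell>.<setting>`` so
    they do not shadow the top-level setting of the same name."""
    cfg, shell = {}, None
    for raw in text.splitlines():
        parts = shlex.split(raw)          # handles quoted values
        if not parts:
            continue
        if parts[0] == "config":
            shell = None if parts[1:3] == ["system", "ha"] else parts[1]
        elif parts[0] == "end":
            shell = None
        elif parts[0] == "set" and len(parts) >= 3:
            key = parts[1] if shell is None else f"{shell}.{parts[1]}"
            cfg[key] = parts[2:]
    return cfg


def validate(cfg):
    """Report values outside the documented ranges and threshold settings that
    are only meaningful when mode is a-a and schedule is weight-round-robin."""
    problems = []
    for name, (lo, hi) in RANGES.items():
        if name in cfg and not lo <= int(cfg[name][0]) <= hi:
            problems.append(f"{name}={cfg[name][0]} is outside {lo}..{hi}")
    if len(cfg.get("group-name", [""])[0]) > 32:
        problems.append("group-name is longer than 32 characters")
    if len(cfg.get("password", [""])[0]) > 15:
        problems.append("password is longer than 15 characters")
    mode = cfg.get("mode", ["standalone"])[0]
    if mode not in ("a-a", "a-p", "standalone"):
        problems.append(f"unknown mode {mode}")
    wrr = mode == "a-a" and cfg.get("schedule", ["round-robin"])[0] == "weight-round-robin"
    for name, vals in cfg.items():
        # Non-zero watermarks on a dynamic threshold need a-a + weight-round-robin.
        if name.endswith("-threshold") and name in UNSYNCED and not wrr and vals[1:] != ["0", "0"]:
            problems.append(f"{name} needs mode a-a and schedule weight-round-robin")
    return problems


def failure_detection_ms(cfg):
    """hb-interval is in units of 100 ms; a peer is declared failed after
    hb-lost-threshold consecutive heartbeats are missed (page defaults 2 and 6)."""
    interval_ms = 100 * int(cfg.get("hb-interval", ["2"])[0])
    return interval_ms * int(cfg.get("hb-lost-threshold", ["6"])[0])


def sync_mismatches(cfg_a, cfg_b):
    """Settings that differ between two members although HA should have
    synchronized them; the documented unsynchronized settings are ignored."""
    keys = set(cfg_a) | set(cfg_b)
    return sorted(k for k in keys
                  if k.split(".")[-1] not in UNSYNCED and cfg_a.get(k) != cfg_b.get(k))


# Constructed sample blocks for two members of a hypothetical a-p cluster.
MEMBER_A = """\
config system ha
    set group-id 7
    set group-name "lab-cluster"
    set mode a-p
    set password "example-pw"
    set hbdev port9 50 port10 50
    set hb-interval 2
    set hb-lost-threshold 6
    set priority 200
    set override enable
    config secondary-vcluster
        set priority 100
        set vdom vd1
    end
end
"""
# Member B legitimately differs in priority/override (not synchronized) but
# also in hb-interval, which HA should have synchronized.
MEMBER_B = (MEMBER_A.replace("set priority 200", "set priority 128")
            .replace("set priority 100", "set priority 50")
            .replace("set override enable", "set override disable")
            .replace("set hb-interval 2", "set hb-interval 5"))
# A block with an out-of-range priority and a threshold that a-p mode ignores.
MEMBER_BAD = MEMBER_A.replace("set priority 200", "set priority 300\n    set cpu-threshold 5 60 90")

if __name__ == "__main__":
    a, b = parse_ha_block(MEMBER_A), parse_ha_block(MEMBER_B)
    print("failure detection (ms):", failure_detection_ms(a), failure_detection_ms(b))
    print("unexpected mismatches:", sync_mismatches(a, b))
    print("problems in bad block:", validate(parse_ha_block(MEMBER_BAD)))
```

With the page defaults (hb-interval 2, hb-lost-threshold 6) the detection window is 1200 ms; member B's hb-interval of 5 raises it to 3000 ms and is reported as a mismatch because that setting should have been synchronized, whereas the differing priority and override values are expected and are skipped.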
hbdev <interface_name> <priority_integer> [<interface_name> <priority_integer>]...
Select the FortiGate interfaces to be heartbeat interfaces and set the heartbeat priority for each interface. The heartbeat interface with the highest priority processes all heartbeat traffic. If two or more heartbeat interfaces have the same priority, the heartbeat interface with the lowest hash map order value processes all heartbeat traffic.
By default two interfaces are configured to be heartbeat interfaces and the priority for both these interfaces is set to 50. The heartbeat interface priority range is 0 to 512.
You can select up to 8 heartbeat interfaces. This limit only applies to FortiGate units with more than 8 physical interfaces.
Depends on the FortiGate model.
hc-eth-type <type_int>
Set the Ethertype used by HA heartbeat packets for Transparent mode clusters. <type_int> is a 4-digit number.
8891
helo-holddown <holddown_integer>
The hello state hold-down time, which is the number of seconds that a cluster unit waits before changing from hello state to work state.
The range is 5 to 300 seconds.
20
http-proxy-threshold <weight_int> <low_int> <high_int>
Configure dynamic weighted load balancing for HTTP proxy sessions processed by a cluster unit. When enabled, fewer sessions are load balanced to the cluster unit once the high watermark <high_int> is reached.
This is available when mode is a-a and schedule is weight-round-robin. The default low and high watermarks of 0 disable the feature.
This setting is not synchronized by HA.
5 0 0
imap-proxy-threshold <weight_int> <low_int> <high_int>
Configure dynamic weighted load balancing for IMAP proxy sessions processed by a cluster unit. When enabled, fewer sessions are load balanced to the cluster unit once the high watermark <high_int> is reached.
This is available when mode is a-a and schedule is weight-round-robin. The default low and high watermarks of 0 disable the feature.
This setting is not synchronized by HA.
5 0 0
l2ep-eth-type <type_int>
Set the Ethertype used by HA telnet sessions between cluster units over the HA link. <type_int> is a 4-digit number.
8893
link-failed-signal {enable | disable}
Enable or disable shutting down all interfaces (except for heartbeat device interfaces) of a cluster unit with a failed monitored interface for one second after a failover occurs. Enable this option if the switch the cluster is connected to does not update its MAC forwarding tables after a failover caused by a link failure.
disable
load-balance-all {enable | disable}
Select the traffic that is load balanced by active-active HA. Enable to load balance TCP sessions and sessions for firewall policies that include UTM options. Disable to load balance only sessions for firewall policies that include UTM options.
Available if mode is a-a.
disable
load-balance-udp {enable | disable}
Load balance UTM traffic between FS-5203B and FG-5001B.
disable
memory-threshold <weight_int> <low_int> <high_int>
Configure dynamic weighted load balancing for memory usage. When enabled, fewer sessions are load balanced to a cluster unit whose memory usage has reached the high watermark <high_int>.
This is available when mode is a-a and schedule is weight-round-robin. The default low and high watermarks of 0 disable the feature.
This setting is not synchronized by HA.
5 0 0
minimum-worker-threshold <threshold_int>
Used only in content-cluster inter-chassis mode. In inter-chassis mode, HA takes the number of worker (non-5203B) blades in a chassis into account when electing an HA master. Blades in a chassis that has fewer than minimum-worker-threshold worker blades available are ranked lower than blades in a chassis that meets or exceeds minimum-worker-threshold.
The default value of 1 effectively disables the threshold. The maximum value is 11.
1
mode {a-a | a-p | standalone}
Set the HA mode.
Enter a-p to create an Active-Passive cluster.
Enter a-a to create an Active-Active cluster.
Enter standalone to disable HA.
All members of an HA cluster must be set to the same HA mode.
standalone
monitor <interface_names>
Enable or disable port monitoring for link failure. Port monitoring (also called interface monitoring) monitors FortiGate interfaces to verify that the monitored interfaces are functioning properly and connected to their networks.
Enter the names of the interfaces to monitor. Use a space to separate each interface name. If you want to remove an interface from the list or add an interface to the list you must retype the list with the names changed as required.
You can monitor physical interfaces, redundant interfaces, and 802.3ad aggregated interfaces but not VLAN subinterfaces, IPSec VPN interfaces, or switch interfaces.
You can monitor up to 64 interfaces. This limit only applies to FortiGate units with more than 16 physical interfaces. In a multiple VDOM configuration you can monitor up to 64 interfaces per virtual cluster.
No default.
nntp-proxy-threshold <weight_int> <low_int> <high_int>
Configure dynamic weighted load balancing for NNTP proxy sessions processed by a cluster unit. When enabled, fewer sessions are load balanced to the cluster unit once the high watermark <high_int> is reached.
This is available when mode is a-a and schedule is weight-round-robin. The default low and high watermarks of 0 disable the feature.
This setting is not synchronized by HA.
5 0 0
override {enable | disable}
Enable or disable forcing the cluster to renegotiate and select a new primary unit every time a cluster unit leaves or joins a cluster, changes status within a cluster, or every time the HA configuration of a cluster unit changes.
Automatically changes to enable when you enable virtual cluster 2.
This setting is not synchronized by HA.
disable
override-wait-time <secs_int>
Delay override when changing HA mode from standalone to A-A/A-P mode, or when HA is already set to A-A/A-P mode and the FortiGate unit reboots.
The range is 0 to 3600 seconds.
0
password <password_str>
Enter a password for the HA cluster. The password must be the same for all FortiGate units in the cluster. The maximum password length is 15 characters.
No default.
pingserver-failover-threshold <threshold_integer>
Set the HA remote IP monitoring failover threshold.
The failover threshold range is 0 to 50. Setting the failover threshold to 0 means that if any ping server added to the HA remote IP monitoring configuration fails an HA failover will occur.
Set the priority for each remote IP monitoring ping server using the ha-priority field of the config system link-monitor command.
0
pingserver-flip-timeout <timeout_integer>
Set the HA remote IP monitoring flip timeout in minutes. If HA remote IP monitoring fails on all cluster units because none of the cluster units can connect to the monitored IP addresses, the flip timeout stops a failover from occurring until the timer runs out. The range is 6 to 2147483647 minutes.
60
pingserver-monitor-interface <interface_names>
Enable HA remote IP monitoring by specifying the FortiGate unit interfaces that will be used to monitor remote IP addresses. You can configure remote IP monitoring for all types of interfaces including physical interfaces, VLAN interfaces, redundant interfaces and aggregate interfaces.
Use a space to separate each interface name. If you want to remove an interface from the list or add an interface to the list you must retype the list with the names changed as required.
 
pop3-proxy-threshold <weight_int> <low_int> <high_int>
Configure dynamic weighted load balancing for POP3 proxy sessions processed by a cluster unit. When enabled, fewer sessions are load balanced to the cluster unit once the high watermark <high_int> is reached.
This is available when mode is a-a and schedule is weight-round-robin. The default low and high watermarks of 0 disable the feature.
This setting is not synchronized by HA.
5 0 0
priority <priority_integer>
Change the device priority of the cluster unit. Each cluster unit can have a different device priority. During HA negotiation, the cluster unit with the highest device priority becomes the primary unit. The device priority range is 0 to 255.
This setting is not synchronized by HA.
128
route-hold <hold_integer>
The minimum time between primary unit updates to the routing tables of subordinate units in a cluster. The route hold range is 0 to 3600 seconds.
10
route-ttl <ttl_integer>
The time to live for routes in a cluster unit routing table.
The time to live range is 5 to 3600 seconds.
The time to live controls how long routes remain active in a cluster unit routing table after the cluster unit becomes a primary unit.
10
route-wait <wait_integer>
The time the primary unit waits after receiving a routing table update before attempting to update the subordinate units in the cluster.
The route-wait range is 0 to 3600 seconds.
0
schedule {hub | ip | ipport | leastconnection | none | random | round-robin | weight-round-robin}
Active-active load balancing schedule.
hub: load balancing if the cluster interfaces are connected to hubs. Traffic is distributed to cluster units based on the source IP and destination IP of the packet.
ip: load balancing according to IP address.
ipport: load balancing according to IP address and port.
leastconnection: least connection load balancing.
none: no load balancing. Use none when the cluster interfaces are connected to load balancing switches.
random: random load balancing.
round-robin: round robin load balancing. If the cluster units are connected using switches, use round-robin to distribute traffic to the next available cluster unit.
weight-round-robin: weighted round robin load balancing. Similar to round-robin, but you can assign a weight to each unit in the cluster.
round-robin
session-pickup {enable | disable}
Enable or disable session pickup. Enable session-pickup so that if the primary unit fails, all sessions are picked up by the new primary unit.
If you enable session pickup the subordinate units maintain session tables that match the primary unit session table. If the primary unit fails, the new primary unit can maintain all active communication sessions.
If you do not enable session pickup the subordinate units do not maintain session tables. If the primary unit fails all sessions are interrupted and must be restarted when the new primary unit is operating.
disable
session-pickup-connectionless {enable | disable}
Enable or disable session synchronization for connectionless (UDP and ICMP) sessions when mode is set to a-a or a-p. When mode is standalone, session pickup applies to FGSP cluster TCP session synchronization only. This is available if session-pickup is enabled.
disable
session-pickup-delay {enable | disable}
Enable to synchronize sessions only if they remain active for more than 30 seconds. This option improves performance when session-pickup is enabled by reducing the number of sessions that are synchronized.
disable
session-pickup-expectation {enable | disable}
Enable or disable session synchronization for expectation sessions in an FGSP cluster. This is available if session-pickup is enabled and mode is standalone.
disable
session-pickup-nat {enable | disable}
Enable or disable session synchronization for NAT sessions in an FGSP cluster. This is available if session-pickup is enabled and mode is standalone.
disable
session-sync-daemon-number <process_id_int>
Set the number of processes used by the HA session sync daemon. Increase the number of processes to handle session packets sent from the kernel efficiently when the session rate is high. Intended for ELBC clusters, this feature only works for clusters with two members. Range 1 to 15.
1
session-sync-dev <interface_name> [<interface_name>]...
Select FortiGate interfaces to be used for session synchronization between cluster units instead of the heartbeat interface. You can select up to 8 session synchronization interfaces. Session synchronization packets are load balanced among these interfaces.
Set this parameter to enable kernel session sync, which can reduce the CPU usage of the session sync process.
No default.
slave-switch-standby {enable | disable}
Enable to force the slave FS-5203B into standby mode even though its weight is non-zero.
disable
smtp-proxy-threshold <weight_int> <low_int> <high_int>
Configure dynamic weighted load balancing for SMTP proxy sessions processed by a cluster unit. When enabled, fewer sessions are load balanced to the cluster unit once the high watermark <high_int> is reached.
This is available when mode is a-a and schedule is weight-round-robin. The default low and high watermarks of 0 disable the feature.
This setting is not synchronized by HA.
5 0 0
standalone-config-sync {enable | disable}
Synchronize the configuration of the FortiGate units in an FGSP cluster. This is available if session-pickup is enabled and mode is standalone.
disable
sync-config {enable | disable}
Enable or disable automatic synchronization of primary unit configuration changes to all cluster units.
enable
uninterruptible-upgrade {enable | disable}
Enable or disable upgrading the cluster without interrupting cluster traffic processing.
If uninterruptible-upgrade is enabled, traffic processing is not interrupted during a normal firmware upgrade. This process can take some time and may reduce the capacity of the cluster for a short time.
If uninterruptible-upgrade is disabled, traffic processing is interrupted during a normal firmware upgrade (similar to upgrading the firmware operating on a standalone FortiGate unit).
enable
update-all-session-timer {enable | disable}
Enable or disable updating all session timers after a failover.
disable
weight <priority_integer> <weight_integer>
The weighted round robin load balancing weight to assign to each cluster unit in an active-active cluster. When you set schedule to weight-round-robin you can use the weight field to set the weight of each cluster unit. The weight is set according to the priority of the unit in the cluster. A FortiGate HA cluster can contain up to 4 FortiGate units so you can set up to 4 weights.
The default weight means that the 4 possible units in the cluster all have the same weight of 40. The cluster units are numbered 0 to 3.
<priority_integer> is a number from 0 to 3 that identifies the priority of the cluster unit.
<weight_integer> is a number between 0 and 255 that is the weight assigned to the cluster unit with that priority. Increase the weight to increase the number of connections processed by the cluster unit with that priority.
You enter the weight for each unit separately. For example, if you have a cluster of 4 FortiGate units you can set the weights for each unit as follows:
set weight 0 5
set weight 1 10
set weight 2 15
set weight 3 20
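The weight table above and the schedule entry describe weighted round robin only in words. The following Python simulation is an added example, not FortiOS code: it distributes sessions across four cluster units using smooth weighted round robin with the weights from the page's own example (5, 10, 15, 20) and the default of 40 per unit, and it layers the dynamic cpu-threshold watermarks on top. The page does not state how much a unit's share is reduced once its usage reaches the high watermark, so the reduction used here (effective weight lowered by <weight_int> until usage falls back to the low watermark) is an assumption of this example, not documented FortiOS behaviour.

```python
class WeightedRoundRobin:
    """Smooth weighted round robin over cluster units 0..n-1.

    ``weights[i]`` is the static weight from ``set weight <i> <weight>``.
    ``cpu_threshold`` is ``(weight_int, low_int, high_int)``; watermarks of
    0 0 disable it, as on the page. How a loaded unit's share shrinks is an
    ASSUMPTION of this example: its effective weight drops by weight_int when
    usage reaches high_int and is restored once usage falls to low_int."""

    def __init__(self, weights, cpu_threshold=(5, 0, 0)):
        self.weights = list(weights)
        self.penalty, self.low, self.high = cpu_threshold
        self.overloaded = [False] * len(weights)
        self.current = [0] * len(weights)   # running credit per unit

    def report_cpu(self, unit, usage_percent):
        """Feed a CPU reading; hysteresis between low and high avoids flapping."""
        if self.low == 0 and self.high == 0:
            return                          # feature disabled
        if usage_percent >= self.high:
            self.overloaded[unit] = True
        elif usage_percent <= self.low:
            self.overloaded[unit] = False

    def effective_weights(self):
        return [max(w - self.penalty, 0) if over else w
                for w, over in zip(self.weights, self.overloaded)]

    def next_unit(self):
        """Return the unit for the next session. Over one cycle of
        sum(weights) picks every unit is chosen exactly its weight times,
        with the picks interleaved rather than bunched."""
        eff = self.effective_weights()
        total = sum(eff)
        if total == 0:
            raise RuntimeError("no cluster unit has a non-zero weight")
        for i, w in enumerate(eff):
            self.current[i] += w
        chosen = max(range(len(eff)), key=lambda i: self.current[i])
        self.current[chosen] -= total
        return chosen


def distribute(sched, sessions):
    """Count how many of ``sessions`` new sessions land on each unit."""
    counts = [0] * len(sched.weights)
    for _ in range(sessions):
        counts[sched.next_unit()] += 1
    return counts


if __name__ == "__main__":
    # Weights from the page's example: set weight 0 5 ... set weight 3 20.
    print("static 5/10/15/20:", distribute(WeightedRoundRobin([5, 10, 15, 20]), 50))
    # Default weights with a constructed cpu-threshold of 5 60 90; unit 2 is hot.
    sched = WeightedRoundRobin([40, 40, 40, 40], cpu_threshold=(5, 60, 90))
    sched.report_cpu(2, 95)
    print("unit 2 at 95% CPU:", distribute(sched, 155))
```

Run as a script, the first line shows that 50 sessions split exactly 5/10/15/20, and the second that a unit past the high watermark receives fewer sessions until its usage drops below the low watermark; a reading of 70% (between the watermarks) leaves it in the reduced state.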
 
vdom <vdom_names>
Add virtual domains to virtual cluster 1 or virtual cluster 2. Virtual cluster 2 is also called the secondary virtual cluster.
In the config system ha shell, use set vdom to add virtual domains to virtual cluster 1. Adding a virtual domain to virtual cluster 1 removes that virtual domain from virtual cluster 2.
In the config secondary-vcluster shell, use set vdom to add virtual domains to virtual cluster 2. Adding a virtual domain to virtual cluster 2 removes it from virtual cluster 1.
You can use vdom to add virtual domains to a virtual cluster in any combination. You can add virtual domains one at a time or you can add multiple virtual domains at a time. For example, entering set vdom domain_1 followed by set vdom domain_2 has the same result as entering set vdom domain_1 domain_2.
All virtual domains are added to virtual cluster 1.
vcluster2 {disable | enable}
Enable or disable virtual cluster 2.
When multiple VDOMs are enabled, virtual cluster 2 is enabled by default. When virtual cluster 2 is enabled you can use config secondary-vcluster to configure virtual cluster 2.
Disable virtual cluster 2 to move all virtual domains from virtual cluster 2 back to virtual cluster 1.
Enabling virtual cluster 2 enables override for virtual cluster 1 and virtual cluster 2.
disable (enable when multiple VDOMs are enabled)
config secondary-vcluster
Configure virtual cluster 2. You must enable vcluster2. Then you can use config secondary-vcluster to set monitor, override, priority, and vdom for virtual cluster 2.
The priority setting is not synchronized by HA.
Same defaults as virtual cluster 1 except that the default value for override is enable.
config frup-settings fields
These fields configure the Fortinet Redundant UTM Protocol (FRUP).
active-interface <interface_name>
Select the active interface.
No default.
backup-interface <interface_name>
Select the backup interface.
No default.
active-switch-port <port_number>
Enter the active switch port.
No default.