Active-active (A-A) HA load balances resource-intensive content inspection processing among all cluster units. Content inspection processing applies protocol recognition, virus scanning, IPS, web filtering, email filtering, data leak prevention (DLP), application control, and VoIP content scanning and protection to HTTP, HTTPS, FTP, IMAP, IMAPS, POP3, POP3S, SMTP, SMTPS, IM, NNTP, SIP, SIMPLE, and SCCP sessions accepted by security policies. By load balancing this resource-intensive processing among all cluster units, an active-active HA cluster may provide better content inspection performance than a standalone FortiGate unit. Other features enabled in security policies such as Endpoint security, traffic shaping, user authentication, and device identification have no effect active-active load balancing.

Normally, sessions that don’t include content inspection are not load balanced and are processed by the primary unit. You can configure active-active HA to load balance additional sessions. For more information see “Load balancing UTM sessions, TCP sessions, and UDP sessions”.

An active‑active HA cluster consists of a primary unit that receives all communication sessions and load balances them among the primary unit and all of the subordinate units. In an active-active cluster the subordinate units are also considered active since they also process content processing sessions. In all other ways active-active HA operates the same as active-passive HA.

The following example shows how to configure a FortiGate unit for active-active HA operation. You would enter the exact same commands on every FortiGate unit in the cluster.