FortiGate-7000 Handbook

Primary FortiGate-7000 chassis selection and failover criteria

Once two FortiGate-7000s recognize that they can form a cluster, they negotiate to select a primary FortiGate-7000. Primary FortiGate-7000 selection occurs automatically based on the criteria shown below. After the cluster selects the primary FortiGate-7000, the other FortiGate-7000 becomes the backup.

Negotiation and primary FortiGate-7000 selection also take place if one of the criteria for selecting the primary chassis changes. For example, an interface can become disconnected or a module can fail. After this happens, the cluster can renegotiate to select a new primary FortiGate-7000, also using the criteria shown below.

If there are no failures and if you haven't configured any settings to influence primary FortiGate-7000 selection, the FortiGate-7000 with the highest serial number becomes the primary FortiGate-7000.

Using the serial number is a convenient way to differentiate FortiGate-7000s, so basing primary FortiGate-7000 selection on the serial number is predictable and easy to understand and interpret. Also, the FortiGate-7000 with the highest serial number would usually be the newest with the most recent hardware version. In many cases you may not need active control over primary FortiGate-7000 selection, so basic primary FortiGate-7000 selection based on serial number is sufficient.

In some situations you may want to control which FortiGate-7000 becomes the primary FortiGate-7000. You can control primary FortiGate-7000 selection by setting the priority of one FortiGate-7000 to be higher than the priority of the other. If you change the priority of one of the FortiGate-7000s, during negotiation the FortiGate-7000 with the highest priority becomes the primary FortiGate-7000. As shown above, FGCP selects the primary FortiGate-7000 based on priority before serial number. For more information about how to use priorities, see Primary FortiGate-7000 chassis selection and failover criteria.

FortiGate-7000 uptime is also a factor. Normally, when two FortiGate-7000s start up, their uptimes are similar and do not affect primary FortiGate-7000 selection. However, during operation, if one of the FortiGate-7000s goes down, the other will have a much higher uptime and will be selected as the primary FortiGate-7000 before priority and serial number are tested.

Verifying primary FortiGate-7000 selection

You can use the diagnose sys ha status command to verify which FortiGate-7000 has become the primary FortiGate-7000 as shown by the following command output example. This output also shows that the FortiGate-7000 with the highest serial number was selected to be the primary chassis.

diagnose sys ha status
==========================================================================
Current slot: 1  Module SN: FIM04E3E16000085
Chassis HA mode: a-p

Chassis HA information:
[Debug_Zone HA information]
HA group member information: is_manage_master=1.
FG74E83E16000015:  Slave, serialno_prio=1, usr_priority=128, hostname=CH15
FG74E83E16000016: Master, serialno_prio=0, usr_priority=127, hostname=CH16
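
To monitor for an unplanned change of primary, the output above can be checked automatically. The following is an added example, not part of the handbook or of any Fortinet tooling: it parses the member lines in the format shown above and reports when the chassis you expect is not the Master or when the cluster does not show exactly one Master. The function names and the choice of expected serial number are assumptions, and collecting the command output from the chassis is left to the operator.

```python
import re

# Constructed sample: the command output shown on this page.
SAMPLE_OUTPUT = """\
Current slot: 1  Module SN: FIM04E3E16000085
Chassis HA mode: a-p

Chassis HA information:
[Debug_Zone HA information]
HA group member information: is_manage_master=1.
FG74E83E16000015:  Slave, serialno_prio=1, usr_priority=128, hostname=CH15
FG74E83E16000016: Master, serialno_prio=0, usr_priority=127, hostname=CH16
"""

# One member line: "<serial>: <role>, key=value, key=value, ..."
MEMBER_RE = re.compile(r"^(?P<serial>[A-Z0-9]+):\s+(?P<role>Master|Slave),\s*(?P<attrs>.*)$")


def parse_ha_members(output):
    """Return one dict per chassis listed in the HA group member section."""
    members = []
    for line in output.splitlines():
        m = MEMBER_RE.match(line.strip())
        if not m:
            continue  # header lines and the module serial line are skipped
        attrs = dict(kv.strip().split("=", 1) for kv in m.group("attrs").split(",") if "=" in kv)
        members.append({"serial": m.group("serial"), "role": m.group("role"), **attrs})
    return members


def check_primary(output, expected_serial):
    """Return a list of findings; an empty list means the expected chassis is primary."""
    members = parse_ha_members(output)
    masters = [m["serial"] for m in members if m["role"] == "Master"]
    findings = []
    if len(members) != 2:
        findings.append(f"expected 2 cluster members, found {len(members)}")
    if len(masters) != 1:
        findings.append(f"expected exactly 1 Master, found {len(masters)}: {masters}")
    elif masters[0] != expected_serial:
        findings.append(f"primary is {masters[0]}, expected {expected_serial}")
    return findings


if __name__ == "__main__":
    for member in parse_ha_members(SAMPLE_OUTPUT):
        print(member)
    print(check_primary(SAMPLE_OUTPUT, "FG74E83E16000016") or "primary as expected")
```

A non-empty result from check_primary is worth alerting on, since it means a failover, a missing cluster member, or two chassis both claiming the Master role.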
