If one or more modules (FIMs and FPMs) in the primary FortiGate-7000 fails, the cluster renegotiates and the FortiGate-7000 with the most operating modules becomes the primary FortiGate-7000. A module failure can occur if a module shuts down due to a software crash or hardware problem, or if the module is manually shut down or even removed from the chassis.
After the primary FortiGate-7000 experiences a module failure, the FortiGate-7000 with the most operating modules becomes the new primary FortiGate-7000. The new primary FortiGate-7000 sends gratuitous arp packets out all of its connected interfaces to inform attached switches to send traffic to it. Sessions then resume with the new primary FortiGate-7000.
If the secondary FortiGate-7000 experiences a module failure, its status in the cluster does not change. However, in future negotiations the FortiGate-7000 with an FPC failure is less likely to become the primary FortiGate-7000.