Device failure
If the primary FortiGate-7000E encounters a problem that is severe enough to cause it to fail, the secondary FortiGate-7000E becomes new primary FortiGate-7000E. This occurs because the secondary FortiGate-7000E is constantly waiting to negotiate to become primary FortiGate-7000E. Only the heartbeat packets sent by the primary FortiGate-7000E keep the secondary FortiGate-7000E from becoming the primary FortiGate-7000E. Each received heartbeat packet resets a negotiation timer in the secondary FortiGate-7000E. If this timer is allowed to run out because the secondary FortiGate-7000E does not receive heartbeat packets from the primary FortiGate-7000E, the secondary FortiGate-7000E assumes that the primary FortiGate-7000E has failed and becomes the primary FortiGate-7000E.
The new primary FortiGate-7000E will have the same MAC and IP addresses as the former primary FortiGate-7000E. The new primary FortiGate-7000E then sends gratuitous ARP packets out all of its connected interfaces to inform attached switches to send traffic to the new primary FortiGate-7000E. Sessions then resume with the new primary FortiGate-7000E.