Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiGate / FortiOS 7.2.9 Administration Guide
    7.2.9
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.0

    Single FortiGuard license for FortiGate A-P HA cluster

    Single FortiGuard license for FortiGate A-P HA cluster

    FortiGate A-P HA cluster supports sharing a single FortiGuard service license for both cluster units for the following models:

    • 40F and variants

    • 60F and variants

    • 70F and variants

    • 80F and variants

    • 100F and variants

    When a customer purchases two units with the HA SKU (such as 2 x FG-40F-HA), they can further purchase a single order of the following SKUs:

    • Enterprise Protection

    • Unified Threat Protection (UTP)

    • Advanced Threat Protection (ATP)

    The two FortiGate S/N will be associated together on FortiCare to create one virtual Serial Number (vSN). The above services will then be registered to the vSN.

    To configure the FortiGates in HA using FortiZTP:

    1. Unpack the two boxes, and connect the HA interfaces back to back using the highest physical port number that is not a fabric port (portA and portB) as indicated below:

      Model

      HA interface
      FortiGate 40F series port3
      FortiGate 60F series port5
      FortiGate 70F series port4/5
      FortiGate 80F series port5/6
      FortiGate 100F series ha1/ha2

    2. Connect the WAN interface to an upstream gateway that is providing DHCP service.

    3. Connect internal interfaces to an internal switch as required.

    4. Power on both FortiGates.

    5. Shortly after, the boxes will receive the vSN and their HA configuration from FortiGate Cloud.

    6. Register the vSN and service contracts in the FortiCloud Asset Management portal.

    To configure the FortiGates in HA manually using the CLI:

    1. Unpack the two boxes, and connect to each unit through the CLI or the default management interface.

    2. Configure the following basic HA settings on each unit:

      config system ha
    set mode a-p
    set group-id <id>
    set group-name <group-name>
    set password ********
    set hbdev <HA interface 1> <priority 1> [HA interface 2] [priority 2]
    set logical-sn enable
end

    3. Connect the HA interfaces back to back using your preferred interfaces.

    4. Power on both FortiGates.

    5. Shortly after, the boxes will receive the vSN.

    6. Register the vSN and service contracts in the FortiCloud Asset Management portal.

    After the registration of HA cluster is complete, you can view the HA status and vSN (or Logical Serial) from the GUI on the System > HA page. Alternatively, you can use these commands:

    # get system ha status
HA Health Status: OK
Model: FortiGate-80F
Mode: HA A-P
Group Name: Branch1-HA
Group ID: 100
Debug: 0
Cluster Uptime: 0 days 2h:33m:2s
Cluster state change time: 2024-11-19 13:57:31
Primary selected using:
    <2024/11/19 13:57:31> vcluster-1: FGT80FTK22023xxx is selected as the primary because its override priority is larger than peer member FGT80FTK20000xxx.
    <2024/11/19 11:26:06> vcluster-1: FGT80FTK22023xxx is selected as the primary because it's the only member in the cluster.
ses_pickup: enable, ses_pickup_delay=disable
override: enable
Configuration Status:
    FGT80FTK22023xxx(updated 1 seconds ago): in-sync
    FGT80FTK22023xxx chksum dump: 0e 4c b5 56 80 be bf 20 8e e5 ad d5 59 ea 5d b3
    FGT80FTK20000xxx(updated 0 seconds ago): out-of-sync
    FGT80FTK20000xxx chksum dump: d1 31 59 fc 0b 91 12 ca 92 69 62 d2 9f b7 a3 c3
System Usage stats:
    FGT80FTK22023xxx(updated 1 seconds ago):
        sessions=18, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=26%
    FGT80FTK20000xxx(updated 0 seconds ago):
        sessions=4, average-cpu-user/nice/system/idle=6%/0%/6%/87%, memory=24%
HBDEV stats:
    FGT80FTK22023xxx(updated 1 seconds ago):
        internal3: physical/1000auto, up, rx-bytes/packets/dropped/errors=1492065/22100/0/0, tx=20442845/47022/0/0
    FGT80FTK20000xxx(updated 0 seconds ago):
        internal3: physical/1000auto, up, rx-bytes/packets/dropped/errors=24954361/57802/0/0, tx=1804396/27277/0/0
number of member: 2
80FASAAA        , FGT80FTK22023xxx, HA cluster index = 0
FGT-D           , FGT80FTK20000xxx, HA cluster index = 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Primary: FGT80FTK22023xxx, HA operating index = 0
Secondary: FGT80FTK20000xxx, HA operating index = 1
Logical Serial Number: FGT80FHA24090xxx

# diagnose system ha dump-by debug-zone
            HA information.
is_manage_primary=1,manage_vd=root,ip=169.254.0.1,num=2,nvcluster=1,jiffies=938038.
logical serial number is FGT80FHA24090xxx,
local serial number is FGT80FTK22023xxx,
member's serial number is FGT80FTK20000xxx

    Furthermore, the service contract will be associated with the vSN and can be viewed on the System > FortiGuard page.

    Caution

    Do not change the HA mode from A-P to A-A when set logical-sn enable. This will result in the FortiGate losing its vSN. Disabling logical-sn will also result in losing the vSN. As a result, service entitlements will no longer be registered to the HA cluster.
    Previous
    Next

    Single FortiGuard license for FortiGate A-P HA cluster

    Single FortiGuard license for FortiGate A-P HA cluster

    FortiGate A-P HA cluster supports sharing a single FortiGuard service license for both cluster units for the following models:

    • 40F and variants

    • 60F and variants

    • 70F and variants

    • 80F and variants

    • 100F and variants

    When a customer purchases two units with the HA SKU (such as 2 x FG-40F-HA), they can further purchase a single order of the following SKUs:

    • Enterprise Protection

    • Unified Threat Protection (UTP)

    • Advanced Threat Protection (ATP)

    The two FortiGate S/N will be associated together on FortiCare to create one virtual Serial Number (vSN). The above services will then be registered to the vSN.

    To configure the FortiGates in HA using FortiZTP:

    1. Unpack the two boxes, and connect the HA interfaces back to back using the highest physical port number that is not a fabric port (portA and portB) as indicated below:

      Model

      HA interface
      FortiGate 40F series port3
      FortiGate 60F series port5
      FortiGate 70F series port4/5
      FortiGate 80F series port5/6
      FortiGate 100F series ha1/ha2

    2. Connect the WAN interface to an upstream gateway that is providing DHCP service.

    3. Connect internal interfaces to an internal switch as required.

    4. Power on both FortiGates.

    5. Shortly after, the boxes will receive the vSN and their HA configuration from FortiGate Cloud.

    6. Register the vSN and service contracts in the FortiCloud Asset Management portal.

    To configure the FortiGates in HA manually using the CLI:

    1. Unpack the two boxes, and connect to each unit through the CLI or the default management interface.

    2. Configure the following basic HA settings on each unit:

      config system ha
    set mode a-p
    set group-id <id>
    set group-name <group-name>
    set password ********
    set hbdev <HA interface 1> <priority 1> [HA interface 2] [priority 2]
    set logical-sn enable
end

    3. Connect the HA interfaces back to back using your preferred interfaces.

    4. Power on both FortiGates.

    5. Shortly after, the boxes will receive the vSN.

    6. Register the vSN and service contracts in the FortiCloud Asset Management portal.

    After the registration of HA cluster is complete, you can view the HA status and vSN (or Logical Serial) from the GUI on the System > HA page. Alternatively, you can use these commands:

    # get system ha status
HA Health Status: OK
Model: FortiGate-80F
Mode: HA A-P
Group Name: Branch1-HA
Group ID: 100
Debug: 0
Cluster Uptime: 0 days 2h:33m:2s
Cluster state change time: 2024-11-19 13:57:31
Primary selected using:
    <2024/11/19 13:57:31> vcluster-1: FGT80FTK22023xxx is selected as the primary because its override priority is larger than peer member FGT80FTK20000xxx.
    <2024/11/19 11:26:06> vcluster-1: FGT80FTK22023xxx is selected as the primary because it's the only member in the cluster.
ses_pickup: enable, ses_pickup_delay=disable
override: enable
Configuration Status:
    FGT80FTK22023xxx(updated 1 seconds ago): in-sync
    FGT80FTK22023xxx chksum dump: 0e 4c b5 56 80 be bf 20 8e e5 ad d5 59 ea 5d b3
    FGT80FTK20000xxx(updated 0 seconds ago): out-of-sync
    FGT80FTK20000xxx chksum dump: d1 31 59 fc 0b 91 12 ca 92 69 62 d2 9f b7 a3 c3
System Usage stats:
    FGT80FTK22023xxx(updated 1 seconds ago):
        sessions=18, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=26%
    FGT80FTK20000xxx(updated 0 seconds ago):
        sessions=4, average-cpu-user/nice/system/idle=6%/0%/6%/87%, memory=24%
HBDEV stats:
    FGT80FTK22023xxx(updated 1 seconds ago):
        internal3: physical/1000auto, up, rx-bytes/packets/dropped/errors=1492065/22100/0/0, tx=20442845/47022/0/0
    FGT80FTK20000xxx(updated 0 seconds ago):
        internal3: physical/1000auto, up, rx-bytes/packets/dropped/errors=24954361/57802/0/0, tx=1804396/27277/0/0
number of member: 2
80FASAAA        , FGT80FTK22023xxx, HA cluster index = 0
FGT-D           , FGT80FTK20000xxx, HA cluster index = 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Primary: FGT80FTK22023xxx, HA operating index = 0
Secondary: FGT80FTK20000xxx, HA operating index = 1
Logical Serial Number: FGT80FHA24090xxx

# diagnose system ha dump-by debug-zone
            HA information.
is_manage_primary=1,manage_vd=root,ip=169.254.0.1,num=2,nvcluster=1,jiffies=938038.
logical serial number is FGT80FHA24090xxx,
local serial number is FGT80FTK22023xxx,
member's serial number is FGT80FTK20000xxx

    Furthermore, the service contract will be associated with the vSN and can be viewed on the System > FortiGuard page.

    Caution

    Do not change the HA mode from A-P to A-A when set logical-sn enable. This will result in the FortiGate losing its vSN. Disabling logical-sn will also result in losing the vSN. As a result, service entitlements will no longer be registered to the HA cluster.
    Previous
    Next