Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    7.6.2
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.16
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.17
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    config system ha

    config system ha

    Configure HA.

    config system ha
    Description: Configure HA.
    set arps {integer}
    set arps-interval {integer}
    set authentication [enable|disable]
    set auto-virtual-mac-interface <interface-name1>, <interface-name2>, ...
    set backup-hbdev <name1>, <name2>, ...
    set check-secondary-dev-health [enable|disable]
    set cpu-threshold {user}
    set encryption [enable|disable]
    set evpn-ttl {integer}
    set failover-hold-time {integer}
    set ftp-proxy-threshold {user}
    set gratuitous-arps [enable|disable]
    set group-id {integer}
    set group-name {string}
    set ha-direct [enable|disable]
    set ha-eth-type {string}
    config ha-mgmt-interfaces
        Description: Reserve interfaces to manage individual cluster units.
        edit <id>
            set dst {ipv4-classnet}
            set gateway {ipv4-address}
            set gateway6 {ipv6-address}
            set interface {string}
        next
    end
    set ha-mgmt-status [enable|disable]
    set ha-uptime-diff-margin {integer}
    set hb-interval {integer}
    set hb-interval-in-milliseconds [100ms|10ms]
    set hb-lost-threshold {integer}
    set hbdev {user}
    set hc-eth-type {string}
    set hello-holddown {integer}
    set http-proxy-threshold {user}
    set imap-proxy-threshold {user}
    set ipsec-phase2-proposal {option1}, {option2}, ...
    set key {password}
    set l2ep-eth-type {string}
    set link-failed-signal [enable|disable]
    set load-balance-all [enable|disable]
    set logical-sn [enable|disable]
    set memory-based-failover [enable|disable]
    set memory-compatible-mode [enable|disable]
    set memory-failover-flip-timeout {integer}
    set memory-failover-monitor-period {integer}
    set memory-failover-sample-rate {integer}
    set memory-failover-threshold {integer}
    set memory-threshold {user}
    set mode [standalone|a-a|...]
    set monitor {user}
    set multicast-ttl {integer}
    set nntp-proxy-threshold {user}
    set override [enable|disable]
    set override-wait-time {integer}
    set password {password}
    set pingserver-failover-threshold {integer}
    set pingserver-flip-timeout {integer}
    set pingserver-monitor-interface {user}
    set pingserver-secondary-force-reset [enable|disable]
    set pop3-proxy-threshold {user}
    set priority {integer}
    set route-hold {integer}
    set route-ttl {integer}
    set route-wait {integer}
    set schedule [none|leastconnection|...]
    set session-pickup [enable|disable]
    set session-pickup-connectionless [enable|disable]
    set session-pickup-delay [enable|disable]
    set session-pickup-expectation [enable|disable]
    set session-pickup-nat [enable|disable]
    set session-sync-dev {user}
    set smtp-proxy-threshold {user}
    set ssd-failover [enable|disable]
    set standalone-config-sync [enable|disable]
    set standalone-mgmt-vdom [enable|disable]
    set sync-config [enable|disable]
    set sync-packet-balance [enable|disable]
    set unicast-gateway {ipv4-address}
    set unicast-hb [enable|disable]
    set unicast-hb-netmask {ipv4-netmask}
    set unicast-hb-peerip {ipv4-address}
    config unicast-peers
        Description: Number of unicast peers.
        edit <id>
            set peer-ip {ipv4-address}
        next
    end
    set unicast-status [enable|disable]
    set uninterruptible-primary-wait {integer}
    set upgrade-mode [simultaneous|uninterruptible|...]
    config vcluster
        Description: Virtual cluster table.
        edit <vcluster-id>
            set monitor {user}
            set override [enable|disable]
            set override-wait-time {integer}
            set pingserver-failover-threshold {integer}
            set pingserver-flip-timeout {integer}
            set pingserver-monitor-interface {user}
            set pingserver-secondary-force-reset [enable|disable]
            set priority {integer}
            set vdom <name1>, <name2>, ...
        next
    end
    set vcluster-status [enable|disable]
    set weight {user}
end

    config system ha

    Parameter

    Description

    Type

    Size

    Default

    arps

    Number of gratuitous ARPs (1 - 60). Lower to reduce traffic. Higher to reduce failover time.

    integer

    Minimum value: 1 Maximum value: 60

    5

    arps-interval

    Time between gratuitous ARPs (1 - 20 sec). Lower to reduce failover time. Higher to reduce traffic.

    integer

    Minimum value: 1 Maximum value: 20

    8

    authentication

    Enable/disable heartbeat message authentication.

    option

    -

    disable

    Option

    Description

    enable

    Enable heartbeat message authentication.

    disable

    Disable heartbeat message authentication.

    auto-virtual-mac-interface <interface-name>

    The physical interface that will be assigned an auto-generated virtual MAC address.

    Interface name.

    string

    Maximum length: 15

    backup-hbdev <name>

    Backup heartbeat interfaces. Must be the same for all members.

    Interface name.

    string

    Maximum length: 79

    check-secondary-dev-health

    Enable/disable secondary dev health check for session load-balance in HA A-A mode.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    cpu-threshold

    Dynamic weighted load balancing CPU usage weight and high and low thresholds.

    user

    Not Specified

    encryption

    Enable/disable heartbeat message encryption.

    option

    -

    disable

    Option

    Description

    enable

    Enable heartbeat message encryption.

    disable

    Disable heartbeat message encryption.

    evpn-ttl

    HA EVPN FDB TTL on primary box (5 - 3600 sec).

    integer

    Minimum value: 5 Maximum value: 3600

    60

    failover-hold-time

    Time to wait before failover (0 - 300 sec, default = 0), to avoid flip.

    integer

    Minimum value: 0 Maximum value: 300

    0

    ftp-proxy-threshold

    Dynamic weighted load balancing weight and high and low number of FTP proxy sessions.

    user

    Not Specified

    gratuitous-arps

    Enable/disable gratuitous ARPs. Disable if link-failed-signal enabled.

    option

    -

    enable

    Option

    Description

    enable

    Enable gratuitous ARPs.

    disable

    Disable gratuitous ARPs.

    group-id

    HA group ID (0 - 1023; or 0 - 7 when there are more than 2 vclusters). Must be the same for all members.

    integer

    Minimum value: 0 Maximum value: 1023

    0

    group-name

    Cluster group name. Must be the same for all members.

    string

    Maximum length: 32

    ha-direct

    Enable/disable using ha-mgmt interface for syslog, remote authentication (RADIUS), FortiAnalyzer, FortiSandbox, sFlow, and Netflow.

    option

    -

    disable

    Option

    Description

    enable

    Enable using ha-mgmt interface for syslog, remote authentication (RADIUS), FortiAnalyzer, FortiSandbox, sFlow, and Netflow.

    disable

    Disable using ha-mgmt interface for syslog, remote authentication (RADIUS), FortiAnalyzer, FortiSandbox, sFlow, and Netflow.

    ha-eth-type

    HA heartbeat packet Ethertype (4-digit hex).

    string

    Maximum length: 4

    8890

    ha-mgmt-status

    Enable to reserve interfaces to manage individual cluster units.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    ha-uptime-diff-margin

    Normally you would only reduce this value for failover testing.

    integer

    Minimum value: 1 Maximum value: 65535

    300

    hb-interval

    Time between sending heartbeat packets (1 - 20). Increase to reduce false positives.

    integer

    Minimum value: 1 Maximum value: 20

    2

    hb-interval-in-milliseconds

    Units of heartbeat interval time between sending heartbeat packets. Default is 100ms.

    option

    -

    100ms

    Option

    Description

    100ms

    Each heartbeat interval is 100ms.

    10ms

    Each heartbeat interval is 10ms.

    hb-lost-threshold

    Number of lost heartbeats to signal a failure (1 - 60). Increase to reduce false positives.

    integer

    Minimum value: 1 Maximum value: 60

    6 **

    hbdev

    Heartbeat interfaces. Must be the same for all members. Enter <interface> <priority> pairs to specify the priority of each heartbeat interface. Higher priority takes precedence.

    user

    Not Specified

    hc-eth-type

    Transparent mode HA heartbeat packet Ethertype (4-digit hex).

    string

    Maximum length: 4

    8891

    hello-holddown

    Time to wait before changing from hello to work state (5 - 300 sec).

    integer

    Minimum value: 5 Maximum value: 300

    20

    http-proxy-threshold

    Dynamic weighted load balancing weight and high and low number of HTTP proxy sessions.

    user

    Not Specified

    imap-proxy-threshold

    Dynamic weighted load balancing weight and high and low number of IMAP proxy sessions.

    user

    Not Specified

    ipsec-phase2-proposal

    IPsec phase2 proposal.

    option

    -

    Option

    Description

    aes128-sha1

    aes128-sha1

    aes128-sha256

    aes128-sha256

    aes128-sha384

    aes128-sha384

    aes128-sha512

    aes128-sha512

    aes192-sha1

    aes192-sha1

    aes192-sha256

    aes192-sha256

    aes192-sha384

    aes192-sha384

    aes192-sha512

    aes192-sha512

    aes256-sha1

    aes256-sha1

    aes256-sha256

    aes256-sha256

    aes256-sha384

    aes256-sha384

    aes256-sha512

    aes256-sha512

    aes128gcm

    aes128gcm

    aes256gcm

    aes256gcm

    chacha20poly1305

    chacha20poly1305

    key

    Key.

    password

    Not Specified

    l2ep-eth-type

    Telnet session HA heartbeat packet Ethertype (4-digit hex).

    string

    Maximum length: 4

    8893

    link-failed-signal

    Enable to shut down all interfaces for 1 sec after a failover. Use if gratuitous ARPs do not update network.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    load-balance-all

    Enable to load balance TCP sessions. Disable to load balance proxy sessions only.

    option

    -

    disable

    Option

    Description

    enable

    Enable load balance.

    disable

    Disable load balance.

    logical-sn *

    Enable/disable usage of the logical serial number.

    option

    -

    disable

    Option

    Description

    enable

    Enable usage of the logical serial number.

    disable

    Disable usage of the logical serial number.

    memory-based-failover

    Enable/disable memory based failover.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    memory-compatible-mode

    Enable/disable memory compatible mode.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    memory-failover-flip-timeout

    Time to wait between subsequent memory based failovers in minutes (6 - 2147483647, default = 6).

    integer

    Minimum value: 6 Maximum value: 2147483647

    6

    memory-failover-monitor-period

    Duration of high memory usage before memory based failover is triggered in seconds (1 - 300, default = 60).

    integer

    Minimum value: 1 Maximum value: 300

    60

    memory-failover-sample-rate

    Rate at which memory usage is sampled in order to measure memory usage in seconds (1 - 60, default = 1).

    integer

    Minimum value: 1 Maximum value: 60

    1

    memory-failover-threshold

    Memory usage threshold to trigger memory based failover (0 means using conserve mode threshold in system.global).

    integer

    Minimum value: 0 Maximum value: 95

    0

    memory-threshold

    Dynamic weighted load balancing memory usage weight and high and low thresholds.

    user

    Not Specified

    mode

    HA mode. Must be the same for all members. FGSP requires standalone.

    option

    -

    standalone

    Option

    Description

    standalone

    Standalone mode.

    a-a

    Active-active mode.

    a-p

    Active-passive mode.

    monitor

    Interfaces to check for port monitoring (or link failure).

    user

    Not Specified

    multicast-ttl

    HA multicast TTL on primary (5 - 3600 sec).

    integer

    Minimum value: 5 Maximum value: 3600

    600

    nntp-proxy-threshold

    Dynamic weighted load balancing weight and high and low number of NNTP proxy sessions.

    user

    Not Specified

    override

    Enable and increase the priority of the unit that should always be primary (master).

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    override-wait-time

    Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates.

    integer

    Minimum value: 0 Maximum value: 3600

    0

    password

    Cluster password. Must be the same for all members.

    password

    Not Specified

    pingserver-failover-threshold

    Remote IP monitoring failover threshold (0 - 50).

    integer

    Minimum value: 0 Maximum value: 50

    0

    pingserver-flip-timeout

    Time to wait in minutes before renegotiating after a remote IP monitoring failover.

    integer

    Minimum value: 6 Maximum value: 2147483647

    60

    pingserver-monitor-interface

    Interfaces to check for remote IP monitoring.

    user

    Not Specified

    pingserver-secondary-force-reset

    Enable to force the cluster to negotiate after a remote IP monitoring failover.

    option

    -

    enable

    Option

    Description

    enable

    Enable force reset of secondary member after PING server failure.

    disable

    Disable force reset of secondary member after PING server failure.

    pop3-proxy-threshold

    Dynamic weighted load balancing weight and high and low number of POP3 proxy sessions.

    user

    Not Specified

    priority

    Increase the priority to select the primary unit (0 - 255).

    integer

    Minimum value: 0 Maximum value: 255

    128

    route-hold

    Time to wait between routing table updates to the cluster (0 - 3600 sec).

    integer

    Minimum value: 0 Maximum value: 3600

    10

    route-ttl

    TTL for primary unit routes (5 - 3600 sec). Increase to maintain active routes during failover.

    integer

    Minimum value: 5 Maximum value: 3600

    10

    route-wait

    Time to wait before sending new routes to the cluster (0 - 3600 sec).

    integer

    Minimum value: 0 Maximum value: 3600

    0

    schedule

    Type of A-A load balancing. Use none if you have external load balancers.

    option

    -

    round-robin

    Option

    Description

    none

    None.

    leastconnection

    Least connection.

    round-robin

    Round robin.

    weight-round-robin

    Weight round robin.

    random

    Random.

    ip

    IP.

    ipport

    IP port.

    session-pickup

    Enable/disable session pickup. Enabling it can reduce session down time when fail over happens.

    option

    -

    disable

    Option

    Description

    enable

    Enable session pickup.

    disable

    Disable session pickup.

    session-pickup-connectionless

    Enable/disable UDP and ICMP session sync.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    session-pickup-delay

    Enable to sync sessions longer than 30 sec. Only longer lived sessions need to be synced.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    session-pickup-expectation

    Enable/disable session helper expectation session sync for FGSP.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    session-pickup-nat

    Enable/disable NAT session sync for FGSP.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    session-sync-dev

    Offload session-sync process to kernel and sync sessions using connected interface(s) directly.

    user

    Not Specified

    smtp-proxy-threshold

    Dynamic weighted load balancing weight and high and low number of SMTP proxy sessions.

    user

    Not Specified

    ssd-failover *

    Enable/disable automatic HA failover on SSD disk failure.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    standalone-config-sync

    Enable/disable FGSP configuration synchronization.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    standalone-mgmt-vdom

    Enable/disable standalone management VDOM.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    sync-config

    Enable/disable configuration synchronization.

    option

    -

    enable

    Option

    Description

    enable

    Enable configuration synchronization.

    disable

    Disable configuration synchronization.

    sync-packet-balance

    Enable/disable HA packet distribution to multiple CPUs.

    option

    -

    disable

    Option

    Description

    enable

    Enable HA packet distribution to multiple CPUs.

    disable

    Disable HA packet distribution to multiple CPUs.

    unicast-gateway *

    Default route gateway for unicast interface.

    ipv4-address

    Not Specified

    0.0.0.0

    unicast-hb *

    Enable/disable unicast heartbeat.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    unicast-hb-netmask *

    Unicast heartbeat netmask.

    ipv4-netmask

    Not Specified

    0.0.0.0

    unicast-hb-peerip *

    Unicast heartbeat peer IP.

    ipv4-address

    Not Specified

    0.0.0.0

    unicast-status *

    Enable/disable unicast connection.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    uninterruptible-primary-wait

    Number of minutes the primary HA unit waits before the secondary HA unit is considered upgraded and the system is started before starting its own upgrade (15 - 300, default = 30).

    integer

    Minimum value: 15 Maximum value: 300

    30

    upgrade-mode

    The mode to upgrade a cluster.

    option

    -

    uninterruptible

    Option

    Description

    simultaneous

    Upgrade all HA members at the same time.

    uninterruptible

    Upgrade HA cluster without blocking network traffic.

    local-only

    Upgrade local member only.

    secondary-only

    Upgrade secondary member only.

    vcluster-status

    Enable/disable virtual cluster for virtual clustering.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    weight

    Weight-round-robin weight for each cluster unit. Syntax <priority> <weight>.

    user

    Not Specified

    0 40

    * This parameter may not exist in some models.

    ** Values may differ between models.

    config ha-mgmt-interfaces

    Parameter

    Description

    Type

    Size

    Default

    dst

    Default route destination for reserved HA management interface.

    ipv4-classnet

    Not Specified

    0.0.0.0 0.0.0.0

    gateway

    Default route gateway for reserved HA management interface.

    ipv4-address

    Not Specified

    0.0.0.0

    gateway6

    Default IPv6 gateway for reserved HA management interface.

    ipv6-address

    Not Specified

    ::

    id

    Table ID.

    integer

    Minimum value: 0 Maximum value: 4294967295

    0

    interface

    Interface to reserve for HA management.

    string

    Maximum length: 15

    config unicast-peers

    Parameter

    Description

    Type

    Size

    Default

    id

    Table ID.

    integer

    Minimum value: 0 Maximum value: 4294967295

    0

    peer-ip

    Unicast peer IP.

    ipv4-address

    Not Specified

    0.0.0.0

    config vcluster

    Parameter

    Description

    Type

    Size

    Default

    monitor

    Interfaces to check for port monitoring (or link failure).

    user

    Not Specified

    override

    Enable and increase the priority of the unit that should always be primary (master).

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    override-wait-time

    Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates.

    integer

    Minimum value: 0 Maximum value: 3600

    0

    pingserver-failover-threshold

    Remote IP monitoring failover threshold (0 - 50).

    integer

    Minimum value: 0 Maximum value: 50

    0

    pingserver-flip-timeout

    Time to wait in minutes before renegotiating after a remote IP monitoring failover.

    integer

    Minimum value: 6 Maximum value: 2147483647

    60

    pingserver-monitor-interface

    Interfaces to check for remote IP monitoring.

    user

    Not Specified

    pingserver-secondary-force-reset

    Enable to force the cluster to negotiate after a remote IP monitoring failover.

    option

    -

    enable

    Option

    Description

    enable

    Enable force reset of secondary member after PING server failure.

    disable

    Disable force reset of secondary member after PING server failure.

    priority

    Increase the priority to select the primary unit (0 - 255).

    integer

    Minimum value: 0 Maximum value: 255

    128

    vcluster-id

    ID.

    integer

    Minimum value: 1 Maximum value: 30

    1

    vdom <name>

    Virtual domain(s) in the virtual cluster.

    Virtual domain name.

    string

    Maximum length: 79

    Previous
    Next

    config system ha

    config system ha

    Configure HA.

    config system ha
    Description: Configure HA.
    set arps {integer}
    set arps-interval {integer}
    set authentication [enable|disable]
    set auto-virtual-mac-interface <interface-name1>, <interface-name2>, ...
    set backup-hbdev <name1>, <name2>, ...
    set check-secondary-dev-health [enable|disable]
    set cpu-threshold {user}
    set encryption [enable|disable]
    set evpn-ttl {integer}
    set failover-hold-time {integer}
    set ftp-proxy-threshold {user}
    set gratuitous-arps [enable|disable]
    set group-id {integer}
    set group-name {string}
    set ha-direct [enable|disable]
    set ha-eth-type {string}
    config ha-mgmt-interfaces
        Description: Reserve interfaces to manage individual cluster units.
        edit <id>
            set dst {ipv4-classnet}
            set gateway {ipv4-address}
            set gateway6 {ipv6-address}
            set interface {string}
        next
    end
    set ha-mgmt-status [enable|disable]
    set ha-uptime-diff-margin {integer}
    set hb-interval {integer}
    set hb-interval-in-milliseconds [100ms|10ms]
    set hb-lost-threshold {integer}
    set hbdev {user}
    set hc-eth-type {string}
    set hello-holddown {integer}
    set http-proxy-threshold {user}
    set imap-proxy-threshold {user}
    set ipsec-phase2-proposal {option1}, {option2}, ...
    set key {password}
    set l2ep-eth-type {string}
    set link-failed-signal [enable|disable]
    set load-balance-all [enable|disable]
    set logical-sn [enable|disable]
    set memory-based-failover [enable|disable]
    set memory-compatible-mode [enable|disable]
    set memory-failover-flip-timeout {integer}
    set memory-failover-monitor-period {integer}
    set memory-failover-sample-rate {integer}
    set memory-failover-threshold {integer}
    set memory-threshold {user}
    set mode [standalone|a-a|...]
    set monitor {user}
    set multicast-ttl {integer}
    set nntp-proxy-threshold {user}
    set override [enable|disable]
    set override-wait-time {integer}
    set password {password}
    set pingserver-failover-threshold {integer}
    set pingserver-flip-timeout {integer}
    set pingserver-monitor-interface {user}
    set pingserver-secondary-force-reset [enable|disable]
    set pop3-proxy-threshold {user}
    set priority {integer}
    set route-hold {integer}
    set route-ttl {integer}
    set route-wait {integer}
    set schedule [none|leastconnection|...]
    set session-pickup [enable|disable]
    set session-pickup-connectionless [enable|disable]
    set session-pickup-delay [enable|disable]
    set session-pickup-expectation [enable|disable]
    set session-pickup-nat [enable|disable]
    set session-sync-dev {user}
    set smtp-proxy-threshold {user}
    set ssd-failover [enable|disable]
    set standalone-config-sync [enable|disable]
    set standalone-mgmt-vdom [enable|disable]
    set sync-config [enable|disable]
    set sync-packet-balance [enable|disable]
    set unicast-gateway {ipv4-address}
    set unicast-hb [enable|disable]
    set unicast-hb-netmask {ipv4-netmask}
    set unicast-hb-peerip {ipv4-address}
    config unicast-peers
        Description: Number of unicast peers.
        edit <id>
            set peer-ip {ipv4-address}
        next
    end
    set unicast-status [enable|disable]
    set uninterruptible-primary-wait {integer}
    set upgrade-mode [simultaneous|uninterruptible|...]
    config vcluster
        Description: Virtual cluster table.
        edit <vcluster-id>
            set monitor {user}
            set override [enable|disable]
            set override-wait-time {integer}
            set pingserver-failover-threshold {integer}
            set pingserver-flip-timeout {integer}
            set pingserver-monitor-interface {user}
            set pingserver-secondary-force-reset [enable|disable]
            set priority {integer}
            set vdom <name1>, <name2>, ...
        next
    end
    set vcluster-status [enable|disable]
    set weight {user}
end

    config system ha

    Parameter

    Description

    Type

    Size

    Default

    arps

    Number of gratuitous ARPs (1 - 60). Lower to reduce traffic. Higher to reduce failover time.

    integer

    Minimum value: 1 Maximum value: 60

    5

    arps-interval

    Time between gratuitous ARPs (1 - 20 sec). Lower to reduce failover time. Higher to reduce traffic.

    integer

    Minimum value: 1 Maximum value: 20

    8

    authentication

    Enable/disable heartbeat message authentication.

    option

    -

    disable

    Option

    Description

    enable

    Enable heartbeat message authentication.

    disable

    Disable heartbeat message authentication.

    auto-virtual-mac-interface <interface-name>

    The physical interface that will be assigned an auto-generated virtual MAC address.

    Interface name.

    string

    Maximum length: 15

    backup-hbdev <name>

    Backup heartbeat interfaces. Must be the same for all members.

    Interface name.

    string

    Maximum length: 79

    check-secondary-dev-health

    Enable/disable secondary dev health check for session load-balance in HA A-A mode.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    cpu-threshold

    Dynamic weighted load balancing CPU usage weight and high and low thresholds.

    user

    Not Specified

    encryption

    Enable/disable heartbeat message encryption.

    option

    -

    disable

    Option

    Description

    enable

    Enable heartbeat message encryption.

    disable

    Disable heartbeat message encryption.

    evpn-ttl

    HA EVPN FDB TTL on primary box (5 - 3600 sec).

    integer

    Minimum value: 5 Maximum value: 3600

    60

    failover-hold-time

    Time to wait before failover (0 - 300 sec, default = 0), to avoid flip.

    integer

    Minimum value: 0 Maximum value: 300

    0

    ftp-proxy-threshold

    Dynamic weighted load balancing weight and high and low number of FTP proxy sessions.

    user

    Not Specified

    gratuitous-arps

    Enable/disable gratuitous ARPs. Disable if link-failed-signal enabled.

    option

    -

    enable

    Option

    Description

    enable

    Enable gratuitous ARPs.

    disable

    Disable gratuitous ARPs.

    group-id

    HA group ID (0 - 1023; or 0 - 7 when there are more than 2 vclusters). Must be the same for all members.

    integer

    Minimum value: 0 Maximum value: 1023

    0

    group-name

    Cluster group name. Must be the same for all members.

    string

    Maximum length: 32

    ha-direct

    Enable/disable using ha-mgmt interface for syslog, remote authentication (RADIUS), FortiAnalyzer, FortiSandbox, sFlow, and Netflow.

    option

    -

    disable

    Option

    Description

    enable

    Enable using ha-mgmt interface for syslog, remote authentication (RADIUS), FortiAnalyzer, FortiSandbox, sFlow, and Netflow.

    disable

    Disable using ha-mgmt interface for syslog, remote authentication (RADIUS), FortiAnalyzer, FortiSandbox, sFlow, and Netflow.

    ha-eth-type

    HA heartbeat packet Ethertype (4-digit hex).

    string

    Maximum length: 4

    8890

    ha-mgmt-status

    Enable to reserve interfaces to manage individual cluster units.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    ha-uptime-diff-margin

    Normally you would only reduce this value for failover testing.

    integer

    Minimum value: 1 Maximum value: 65535

    300

    hb-interval

    Time between sending heartbeat packets (1 - 20). Increase to reduce false positives.

    integer

    Minimum value: 1 Maximum value: 20

    2

    hb-interval-in-milliseconds

    Units of heartbeat interval time between sending heartbeat packets. Default is 100ms.

    option

    -

    100ms

    Option

    Description

    100ms

    Each heartbeat interval is 100ms.

    10ms

    Each heartbeat interval is 10ms.

    hb-lost-threshold

    Number of lost heartbeats to signal a failure (1 - 60). Increase to reduce false positives.

    integer

    Minimum value: 1 Maximum value: 60

    6 **

    hbdev

    Heartbeat interfaces. Must be the same for all members. Enter <interface> <priority> pairs to specify the priority of each heartbeat interface. Higher priority takes precedence.

    user

    Not Specified

    hc-eth-type

    Transparent mode HA heartbeat packet Ethertype (4-digit hex).

    string

    Maximum length: 4

    8891

    hello-holddown

    Time to wait before changing from hello to work state (5 - 300 sec).

    integer

    Minimum value: 5 Maximum value: 300

    20

    http-proxy-threshold

    Dynamic weighted load balancing weight and high and low number of HTTP proxy sessions.

    user

    Not Specified

    imap-proxy-threshold

    Dynamic weighted load balancing weight and high and low number of IMAP proxy sessions.

    user

    Not Specified

    ipsec-phase2-proposal

    IPsec phase2 proposal.

    option

    -

    Option

    Description

    aes128-sha1

    aes128-sha1

    aes128-sha256

    aes128-sha256

    aes128-sha384

    aes128-sha384

    aes128-sha512

    aes128-sha512

    aes192-sha1

    aes192-sha1

    aes192-sha256

    aes192-sha256

    aes192-sha384

    aes192-sha384

    aes192-sha512

    aes192-sha512

    aes256-sha1

    aes256-sha1

    aes256-sha256

    aes256-sha256

    aes256-sha384

    aes256-sha384

    aes256-sha512

    aes256-sha512

    aes128gcm

    aes128gcm

    aes256gcm

    aes256gcm

    chacha20poly1305

    chacha20poly1305

    key

    Key.

    password

    Not Specified

    l2ep-eth-type

    Telnet session HA heartbeat packet Ethertype (4-digit hex).

    string

    Maximum length: 4

    8893

    link-failed-signal

    Enable to shut down all interfaces for 1 sec after a failover. Use if gratuitous ARPs do not update network.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    load-balance-all

    Enable to load balance TCP sessions. Disable to load balance proxy sessions only.

    option

    -

    disable

    Option

    Description

    enable

    Enable load balance.

    disable

    Disable load balance.

    logical-sn *

    Enable/disable usage of the logical serial number.

    option

    -

    disable

    Option

    Description

    enable

    Enable usage of the logical serial number.

    disable

    Disable usage of the logical serial number.

    memory-based-failover

    Enable/disable memory based failover.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    memory-compatible-mode

    Enable/disable memory compatible mode.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    memory-failover-flip-timeout

    Time to wait between subsequent memory based failovers in minutes (6 - 2147483647, default = 6).

    integer

    Minimum value: 6 Maximum value: 2147483647

    6

    memory-failover-monitor-period

    Duration of high memory usage before memory based failover is triggered in seconds (1 - 300, default = 60).

    integer

    Minimum value: 1 Maximum value: 300

    60

    memory-failover-sample-rate

    Rate at which memory usage is sampled in order to measure memory usage in seconds (1 - 60, default = 1).

    integer

    Minimum value: 1 Maximum value: 60

    1

    memory-failover-threshold

    Memory usage threshold to trigger memory based failover (0 means using conserve mode threshold in system.global).

    integer

    Minimum value: 0 Maximum value: 95

    0

    memory-threshold

    Dynamic weighted load balancing memory usage weight and high and low thresholds.

    user

    Not Specified

    mode

    HA mode. Must be the same for all members. FGSP requires standalone.

    option

    -

    standalone

    Option

    Description

    standalone

    Standalone mode.

    a-a

    Active-active mode.

    a-p

    Active-passive mode.

    monitor

    Interfaces to check for port monitoring (or link failure).

    user

    Not Specified

    multicast-ttl

    HA multicast TTL on primary (5 - 3600 sec).

    integer

    Minimum value: 5 Maximum value: 3600

    600

    nntp-proxy-threshold

    Dynamic weighted load balancing weight and high and low number of NNTP proxy sessions.

    user

    Not Specified

    override

    Enable and increase the priority of the unit that should always be primary (master).

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    override-wait-time

    Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates.

    integer

    Minimum value: 0 Maximum value: 3600

    0

    password

    Cluster password. Must be the same for all members.

    password

    Not Specified

    pingserver-failover-threshold

    Remote IP monitoring failover threshold (0 - 50).

    integer

    Minimum value: 0 Maximum value: 50

    0

    pingserver-flip-timeout

    Time to wait in minutes before renegotiating after a remote IP monitoring failover.

    integer

    Minimum value: 6 Maximum value: 2147483647

    60

    pingserver-monitor-interface

    Interfaces to check for remote IP monitoring.

    user

    Not Specified

    pingserver-secondary-force-reset

    Enable to force the cluster to negotiate after a remote IP monitoring failover.

    option

    -

    enable

    Option

    Description

    enable

    Enable force reset of secondary member after PING server failure.

    disable

    Disable force reset of secondary member after PING server failure.

    pop3-proxy-threshold

    Dynamic weighted load balancing weight and high and low number of POP3 proxy sessions.

    user

    Not Specified

    priority

    Increase the priority to select the primary unit (0 - 255).

    integer

    Minimum value: 0 Maximum value: 255

    128

    route-hold

    Time to wait between routing table updates to the cluster (0 - 3600 sec).

    integer

    Minimum value: 0 Maximum value: 3600

    10

    route-ttl

    TTL for primary unit routes (5 - 3600 sec). Increase to maintain active routes during failover.

    integer

    Minimum value: 5 Maximum value: 3600

    10

    route-wait

    Time to wait before sending new routes to the cluster (0 - 3600 sec).

    integer

    Minimum value: 0 Maximum value: 3600

    0

    schedule

    Type of A-A load balancing. Use none if you have external load balancers.

    option

    -

    round-robin

    Option

    Description

    none

    None.

    leastconnection

    Least connection.

    round-robin

    Round robin.

    weight-round-robin

    Weight round robin.

    random

    Random.

    ip

    IP.

    ipport

    IP port.

    session-pickup

    Enable/disable session pickup. Enabling it can reduce session down time when fail over happens.

    option

    -

    disable

    Option

    Description

    enable

    Enable session pickup.

    disable

    Disable session pickup.

    session-pickup-connectionless

    Enable/disable UDP and ICMP session sync.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    session-pickup-delay

    Enable to sync sessions longer than 30 sec. Only longer lived sessions need to be synced.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    session-pickup-expectation

    Enable/disable session helper expectation session sync for FGSP.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    session-pickup-nat

    Enable/disable NAT session sync for FGSP.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    session-sync-dev

    Offload session-sync process to kernel and sync sessions using connected interface(s) directly.

    user

    Not Specified

    smtp-proxy-threshold

    Dynamic weighted load balancing weight and high and low number of SMTP proxy sessions.

    user

    Not Specified

    ssd-failover *

    Enable/disable automatic HA failover on SSD disk failure.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    standalone-config-sync

    Enable/disable FGSP configuration synchronization.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    standalone-mgmt-vdom

    Enable/disable standalone management VDOM.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    sync-config

    Enable/disable configuration synchronization.

    option

    -

    enable

    Option

    Description

    enable

    Enable configuration synchronization.

    disable

    Disable configuration synchronization.

    sync-packet-balance

    Enable/disable HA packet distribution to multiple CPUs.

    option

    -

    disable

    Option

    Description

    enable

    Enable HA packet distribution to multiple CPUs.

    disable

    Disable HA packet distribution to multiple CPUs.

    unicast-gateway *

    Default route gateway for unicast interface.

    ipv4-address

    Not Specified

    0.0.0.0

    unicast-hb *

    Enable/disable unicast heartbeat.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    unicast-hb-netmask *

    Unicast heartbeat netmask.

    ipv4-netmask

    Not Specified

    0.0.0.0

    unicast-hb-peerip *

    Unicast heartbeat peer IP.

    ipv4-address

    Not Specified

    0.0.0.0

    unicast-status *

    Enable/disable unicast connection.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    uninterruptible-primary-wait

    Number of minutes the primary HA unit waits before the secondary HA unit is considered upgraded and the system is started before starting its own upgrade (15 - 300, default = 30).

    integer

    Minimum value: 15 Maximum value: 300

    30

    upgrade-mode

    The mode to upgrade a cluster.

    option

    -

    uninterruptible

    Option

    Description

    simultaneous

    Upgrade all HA members at the same time.

    uninterruptible

    Upgrade HA cluster without blocking network traffic.

    local-only

    Upgrade local member only.

    secondary-only

    Upgrade secondary member only.

    vcluster-status

    Enable/disable virtual cluster for virtual clustering.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    weight

    Weight-round-robin weight for each cluster unit. Syntax <priority> <weight>.

    user

    Not Specified

    0 40

    * This parameter may not exist in some models.

    ** Values may differ between models.

    config ha-mgmt-interfaces

    Parameter

    Description

    Type

    Size

    Default

    dst

    Default route destination for reserved HA management interface.

    ipv4-classnet

    Not Specified

    0.0.0.0 0.0.0.0

    gateway

    Default route gateway for reserved HA management interface.

    ipv4-address

    Not Specified

    0.0.0.0

    gateway6

    Default IPv6 gateway for reserved HA management interface.

    ipv6-address

    Not Specified

    ::

    id

    Table ID.

    integer

    Minimum value: 0 Maximum value: 4294967295

    0

    interface

    Interface to reserve for HA management.

    string

    Maximum length: 15

    config unicast-peers

    Parameter

    Description

    Type

    Size

    Default

    id

    Table ID.

    integer

    Minimum value: 0 Maximum value: 4294967295

    0

    peer-ip

    Unicast peer IP.

    ipv4-address

    Not Specified

    0.0.0.0

    config vcluster

    Parameter

    Description

    Type

    Size

    Default

    monitor

    Interfaces to check for port monitoring (or link failure).

    user

    Not Specified

    override

    Enable and increase the priority of the unit that should always be primary (master).

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    override-wait-time

    Delay negotiating if override is enabled (0 - 3600 sec). Reduces how often the cluster negotiates.

    integer

    Minimum value: 0 Maximum value: 3600

    0

    pingserver-failover-threshold

    Remote IP monitoring failover threshold (0 - 50).

    integer

    Minimum value: 0 Maximum value: 50

    0

    pingserver-flip-timeout

    Time to wait in minutes before renegotiating after a remote IP monitoring failover.

    integer

    Minimum value: 6 Maximum value: 2147483647

    60

    pingserver-monitor-interface

    Interfaces to check for remote IP monitoring.

    user

    Not Specified

    pingserver-secondary-force-reset

    Enable to force the cluster to negotiate after a remote IP monitoring failover.

    option

    -

    enable

    Option

    Description

    enable

    Enable force reset of secondary member after PING server failure.

    disable

    Disable force reset of secondary member after PING server failure.

    priority

    Increase the priority to select the primary unit (0 - 255).

    integer

    Minimum value: 0 Maximum value: 255

    128

    vcluster-id

    ID.

    integer

    Minimum value: 1 Maximum value: 30

    1

    vdom <name>

    Virtual domain(s) in the virtual cluster.

    Virtual domain name.

    string

    Maximum length: 79

    Previous
    Next