This section provides information on how to configure a firewall cluster consisting of a primary device and an auxiliary device. Devices must be physically connected to ensure synchronization (it also helps to detect failed devices), that is, FortiGate devices form a high availability (HA) cluster.

There are two HA configuration modes: active-passive and active-active. HA operating modes define:

  • what is synchronized between devices;
  • whether all FortiGate devices are processing traffic;
  • whether HA improves availability or bandwidth.

This feature can be useful for users for who need high availability of their service.

What is required to create a VPN tunnel on a firewall:

  • the presence of a configured external interface through which the devices will be connected;
  • an internal network;
  • access to the FortiGate web interface.

Learn more in the instruction for enabling the service.


In either of the two HA operating modes, the configuration of the auxiliary FortiGate device is synchronized with the configuration of the primary device. In addition, if a primary device failure occurs, one of the auxiliary devices will take over the role of a primary one to process traffic.

Term Definition
Active-Passive HA mode, in which the primary FortiGate is the only FortiGate device that actively processes traffic. The auxiliary device remains in stand-by mode, ready to take over if a primary device failure occurs. This event is called HA failover
Active-Active HA mode, in which all FortiGate devices process traffic. One of the tasks of the primary FortiGate in this mode is to balance part of the traffic between all auxiliary devices
FGCP (FortiGate Clustering Protocol) The protocol that FortiGate uses to find devices belonging to the same HA group, select a primary device, synchronize configuration and other data, and detect failures
Heartbeat link Physical connections between grouped FortiGates over which FGCP operates. Connections are created using a regular RJ45 cable or a crossover cable

If you have another device between two FortiGate devices, such as a switch, make sure it is dedicated and isolated from the rest of the network. FGCP traffic should not compete with other traffic for bandwidth.

FortiGate devices use Telnet sessions over TCP port 23, with 0x8893 Ethernet type over heartbeat channels, to synchronize the cluster configuration and to connect to the CLI of another FortiGate in the cluster. When you manually restart or shut down the primary FortiGate before the primary FortiGate actually shuts down, it becomes an auxiliary one and waits for traffic to switch to the new primary.

Requirements for HA

  1. A cluster can have from 2 to 4 FortiGate devices with the same parameters:

    • firmware;
    • equipment model and license;
    • HDD capacity and partitions;
    • operation mode (transparent or NAT).

    If one of the FortiGates has a lower level of licensing than other FortiGates in the cluster, then all FortiGates in the cluster will revert to that lower licensing level.

  2. There must be at least one heartbeat connection between FortiGate devices. For redundancy, you can create up to eight heartbeat interfaces. If one connection fails, HA will use the next one in priority and position.

  3. The same interfaces on each FortiGate device must be connected to the same switch or local network segment.

Ordering and Provision of the Service

To create a cluster for FortiGate devices, order the required number of firewalls of the same model in one location, according to the instruction.

If you already use FortiGate firewall at Selectel, it can also be combined with a new one. To do this, create a ticket and specify which devices (neXX numbers) you want to combine into a High Availability (HA) cluster.

Two connections are created between devices by default. If you need a different number, please indicate how many heartbeat connections to create between devices.

After ordering firewalls and their connections, information for accessing the firewalls will be provided in the ticket.

After the cluster organization is finished, you will receive a notification that the switching between the firewalls has been completed, in the response ticket. Then you can start the setup.