beingarif
Explorer III
November 5, 2025
Solved

FortiSIEM 7.4.2 HA V3: How to Manage Central Access Without VIP?

Hi Community,

I recently upgraded my FortiSIEM deployment from version 7.4.0 to 7.4.2. In 7.4.0, I was using Automated HA (HA V2) with a Virtual IP (VIP) setup, which allowed customers to access the system via a common IP address. This made centralized access and management straightforward.

However, after upgrading to 7.4.2, I noticed that VIP is no longer available as part of the HA configuration. I understand that HA V3, introduced in 7.4.1, improves upon HA V2 and eliminates the need for VIP or DNS configuration.

My questions are:

  1. How can I now provide a centralized access point for customers without VIP?
  2. What is the recommended approach to make this understandable and seamless for customers, especially those used to accessing the system via a single IP?
  3. Is there any best practice or workaround to simulate the previous VIP behavior in HA V3?

Any guidance or shared experience would be greatly appreciated!

@Secusaurus @Anthony_E can you please help here.

Regards,
Arif

    Best answer by Secusaurus

    Hi @beingarif,

     

    The previous "issue" was that having a shared virtual IP across all Supervisors meant you are required to have a layer-2 network between all of them. This does not scale across datacenters, as they are usually layer-3 connections (different subnets).

    On the other hand, if you enable this functionality, a shared virtual IP is not just "not required", but simply not possible. A router would not expect the same IP in different subnets.

    So, what you need for your deployment now is a load balancer in front, which manages a virtual IP (usually a public IP) and DNATs it to the IP of the currently active Supervisor. I am pretty sure that there is a solution for a common load balancer to find out the current master (if required at all?).

    I must admit that, in our production setups, we don't use top-of-the-edge releases, so I cannot share real-life experience with you about that.

     

    Best,

    Christian

    1 reply

    Secusaurus
    Contributor III
    November 5, 2025

    NSE8 | Fortinet Advanced MSSP Partner
    beingarif (Author)
    Explorer III
    November 5, 2025

    Thank you for clarifying, Christian.