renzanjopcaparas
Visitor III
April 30, 2026
Question

Migrating HA setup from 501E to 100F

  • April 30, 2026
  • 4 replies
  • 126 views

Hi everyone!

We currently have an HA setup for FG 501E.

The physical HA ports are interconnected via switch in between. The switch ports are on the same vlan.

The physical HA port also has an IP Address set with it. Assume 1.1.1.1

 

As I have checked, 100F does not have this single HA port same as 501E. It uses HA1 and HA2.

 

Now I am thinking, to replicate our current setup on this new 100F firewall pair, can I use the same switch interconnectivity for HA1 and assign an IP address to the HA1 interface? Can I also leave the HA2 interfaces directly connected (without a switch) between the two firewalls?

 

The reason why I want to replicate this is because I have found out that:

  1. The communications between Fortiguard servers and our existing 501E Firewalls are using a security policy; in which the HA IP address (1.1.1.1) was being referenced.

 

Regards,

Renz

 

4 replies

msanjaypadma
Staff
April 30, 2026

Hi @renzanjopcaparas,

As I understand, you are planning a complete migration of the current 501E HA setup to a new 100F FortiGate HA configuration. Please correct me if I am mistaken.

Your inquiry pertains to the additional HA ports on FortiGate 100F and the necessity of connecting each firewall to one another, along with concerns about potential impact on connectivity with the FortiGuard server.


HA ports are dedicated interfaces used for communication between cluster members to ensure continuous network availability. They primarily facilitate heartbeat monitoring to detect failures, configuration synchronization to maintain consistent settings, and session synchronization. For more detailed information, please refer to the following document:

[HA Heartbeat Interface Documentation](https://docs.fortinet.com/document/fortigate/7.6.6/administration-guide/849059)


Regarding your connection method, whether you are connecting the HA interface ports directly between firewalls or via a switch, please note that this does not influence the FortiGuard connection. To reach the FortiGuard server, the firewall selects an IP address based on the lowest or a random index from its configured interfaces.

For further details on how FortiGuard connectivity functions, please review the following resources:

https://community.fortinet.com/fortigate-3/technical-tip-fortiguard-overview-and-troubleshooting-160395
 

In conclusion, connect both HA cables as feasible for you. Afterwards, you can validate the connectivity with the FortiGuard server to ensure proper operation.


If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.

Thanks,
Mayur Padma 

renzanjopcaparas
Visitor III
April 30, 2026

Hi @msanjaypadma, thank you very much! That gave me peace of mind. So I did try the 100F setup, where I assigned the IP to the ha1 interface. But there is no switch in between yet, a direct connection only.

Everything is the same in Active and Standby firewall. But when I try to check the routing entry for the ha1 ip address, they aren’t the same. The output should show “via LAG1.16”

You may refer to the images attached.

 

The secondary firewall outputs the expected route. But on the primary, it says directly connected. It’s actually correct because I configured ha1 in primary and it just cascaded the config to secondary.

One thing that confuses me is why the routes differ when both are configured with the same routing entries.

 

msanjaypadma
Staff
Staff
April 30, 2026

Hi @renzanjopcaparas,

Based on your interface configuration and routing information, there appears to be some confusion.
Typically, routing details should not be visible, except kernel routes, on the secondary (slave) firewall unless there is a split-brain scenario or the cluster is configured for VDOM-based HA. Additionally, it is unclear why an IP address has been assigned on the secondary device.

Could you please verify the HA status on both firewalls?

#get sys status
#get sys ha status 

Is it possible for you to share the HA configuration:
#show sys ha

Thanks,
Mayur Padma

AEK
SuperUser
April 30, 2026

Hi Renz

Yes you can do that. Your new setup is correct.

But what do you mean by "HA IP is referenced"? Do you mean FortiGuard is contacted with the HA IP as source? In a typical setup HA should be in an isolated, non-routed network and should not have an IP address at all, except for some special cases. I recommend fixing this issue.

AEK
Toshi_Esumi
SuperUser
April 30, 2026

I still don’t understand why you configure any IP for routing on HA heartbeat port. It’s just physically connected to the remote end to pass “heartbeat” and config sync, etc. with EthType=0x8890. Obviously it won’t connect to the internet or FTGD or anywhere.

They automatically assign link-local IPs (169.254.x.x/16) to communicate with each other. You should leave the interface config blank like this.
 

config system interface
    edit "ha"
        set vdom "root"
        set type physical
        set snmp-index 36
    next
end


Toshi
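
A small audit script, added here as an example and not part of this thread or of Fortinet's own tooling, that checks an exported FortiGate configuration for the condition AEK and Toshi describe: a heartbeat interface (listed under `set hbdev` in `config system ha`) that carries an IP address or administrative access. The configuration excerpt embedded below is constructed for the example; the `set hbdev`, `config system interface` and `edit`/`next`/`end` syntax is standard FortiOS CLI syntax, but the interface names and addresses are made up.

```python
import re
from typing import Dict, List

# Constructed FortiOS configuration excerpt (not from the devices in the thread):
# a cluster whose ha1 heartbeat interface has been given an IP address.
SAMPLE_CONFIG = """
config system ha
    set group-name "FGT-CLUSTER"
    set mode a-p
    set hbdev "ha1" 50 "ha2" 50
end
config system interface
    edit "ha1"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.0
        set type physical
        config ipv6
            set ip6-mode static
        end
    next
    edit "ha2"
        set vdom "root"
        set type physical
    next
    edit "port1"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
end
"""


def parse_hbdev(config: str) -> List[str]:
    """Return the heartbeat interface names from a line such as
    `set hbdev "ha1" 50 "ha2" 50` (the numbers are priorities and are dropped)."""
    match = re.search(r'^\s*set hbdev\s+(.+)$', config, re.MULTILINE)
    if not match:
        return []
    return re.findall(r'"([^"]+)"', match.group(1))


def parse_interfaces(config: str) -> Dict[str, Dict[str, str]]:
    """Map each interface name in `config system interface` to its `set` values.
    Nested `config ... end` blocks inside an `edit` (e.g. `config ipv6`) are
    skipped so that their `end` does not terminate the outer block early."""
    interfaces: Dict[str, Dict[str, str]] = {}
    in_block = False
    depth = 0          # nesting depth of inner config blocks
    current = None     # name of the interface currently being edited
    for raw in config.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config system interface"
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            if depth == 0:
                break
            depth -= 1
        elif depth > 0:
            continue   # ignore settings inside nested blocks
        elif line.startswith("edit "):
            current = line.split('"')[1]
            interfaces[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)
            interfaces[current][parts[1]] = parts[2] if len(parts) > 2 else ""
    return interfaces


def audit_heartbeat_interfaces(config: str) -> List[str]:
    """Flag heartbeat interfaces that are routable or reachable for management."""
    findings = []
    interfaces = parse_interfaces(config)
    for name in parse_hbdev(config):
        settings = interfaces.get(name, {})
        if "ip" in settings:
            findings.append(f"{name}: heartbeat interface has IP {settings['ip']}")
        if "allowaccess" in settings:
            findings.append(f"{name}: heartbeat interface allows {settings['allowaccess']}")
    return findings


if __name__ == "__main__":
    for finding in audit_heartbeat_interfaces(SAMPLE_CONFIG):
        print(finding)
```

Run it against the text of `show full-configuration` saved from each cluster member; an empty result means every `hbdev` interface is left without an address, which is the state the two replies above recommend.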

renzanjopcaparas
Visitor III
May 4, 2026

Hi @AEK, @Toshi_Esumi, @msanjaypadma,

 

Our current 501E has this same ip configuration.

We have 2 x 501E firewalls with a switch in between. The HA ports of the 501E are connected to a switch. Those HA ports were configured with IP.

Our current 501e use port 11 and 12 for heartbeat interfaces.

 

The new 100F firewalls have HA1 and HA2 ports only. So I decided to use HA1 and assign an IP address as well. 

I just replicated whatever we have in 501E

 

Below is the 2x 501E config

 

Both 501E have the same ha IP. 

msanjaypadma
Staff
May 4, 2026

Hi @renzanjopcaparas,


It's OK for now that you configured an IP address. However, my last query is still unclear.

Based on your interface configuration and routing information, there appears to be some confusion. You are able to do a routing lookup on the secondary device as well!
Typically, routing details should not be visible, except kernel routes, on the secondary (slave) when the firewall is in an HA setup, unless there is a split-brain scenario or the cluster is configured for VDOM-based HA. Could you confirm these things?

Could you please verify the HA status on both firewalls?

#get sys status
#get sys ha status 

Is it possible for you to share the HA configuration:
#show sys ha
#show router static |  grep -f .193
#show sys interface LAG1.16

Since those sections of the routing lookup are hidden, it is not possible to confirm which supernet is being displayed in the routing lookup. However, as I understand it, a /14 subnet is shown on the secondary device in the routing lookup (which is still wrong), and the HA1 interface has a more specific subnet, for example /16, so ideally it should show as the best route. But my question is still how you are able to do a routing lookup on the secondary firewall.
Just cross verify below things

Possible reasons that you are able to do routing lookup in Slave device: 

  • The HA setup has not yet been established (both firewalls might be acting as primary), so there will be some routing issue
  • HA might be configured as vdom-based?

Thanks,
Mayur Padma