renzanjopcaparas
Visitor III
April 2, 2026
Question

Proper HA Cluster configuration

  • April 2, 2026
  • 1 reply
  • 588 views

Hi everyone!

 

I've been reading some articles and guides. But I am still not confident with what I have gathered. 

So I would like to kindly ask about your experiences with properly setting up HA for the 100F (or any model, if applicable).

Long story short, we will just reuse 2x 100Fs from one of our sites, which has been decommissioned, at a new existing site.


This is my plan:

 

1. Turn on Firewall-A

2. Factory reset the firewall.

3. Configure management interface IP via CLI

4. Once reachable via GUI, configure the HA (mode, priority, group ID, group name, password, heartbeat interfaces, heartbeat interfaces priority, mgmt interface reservation and gateway)

5. Save, turn off the firewall A.

6. Turn on Firewall-B. Repeat all the steps above.

7. Turn off firewall-B.

8. Connect the HA1 interfaces of the cluster units together

9. Connect the HA2 interfaces of the cluster units together

10. Power on both of the FortiGates

11. Configure everything in the cluster as if it is a single FortiGate.

 

This is where I get confused.

In the part where I repeat the steps on Firewall-B, do I also set the same management IP for it?

Say, for example, 1.1.1.1 is the mgmt IP of Firewall-A; I will do the same on Firewall-B.

In the part where I repeat the steps on Firewall-B, do I set the lower priority here?

Something's not right with my process. Do you guys have any better suggestions for doing this effectively?

 

Regards!

1 reply

AEK
SuperUser
April 2, 2026

Hi Renzan

 

Here is the official procedure in its simple form.

https://docs.fortinet.com/document/fortigate/7.6.6/administration-guide/900885/ha-active-passive-cluster-setup

 

It doesn't matter whether you configure the same management IP or a different mgmt IP, since the HA process will make it the same. It means that when the HA cluster is built, only one mgmt IP address will remain, and it is always owned by the active node. Unless you want to have a dedicated mgmt IP for each HA node (usually not needed), but this is another story.

The doc below may also interest you, to understand the primary unit selection criteria.

https://docs.fortinet.com/document/fortigate/7.6.6/administration-guide/996846/ha-primary-unit-selection-criteria

AEK
renzanjopcaparas
Visitor III
April 3, 2026

Thank you very much @AEK, these are very helpful.

Can I do it this way?

- I set up everything on Firewall-A: policies, objects and everything.

- Reset Firewall-B and leave it like that for the moment, just to make it clean.

- Then, on the day of the actual replacement, I bring up Firewall-B, configure its HA and connect it to HA1 and HA2 of Firewall-A.

Will Firewall-B automatically sync the config from Firewall-A?

Toshi_Esumi
SuperUser
April 3, 2026

Of course it would work. But it would take some time to sync the entire config from scratch, depending on how much config is on A.

Since you seem to be planning to use the mgmt interface with different IPs, if you download the entire config from A, modify 1) the host name, 2) the mgmt interface IP, and 3) the HA priority in the config file, and then upload it to B, it would shorten the sync time if there is a lot of config on A.

By the way, the HA priority is optional if you don't care which would become the primary when an HA event happens and a new primary needs to be elected. 

Toshi
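
The config edit described in the reply above, as an added example that is not part of the thread and not Fortinet code: it rewrites only the hostname, the mgmt interface IP and the HA priority in a plain-text backup, tracking the enclosing `config`/`edit` blocks so same-named settings elsewhere (for example a static route's `priority`) are left alone. The interface name `mgmt`, the names FW-A/FW-B and all addresses are assumptions, and the sample backup is constructed.

```python
import re
# Constructed sample of a FortiOS-style backup from Firewall-A (not real output).
SAMPLE_A = '''\
config system global
    set hostname "FW-A"
end
config system interface
    edit "mgmt"
        set ip 192.0.2.11 255.255.255.0
    next
    edit "port1"
        set ip 198.51.100.1 255.255.255.0
    next
end
config system ha
    set priority 200
end
config router static
    edit 1
        set priority 10
    next
end
'''

def retarget_backup(text, hostname, mgmt_if, mgmt_ip, priority):
    """Rewrite hostname, mgmt IP and HA priority; return (new_text, changed)."""
    # (enclosing blocks, setting name) -> new value; other lines pass through.
    targets = {
        (("config system global",), "hostname"): f'"{hostname}"',
        (("config system interface", f'edit "{mgmt_if}"'), "ip"): mgmt_ip,
        (("config system ha",), "priority"): str(priority),
    }
    stack, out, changed = [], [], set()
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(("config ", "edit ")):
            stack.append(s)
        elif s == "next" and stack and stack[-1].startswith("edit "):
            stack.pop()
        elif s == "end":
            while stack and stack.pop().startswith("edit "):
                pass  # drop any unclosed edit, then the config block itself
        else:
            m = re.match(r"(\s*set\s+)(\S+)\s", line)
            if m and (tuple(stack), m.group(2)) in targets:
                line = m.group(1) + m.group(2) + " " + targets[tuple(stack), m.group(2)]
                changed.add(m.group(2))
        out.append(line)
    return "\n".join(out) + "\n", changed
```

If a name is missing from the returned `changed` set, that setting was not present in the backup and has to be set on B by hand.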