New Member
May 11, 2026
Question

Questions about changing ha cluster parameters

    Dear Community,

    I have three questions about changing parameters in a production environment HA cluster. This cluster has two hw FortiGates at one location, which work nicely. Now I have to add a third one, but this time it should be at another location. So I have to prepare the working cluster to add a far third one.

    1) I would like to make the HA cluster more latency tolerant. Current config:
    hb-lost-threshold 3
    hb-interval 2
    hb-interval-in-milliseconds 100ms

    Is it enough to raise only the hb-lost-threshold, or should I change the hb-interval as well?
    And more importantly, what should be the changing sequence of these parameters? Should we change one parameter at once on the primary and secondary member?

    2) My dedicated hb interfaces are directly connected with a cable, and set up so that the sync packets use this HA interface. Now I would like to change this so that all packets related to HA go through a switch/VLAN.
    So I have to add a new HA interface (port1 through the switch) with lower priority than the ha interface, change the sync packets' source to this port1, and lastly change the ha and port1 priority in order to make port1 the higher priority. (And maybe disconnect the direct HA cable before adding the third new FortiGate to the cluster.)

    The question here is also: what is the suggested exact procedure to accomplish these steps without too much risk? Are there any drawbacks in these steps? Should all steps be made at once on the primary and secondary?

    3) The HA password. Well.. yes.. It is unknown.
    Is there any way to read it from a dump (HA encryption/authentication is disabled)?
    If I have to change this, the question is again: how to do it in order to avoid cluster split brain?
    Change it at once on primary and secondary?

    Any suggestions appreciated!

    Thank you very much!

    Krisztian

5 replies

skkAuthor
New Member
May 11, 2026

Forgot to mention: FortiGate 900G, 7.0.15

fabs-net
Explorer III
May 11, 2026

Hi,

Just a quick input regarding 3).

It should be possible to copy/paste the whole “config system ha” configuration snippet from one of the existing HA members to the new device.

The snippet includes the encrypted HA password, which will usually work without any problems on another FGT with the same firmware.
Just take care of the priority parameter in an a-p setup.


KR

Every packet has a journey.
skkAuthor
New Member
May 11, 2026

It is a very useful post! Thank you very much!

Toshi_Esumi
SuperUser
May 11, 2026

I wouldn't change the threshold but change the interval (increase). The options for milliseconds are 100ms and 10ms. You can't increase.

Your plan to add a new secondary hb connection should work fine. But I would just isolate those secondaries first, then change the current hb connections with a switch.

You can probably simply copy "config sys ha->show full | grep password" then paste that "set password ENC" command line into the new FGT. But this KB says the existing secondary gets it synced. So you just need to put the same password at the new FGT.
https://community.fortinet.com/fortigate-3/technical-tip-fortigate-ha-password-change-and-re-election-process-179748

Toshi
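
Added example, not part of any post in this thread: a Python sketch that reads a `config system ha` block, computes how long heartbeats can be missing before a peer is declared lost (hb-interval × unit × hb-lost-threshold), and flags heartbeat authentication/encryption that is not enabled, which matters once heartbeats cross a switch/VLAN. The sample config is constructed from the values quoted in the question, and `worst_gap_ms` is a hypothetical measurement of the longest delay spike on the inter-site path.

```python
import re

# Constructed sample: heartbeat values and the disabled authentication/
# encryption state are taken from the question; the layout is illustrative.
SAMPLE_HA_CONFIG = """\
config system ha
    set hb-interval 2
    set hb-interval-in-milliseconds 100ms
    set hb-lost-threshold 3
    set authentication disable
    set encryption disable
end
"""

def parse_ha_block(text):
    """Collect top-level 'set <key> <value>' pairs of 'config system ha'."""
    settings, depth = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            # Enter the HA block, or descend into a nested sub-block of it.
            depth = depth + 1 if (depth or line == "config system ha") else 0
        elif line == "end" and depth:
            depth -= 1
            if depth == 0:
                break
        elif depth == 1:
            m = re.match(r"set\s+(\S+)\s+(.+)", line)
            if m:
                settings[m.group(1)] = m.group(2).strip('"')
    return settings

def detection_window_ms(s):
    """Silence on the heartbeat link after which the peer counts as lost."""
    unit_ms = int(s["hb-interval-in-milliseconds"].removesuffix("ms"))
    return int(s["hb-interval"]) * unit_ms * int(s["hb-lost-threshold"])

def review(text, worst_gap_ms):
    """worst_gap_ms: hypothetical longest delay spike seen on the new path."""
    s = parse_ha_block(text)
    window = detection_window_ms(s)
    findings = []
    if worst_gap_ms >= window:
        findings.append(f"gap {worst_gap_ms} ms >= window {window} ms")
    for key in ("authentication", "encryption"):
        if s.get(key) != "enable":  # absent from the output or 'disable'
            findings.append(f"heartbeat {key} not enabled")
    return window, findings
```

With the values from the question, `review(SAMPLE_HA_CONFIG, worst_gap_ms=800)` reports a 600 ms window and three findings; raising `hb-interval` to 4 doubles the window to 1200 ms.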

skkAuthor
New Member
May 15, 2026

Thank you very much for your answer!