Article Id 196781


This article explains how to configure VRRP between a FortiGate unit and a Cisco router.


FortiOS firmware version 4.0 MR3
FortiOS firmware version 5.0.x


VRRP can only be configured in the CLI.
FortiGate configuration:
config system interface
    edit "port1"
        set vdom "root"
        set ip
        set allowaccess ping ssh http
        set type physical
        set vrrp-virtual-mac enable
        config vrrp
            edit 40
                set vrip
            next
        end
    next
end

Cisco router configuration:
Note: For authoritative guidance on configuring Cisco equipment, refer to the product documentation for that equipment. Fortinet Technical Support cannot provide assistance with the configuration, operation, or troubleshooting of third-party equipment.
interface FastEthernet0/0
 ip address
 duplex auto
 speed auto
 vrrp 40 ip

When configuring VRRP, it is important to ensure that the Group-IDs are the same. In the FortiGate configuration, this is the “edit 40” setting, and it must match the Group-ID configured on the Cisco router as “vrrp 40 ip…”. If these values do not match, VRRP will not negotiate correctly.
It is also important to ensure the following command is issued on the FortiGate network interface. This enables the VRRP virtual MAC address between the two devices:
set vrrp-virtual-mac enable
The following debug command shows the error below when the Group-IDs do not match.
diagnose debug application vrrpd -1
[vrrp_vrt_leave_master:995]: internal, vrid 40, vrip, (255 1 1)
[vrrp_vrt_goto_master:963]: internal, vrid 40, vrip, (255 1 1)
[vrrp_packet_proc:1411]: cannot find vrt (11, 39)
[vrrp_packet_proc:1411]: cannot find vrt (11, 39)
[vrrp_packet_proc:1411]: cannot find vrt (11, 39)    <- Group-ID 39 is misconfigured on the router
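
The mismatch check described above can be automated over captured debug output. This Python script is an added example, not part of the original article or of any Fortinet tooling; the sample text is constructed from the lines shown above, and the function name and the treatment of the first number in the tuple as an opaque value are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the debug output shown in the article
# (addresses are absent there, so they are absent here too).
SAMPLE_DEBUG = """\
[vrrp_vrt_leave_master:995]: internal, vrid 40, vrip, (255 1 1)
[vrrp_vrt_goto_master:963]: internal, vrid 40, vrip, (255 1 1)
[vrrp_packet_proc:1411]: cannot find vrt (11, 39)
[vrrp_packet_proc:1411]: cannot find vrt (11, 39)
[vrrp_packet_proc:1411]: cannot find vrt (11, 39)
"""

# State-transition lines carry the interface name and the local VRID.
LOCAL_RE = re.compile(r"^\[vrrp_vrt_\w+:\d+\]:\s*([^,\s]+),\s*vrid\s+(\d+)")
# "cannot find vrt (a, b)": per the article's annotation, b is the Group-ID
# the peer is using. The meaning of a is not stated on the page, so it is
# matched but otherwise ignored (assumption).
UNKNOWN_RE = re.compile(r"cannot find vrt \((\d+),\s*(\d+)\)")


def find_vrid_mismatches(debug_text):
    """Return (local_vrids, unmatched) parsed from vrrpd debug text.

    local_vrids: set of (interface, vrid) seen in state-transition lines.
    unmatched:   Counter of Group-IDs reported as "cannot find vrt".
    """
    local_vrids = set()
    unmatched = Counter()
    for line in debug_text.splitlines():
        line = line.strip()
        m = LOCAL_RE.search(line)
        if m:
            local_vrids.add((m.group(1), int(m.group(2))))
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            unmatched[int(m.group(2))] += 1
    return local_vrids, unmatched


if __name__ == "__main__":
    local, bad = find_vrid_mismatches(SAMPLE_DEBUG)
    configured = sorted(vrid for _, vrid in local)
    for vrid, count in sorted(bad.items()):
        print(f"Group-ID {vrid} seen {count}x but not configured locally; "
              f"local VRIDs: {configured}")
```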

Other related commands:
The vrdst setting monitors a next hop address. Should this monitoring fail, the FortiGate unit will go into a Backup State. This is similar to the track function on a Cisco router.
config vrrp
     edit 40
         set vrdst <ip address>
VRRP “preempt” and “priority” are also available:
config vrrp
        edit 40
            set preempt  <enable/disable>   (enabled is the default)
            set priority <1-255>            (100 is the default)
To display the VRRP configuration and status:
get router info vrrp
Interface: internal, primary IP address:
  UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
  VRID: 40
    vrip:, priority: 255, state: MASTER
    adv_interval: 1, preempt: 1, start_time: 3

For more details on the VRRP configuration options, please refer to the FortiOS CLI Reference guide.