FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 192732
This article describes best practices for Heartbeat interfaces in FGCP high availability.

Fortinet suggests the following practices related to heartbeat interfaces:

- Configure at least two heartbeat interfaces and set these interfaces to have different priorities. For example;
# config system ha
    set hbdev "ha" 150 "mgmt" 100
- For clusters of two FortiGate units, as much as possible, heartbeat interfaces have to be directly connected using patch cables (without involving other network equipment such as switches).
If switches have to be used, do not use it for other network traffic that can flood the switches and cause heartbeat delays.

- If it is not possible to use a dedicated switch, the use of a dedicated VLAN can help limit the broadcast domain to protect the heartbeat traffic and the bandwidth it creates.
- For clusters of three or four FortiGates, use switches to connect heartbeat interfaces. The corresponding heartbeat interface of each FortiGate in the cluster has to be connected to the same switch. To improve redundancy, use a different switch for each heartbeat interface. In that way, if the switch connecting one of the heartbeat interfaces fails or is unplugged, heartbeat traffic can continue on the other heartbeat interfaces and switch.
- Isolate heartbeat interfaces from user networks. Heartbeat packets contain sensitive cluster configuration information and can consume a considerable amount of network bandwidth. If the cluster consists of two FortiGates, connect the heartbeat interfaces directly using a crossover cable or a regular Ethernet cable. For clusters with more than two units, connect heartbeat interfaces to a separate switch that is not connected to any network.
- If heartbeat traffic cannot be isolated from user networks, enable heartbeat message encryption and authentication to protect cluster information. Both are disabled by default.
# config system ha
    set encryption {enable | disable}        <----- Enable/disable heartbeat message encryption.
    set authentication {enable | disable}    <----- Enable/disable heartbeat message authentication.
- Configure and connect redundant heartbeat interfaces so that if one heartbeat interface fails or becomes disconnected, HA heartbeat traffic can continue to be transmitted using the backup heartbeat interface.
If heartbeat communication fails, all cluster members will think there are the primary unit resulting in multiple units on the network with the same IP addresses and MAC addresses (condition referred to as Split Brain) and communication will be disrupted until heartbeat communication can be reestablished.

- Do not monitor dedicated heartbeat interfaces; monitor those interfaces whose failure should trigger a unit failover.
- Where possible at least one heartbeat interface should not be connected to an NP4 or NP6 processor to avoid NP4 or NP6-related problems from affecting heartbeat traffic.
- Where possible, the heartbeat interfaces should not be connected to an NP4 or NP6 processor that is also processing network traffic.
- Where possible, each heartbeat interface should be connected to a different NP4 or NP6 processor.
- Any FortiGate interface can be used as a heartbeat interface including 10/100/1000Base-T, SFP, QSFP fiber and copper, and so on. If two or more interfaces are set up as heartbeat interfaces, each interface can be a different type and speed.

Do not use a FortiGate switch port for the HA heartbeat traffic.
If no HA interface is available, convert a switch port to an individual interface.

Related documents.

Related Articles

Technical Tip: Changing the HA heartbeat timers to prevent false fail over