FortiGate
ciordan
Staff
Article Id 197794
Description
If an existing device will be part of a cluster, make sure the heartbeat interface does not have sniffer mode enabled. Adding the interface to the HA config is possible, but it will not be used to form a cluster.

Solution
If a port was used in a firewall sniffer config and later added as a heartbeat interface for an HA solution, it will not send HA control packets.

Example:
#config system ha
    set group-name "fortinet_cluster"
    set mode a-p
    set password test
    set hbdev "port4" 50
    set override enable
end
Below is the status of the cluster. The slave is not discovered:
#get sys ha status
HA Health Status:
    WARNING: FGT3HD*********1 has hbdev down;
Model: FortiGate-300D
Mode: HA A-P
Group: 0
Debug: 0
Cluster Uptime: 0 days 0:1:19
Cluster state change time: 2019-11-07 06:38:25
Master selected using:
    <2019/11/07 06:38:25> FGT3HD*********1 <----- is selected as the master because it's the only member in the cluster.
ses_pickup: disable
override: enable
System Usage stats:
    FGT3HD*********1(updated 4 seconds ago):
        sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=26%
HBDEV stats:
    FGT3HD*********1(updated 4 seconds ago):
        port4: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
Master: FGT3HD*********1, FGT3HD*********1, cluster index = 0
number of vcluster: 1
vcluster 1: work 169.***.*.1
Master: FGT3HD*********1, operating cluster index = 0

The config of port4. Notice the ips-sniffer-mode enable setting:
#show sys int port4
    config system interface
     edit "port4"
         set vdom "root"
         set ips-sniffer-mode enable
         set type physical
         set snmp-index 6
     next
 end
Trying to disable it returns the following error:
#conf sys interface
    edit port4
    set ips-sniffer-mode disable
Cannot change sniff mode when the interface is used by a policy or a zone.
attribute set operator error, -1, discard the setting
Command fail. Return code -1.

Check the firewall sniffer config:
#show firewall sniffer
   
    edit 1
        set logtraffic all
        set ipv6 enable
        set non-ip enable
        set interface "port4"
        set application-list-status enable
        set application-list "sniffer-profile"
        set ips-sensor-status enable
        set ips-sensor "sniffer-profile"
        set av-profile-status enable
        set av-profile "sniffer-profile"
        set webfilter-profile-status enable
        set webfilter-profile "sniffer-profile"
    next

Delete the entry which contains the heartbeat port:
#config firewall sniffer
    delete 1
end
Check the HA status again. The cluster is formed:
#get sys ha status
HA Health Status: OK
Model: FortiGate-300D
Mode: HA A-P
Group: 0
Debug: 0
Cluster Uptime: 0 days 0:15:11
Cluster state change time: 2019-11-07 06:40:01
Master selected using:
    <2019/11/07 06:40:01> FGT3HD*********0 <----- is selected as the master because it has the largest value of override priority.
    <2019/11/07 06:25:02> FGT3HD*********0 <----- is selected as the master because it's the only member in the cluster.
ses_pickup: disable
override: enable
Configuration Status:
    FGT3HD*********0(updated 0 seconds ago): in-sync
    FGT3HD*********1(updated 7 seconds ago): in-sync
System Usage stats:
    FGT3HD*********0(updated 0 seconds ago):
        sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=26%
    FGT3HD*********1(updated 7 seconds ago):
        sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=26%
HBDEV stats:
    FGT3HD*********0(updated 0 seconds ago):
        port4: physical/1000full, up, rx-bytes/packets/dropped/errors=139366/1566/0/0, tx=3922815/2758/0/0
    FGT3HD*********1(updated 7 seconds ago):
        port4: physical/1000full, up, rx-bytes/packets/dropped/errors=75331/187/0/0, tx=11725/53/0/0
Master: FGT3HD*********0, FGT3HD*********0, cluster index = 0
Slave : FGT3HD*********1, FGT3HD*********1, cluster index = 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master: FGT3HD*********0, operating cluster index = 0
Slave : FGT3HD*********1, operating cluster index = 1
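
The same check can be run offline against a saved configuration backup before a device joins a cluster. The Python script below is an added example, not part of the original article or of any Fortinet tooling: it lists every hbdev interface that has ips-sniffer-mode enabled or is referenced by a firewall sniffer entry. The sample configuration is constructed, the function names are hypothetical, and it assumes the usual backup layout in which top-level config/end lines are not indented.

```python
import re

# Constructed sample modeled on the port4 example above (not from a real device).
SAMPLE_CONFIG = '''\
config system interface
    edit "port4"
        set ips-sniffer-mode enable
    next
end
config system ha
    set hbdev "port4" 50 "port3" 100
end
config firewall sniffer
    edit 1
        set interface "port4"
    next
end
'''

def section(config, name):
    """Return the stripped lines inside a top-level 'config <name>' ... 'end' block."""
    body, inside = [], False
    for line in config.splitlines():
        if not inside:
            inside = line == "config " + name
        elif line == "end":  # an unindented 'end' closes the top-level block
            break
        else:
            body.append(line.strip())
    return body

def hbdev_sniffer_conflicts(config):
    """Map each heartbeat interface to the config entries that put it in sniffer mode."""
    hbdevs = {n for l in section(config, "system ha")
              if l.startswith("set hbdev ") for n in re.findall(r'"([^"]+)"', l)}
    conflicts = {}
    for sect in ("system interface", "firewall sniffer"):
        entry = None
        for l in section(config, sect):
            port = None
            if l.startswith("edit "):
                entry = l[5:].strip('"')  # interface name or sniffer entry id
            elif sect == "system interface" and l == "set ips-sniffer-mode enable":
                port = entry
            elif sect == "firewall sniffer" and l.startswith("set interface "):
                port = (re.findall(r'"([^"]+)"', l) or [None])[0]
            if port in hbdevs:
                conflicts.setdefault(port, []).append(f"{sect}: edit {entry}")
    return conflicts
```

An empty result means no heartbeat interface is tied to sniffer mode; for the sample above, port4 is reported for both the interface setting and sniffer entry 1.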
