| Description | This article describes some technical considerations when FortiGate devices in an HA Cluster, Active-Passive mode, after a failover continue to load the secondary unit which previously was the primary. | |||||||||||||||
| Scope | FortiGate, H-A. | |||||||||||||||
| Solution |
This is the description of the reason for this unexpected behavior that is not an issue. The following network diagram is used to illustrate this article :
The reason is linked to the firewall policy in proxy mode. The unit that starts the analysis needs to collect the entire file transported over the HTTPS session before giving a security verdict.
For this reason, the unit needs to analyze the file till the end of the session, even after a failover. Once the session is finished its traffic is not processed anymore by the secondary unit. All the sessions started after the failover will be processed by the new primary unit. After a certain time, the secondary unit stops being loaded.
Session on both units:
The primary and the secondary comparisons show the details of this behavior. The unit that created the session when it was primarily marked it as 'synced', and the unit which received the session after a HA sync action reported it as 'syn_ses'.
Both units report active traffic for the related flows. The actual primary forwards the packets without analyzing them and for this reason, it can offload the traffic. The secondary receives the packets and needs to send them to the antivirus profile, which is the reason why it cannot offload the traffic. |
Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Spring Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: FortiGate HA A-P (Active-Passive) c...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.