FortiGate
Shilpa1
Staff
Article Id 249745
Description

This article describes the criteria for selecting the primary unit in a FortiGate High Availability (HA) cluster, depending on whether the override feature is enabled or disabled. 

The criteria include the number of operationally UP Monitored interfaces, HA uptime, priority, and serial number of the devices.

Scope

FortiGate.
Solution

Confirm whether override is enabled using the following command:

 

show system ha

 


 

Primary unit selection criteria when override is disabled (MUPS):

  1. The device that has the higher number of operationally UP Monitored interfaces (M).
  2. The device that has the highest HA Uptime, not the unit uptime (U).
  3. The device that has the highest Priority (P).
  4. The device that has the highest Serial Number (S).

 

Additional note:

If the HA uptime difference between the two units is less than 5 minutes (300 seconds), Priority is considered instead, as per the 4th point below. This usually happens during an HA cluster firmware upgrade: if an upgrade between clusters happens in less than 5 minutes, the primary is selected based on the highest Priority.

 

To check the uptime of the HA cluster members:

Technical Tip: How to verify HA cluster members individual uptime 

 

Some points to remember about primary unit selection:

  • The FGCP compares primary unit selection criteria in the following order: Failed Monitored interfaces -> Age -> Device Priority -> Serial number. The selection process stops at the first criterion that selects one cluster unit.
  • Negotiation and primary unit selection are triggered if a cluster unit fails or if a monitored interface fails.
  • If the HA age difference is more than 5 minutes (300 seconds), the cluster unit that is operating longer becomes the primary unit.
  • If the HA age difference is less than 5 minutes (300 seconds), the device priority will be checked first. If the priority value is the same on both devices, the FortiGate will select based on serial number to become the primary unit.
  • Every time a monitored interface fails, the HA age of the cluster unit is reset to 0.
  • Every time a cluster unit restarts, the HA age of the cluster unit is reset to 0.

 

Primary unit selection criteria when override is enabled (MPUS):

  1. The device that has the higher number of operationally UP Monitored interfaces (M).
  2. The device that has the highest Priority (P).
  3. The device that has the highest HA Uptime, not the unit uptime (U).
  4. The device that has the highest Serial Number (S).
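
The two orderings above (MUPS with override disabled, MPUS with override enabled) and the 5-minute HA uptime margin, modelled for a two-unit cluster. This is an added example, not Fortinet code and not part of the original article. Assumptions: the `Unit` fields, the name `select_primary` and the sample serial numbers are hypothetical, serial numbers are compared as plain strings, a difference of exactly 300 seconds counts as inside the margin, and the margin is applied in both orderings.

```python
from dataclasses import dataclass

AGE_MARGIN_S = 300  # 5-minute HA uptime margin stated in the article


@dataclass(frozen=True)
class Unit:                 # hypothetical model of one cluster member
    serial: str
    monitored_up: int       # monitored interfaces that are operationally UP
    ha_uptime_s: int        # HA uptime (age) in seconds, not unit uptime
    priority: int


def _uptime(a, b):
    diff = a.ha_uptime_s - b.ha_uptime_s
    # Assumption: a difference of exactly 300 s counts as inside the margin.
    return diff if abs(diff) > AGE_MARGIN_S else 0


CRITERIA = {
    "monitor": lambda a, b: a.monitored_up - b.monitored_up,
    "uptime": _uptime,
    "priority": lambda a, b: a.priority - b.priority,
    # Assumption: serial numbers are compared as plain strings.
    "serial": lambda a, b: (a.serial > b.serial) - (a.serial < b.serial),
}
MUPS = ("monitor", "uptime", "priority", "serial")   # override disabled
MPUS = ("monitor", "priority", "uptime", "serial")   # override enabled


def select_primary(a, b, override=False):
    """Return (winning unit, criterion that decided) for a two-unit cluster."""
    for name in (MPUS if override else MUPS):
        result = CRITERIA[name](a, b)
        if result:                      # stop at the first criterion that decides
            return (a if result > 0 else b), name
    raise ValueError("units are indistinguishable (same serial number)")


if __name__ == "__main__":
    # Constructed sample units; the serial numbers are placeholders.
    fgt_a = Unit("FGT-SAMPLE-0001", 2, 4000, 100)
    fgt_b = Unit("FGT-SAMPLE-0002", 2, 1000, 200)
    for override in (False, True):
        unit, why = select_primary(fgt_a, fgt_b, override)
        print(f"override={override}: {unit.serial} wins on {why}")
```

With these sample values the longer-running unit wins when override is disabled, and the higher-priority unit wins when override is enabled.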

 

Related articles:

Primary unit selection with override disabled (default)

Primary unit selection with override enabled