Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vjoshi_FTNT
Staff
Staff

Created on ‎12-13-2004 12:00 AM Edited on ‎08-07-2025 05:03 AM By Staff & Editor

Article Id 193933

Technical Tip: FortiGate HA and dynamic interface support (DHCP, PPPoE)

Description

 

This article describes how FortiGate works in HA with dynamic interfaces (DHCP, PPPoE).

 

Scope

 

FortiGate.

 

Solution

 

DHCP and PPPOE Support for Active-Passive Mode.

 

Fortinet recommends turning on DHCP or PPPoE to be turned on for an interface after the cluster has been configured.

 

Note: If an interface is configured for DHCP or PPPoE, turning on high availability may result in the interface receiving an incorrect address or not being able to connect to the DHCP or PPPoE server correctly.

 

If any of the FortiGate interfaces have DHCP or PPPoE enabled, HA cannot be enabled or vice versa.

 

Case 1: DHCP is already enabled on the Interface already and to enable HA:

 

From the GUI, when the mode is changed from Standalone to a-p or a-a and select 'Apply', HA mode will switch back to standalone without any error.

 

From CLI, the only mode available under HA is ‘standalone’, which means the HA is not supported.

 

FGT1KD-2# config system ha

FGT1KD-2 (ha) # set mode standalone   

 

The system may run in HA A-A or HA A-P mode only when all interfaces are NOT using DHCP/PPPoE as an addressing mode.

 

Case 2: If the HA is already enabled with a-p or a-a mode and now the mode of the interface is changed from manual to DHCP or PPPoE, the error 'Cannot set mode to DHCP or PPPoE when HA is on' will appear.

 

In HA A-P mode, when the Interface mode is changed from Manual to PPPoE/DHCP, the Interface mode will switch without any error.

 

In HA A-A mode, configuring an interface with mode 'PPPoE' and 'DHCP' is not supported; attempting to change the mode from Manual to PPPoE/DHCP would result in the error 'Cannot set mode to 'PPPoE' while HA is in Active-Active mode'.

 

Error In CLI:

 

set mode pppoe
Cannot set mode to 'PPPoE' when HA is in Active-Active mode
node_check_object fail! for mode pppoe

value parse error before 'pppoe'
Command fail. Return code -217

 

Error In GUI:

 

akileshc_0-1668766502621.png

 

Note: The option to configure it with HA A-A mode will be unavailable.

 

In CLI:

 

#config system ha

(ha) # set mode
standalone Standalone mode.
a-p Active-passive mode.

 

In GUI:

 

akileshc_1-1668767210123.png

 

To perform PPoE debug if the connection is not coming up:

 

diagnose debug reset

diagnose debug disable

diagnose debug app pppoed -1

diagnose debug app ppp -1

diagnose debug enable

 

To stop:

diagnose debug disable

18703
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.