Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kcheng
Staff
Staff

Created on ‎07-01-2021 12:02 AM Edited on ‎11-11-2024 11:59 PM By Moderator

Article Id 195019

Technical Tip: FortiGate HA failover due to memory utilization

Description

 

This article describes how to configure and validate HA failover due to memory utilization.

The new feature is included in FortiOS 7.0.0 onward and 7.2.0 onward (but not available in 6.4.x) to allow HA failover due to memory utilization.

In the scenario where the existing master’s memory utilization exceeds the threshold configured by the administrator for a specific amount of time.

Note:
The value used is a demonstration purpose, a higher threshold shall be configured in a production environment to prevent frequent failover of the HA master.

 

Important :

Override must be disabled on BOTH Primary and Secondary. Otherwise, there will be another failover immediately based on priority and the old primary will become master again with high memory usage:

Primary unit selection with override enabled.

 

Scope

 

FortiGate.

Solution


Initial Configuration.

In the existing environment, an HA pair with an A-P setup is configured with FortiOS 7.0.0. As visible from the following print screen, FortiGate with hostname Kancil-kvm39 is selected as the master as it was configured with higher priority:

 
The current memory utilization of the FortiGate where the Primary FortiGate is currently had memory utilization of 64% and slave unit on 49%.
 
Testing.

To demonstrate memory-based failover based on this scenario, the following parameters are used for testing purposes:
 
config system ha
    set memory-based-failover enable
    set memory-failover-threshold 62 <-- The memory usage threshold to trigger a memory-based failover, in percentage (0 - 95, 0 = use the conserve mode threshold, default = 0).
    set memory-failover-monitor-period 300
    set memory-failover-sample-rate 1
    set memory-failover-flip-timeout 6
end
 
Once the above is configured, HA failover due to memory utilization is appropriately configured.
The commands above will trigger failover when the memory usage on the Primary unit exceeds 62% for 300 seconds (5 minutes).
If the memory usage on the Kancil-kvm39 goes below 62%, while memory utilization on Iriz-kvm58 rises above 62%, a second failover will occur.
 
However, the failover due to memory utilization will occur only after the timeout period that was set in memory-failover-flip-timeout. In this example, a second failover will only occur after 6 minutes from the first memory-based failover.

If both FortiGates memory utilization is above the threshold (62% in this example), no failover will be triggered.

Verification.

To verify that memory-based HA failover is working, turn on the debug message for hatalk with the following command:
 
diagnose debug application hatalk -1
diagnose debug enable <-- A message indicating that mem-failover-flag changed will be shown in the debug messages:
 

Login into the FortiGate and notice that the failover secondary appears:
 
Labels:
11455
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.