FortiGate
larsbollas
Staff
Article Id 329359


Description

This article explains the workaround to apply when DHCP is enabled on both FortiGates in a VRRP cluster.

Scope

FortiGate.

Solution

When a FortiGate is in a VRRP cluster with another FortiGate (or another device that supports VRRP) and DHCP is enabled on both devices, the two DHCP servers run independently of each other. During a VRRP failover, there is a chance that the standby VRRP device, once it becomes active, will lease an IPv4 address that overlaps with one already leased by the former active device.

The ideal setup in a VRRP environment is a separate, dedicated DHCP server. Because the DHCP servers on the two devices are independent, layer 2 devices on the same network can otherwise see multiple DHCP servers at once.


If there is no dedicated DHCP server, it is possible to split the DHCP address pool between the two FortiGates so that neither device can lease an IPv4 address from the other's range in the event of a VRRP failover.


From GUI:

  • FortiGate-A:

[Screenshot: FortiGateA-dhcp.PNG]

  • FortiGate-B:

[Screenshot: FortiGateB-dhcp.PNG]

From CLI:

FortiGate-A # show system dhcp server
    config system dhcp server
        edit 1
            set dns-service default
            set default-gateway 192.168.1.3 <----- VRRP gateway IP.
            set netmask 255.255.255.0
            set interface "port2"
                config ip-range
                    edit 1
                        set start-ip 192.168.1.2 <----- First half of the pool.
                        set end-ip 192.168.1.127
                    next
                end
            next
        end


FortiGate-B # show system dhcp server
    config system dhcp server
        edit 1
            set dns-service default
            set default-gateway 192.168.1.3 <----- Same VRRP gateway IP.
            set netmask 255.255.255.0
            set interface "port2"
                config ip-range
                    edit 1
                        set start-ip 192.168.1.128 <----- Second half of the pool; no overlap with FortiGate-A.
                        set end-ip 192.168.1.254
                    next
                end
            next
        end
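As an added example (not part of the original article or of FortiOS), the following Python script computes a non-overlapping split of a subnet's host addresses between the two FortiGates, skips reserved addresses so that neither pool contains them, checks that the two pools do not intersect, and renders the ip-range entries in the CLI syntax shown above. It goes slightly beyond the article by emitting several ip-range entries when a reserved address falls inside one half. 192.168.1.3 is the VRRP gateway from the article; treating 192.168.1.1 and 192.168.1.2 as the two units' own port2 addresses is an assumption.

```python
import ipaddress

def contiguous_runs(addrs):
    """Group sorted IPv4Address objects into (start, end) runs with no
    gaps, so a run never spans an address removed as reserved."""
    runs = []
    for a in addrs:
        if runs and runs[-1][1] + 1 == a:
            runs[-1][1] = a
        else:
            runs.append([a, a])
    return [(str(s), str(e)) for s, e in runs]

def split_dhcp_pool(network, reserved):
    """Divide the usable hosts of `network` between two FortiGates,
    skipping `reserved` (VRRP virtual IP, each unit's own port IP).
    Returns (ranges_for_A, ranges_for_B), each a list of (start, end)."""
    net = ipaddress.ip_network(network)
    skip = {ipaddress.ip_address(r) for r in reserved}
    hosts = [h for h in net.hosts() if h not in skip]
    half = len(hosts) // 2
    return contiguous_runs(hosts[:half]), contiguous_runs(hosts[half:])

def overlapping(ranges_a, ranges_b):
    """True if any lease range of A intersects any lease range of B."""
    def ints(rs):
        return [(int(ipaddress.ip_address(s)), int(ipaddress.ip_address(e)))
                for s, e in rs]
    return any(sa <= eb and sb <= ea
               for sa, ea in ints(ranges_a) for sb, eb in ints(ranges_b))

def render_fortios(ranges, gateway, netmask, interface):
    """Emit the 'config system dhcp server' block in FortiOS CLI syntax."""
    lines = ["config system dhcp server", "    edit 1",
             "        set dns-service default",
             f"        set default-gateway {gateway}",
             f"        set netmask {netmask}",
             f'        set interface "{interface}"',
             "        config ip-range"]
    for i, (start, end) in enumerate(ranges, 1):
        lines += [f"            edit {i}", f"                set start-ip {start}",
                  f"                set end-ip {end}", "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed input: .3 is the VRRP gateway from the article; .1 and .2
    # are assumed to be the two units' own port2 addresses.
    a, b = split_dhcp_pool("192.168.1.0/24", ["192.168.1.1", "192.168.1.2", "192.168.1.3"])
    print(render_fortios(a, "192.168.1.3", "255.255.255.0", "port2"))
```

Paste the rendered block for A on FortiGate-A and the block for B on FortiGate-B; the overlapping() check is the test to run before committing either.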
