FortiGate
Article Id 194255

Description

This article describes how FortiGate units in an HA cluster exchange information using heartbeat communication. Each FortiGate unit's heartbeat interface is automatically assigned an IP address. This article provides technical information about how that heartbeat communication and address assignment work.

Scope

FortiGate.

Solution

The FGCP (FortiGate Clustering Protocol) heartbeat operates on TCP port 703. The default time interval between HA heartbeats is 200 ms. The heartbeat IP addresses are assigned based on the serial number of each device. The IP address 169.254.0.1 is assigned to the device with the highest serial number and the IP address 169.254.0.2 is assigned to the second highest serial number and so on.

The IP address assignment remains unchanged during a failover, regardless of whether a device is acting as the primary or secondary unit. However, the heartbeat IP addresses may change when a FortiGate device joins or leaves the cluster. In such cases, the cluster renegotiates the heartbeat IP assignment, taking into account the serial number of any newly added device or dropping the serial number of a departed device.
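The assignment rule described above (highest serial number gets 169.254.0.1, next highest gets 169.254.0.2, and so on, recomputed only when membership changes, never on failover) can be modelled in a few lines. The following is an added illustration, not Fortinet code and not the FGCP implementation: it assumes serial numbers compare as fixed-width strings, uses 169.254.0.0 as the base derived from the addresses quoted on this page, and the serial numbers in it are constructed sample values.

```python
import ipaddress

# Base of the link-local heartbeat range. Assumption: derived from the
# 169.254.0.1 / 169.254.0.2 addresses cited in the article.
HEARTBEAT_BASE = ipaddress.IPv4Address("169.254.0.0")


def assign_heartbeat_ips(serials):
    """Return {serial: heartbeat IP} following the FGCP rule on the page:
    the highest serial gets 169.254.0.1, the next highest 169.254.0.2, ...
    Assumption: FortiGate serials are fixed-width strings, so plain string
    ordering is used to decide which serial is 'highest'."""
    ordered = sorted(set(serials), reverse=True)
    return {
        serial: str(HEARTBEAT_BASE + index)
        for index, serial in enumerate(ordered, start=1)
    }


def renegotiate(current_serials, joined=(), left=()):
    """Recompute the assignment after a unit joins or leaves the cluster.
    Membership is the only input: which unit is primary is irrelevant,
    which is why a failover alone never changes the heartbeat IPs."""
    members = (set(current_serials) | set(joined)) - set(left)
    return assign_heartbeat_ips(members)


def heartbeat_ip_for(serials, serial):
    """Convenience lookup for one unit's heartbeat IP in a given cluster."""
    return assign_heartbeat_ips(serials)[serial]


if __name__ == "__main__":
    # Constructed sample serials, not real devices.
    cluster = ["FGT60FTK20000001", "FGT60FTK20000002"]
    print("initial:", assign_heartbeat_ips(cluster))
    # A third unit with a higher serial joins: it takes 169.254.0.1 and the
    # existing units shift down, exactly the renegotiation the article describes.
    print("after join:", renegotiate(cluster, joined=["FGT60FTK20000003"]))
    # It leaves again: the original assignment is restored.
    print("after leave:", renegotiate(cluster + ["FGT60FTK20000003"],
                                      left=["FGT60FTK20000003"]))
```

Running the script shows the highest serial always holding 169.254.0.1 and the other units renumbering only when the membership set changes; a primary/secondary role swap has no effect on the result because role is not an input to the assignment.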

Both HA heartbeat and data traffic are supported on the same FortiGate interface. All heartbeat communication takes place on a separate VDOM called vsys_ha. Heartbeat traffic uses a virtual interface called port_ha in the vsys_ha VDOM. Data and heartbeat traffic use the same physical interface, but they are logically separated into separate VDOMs.

These IPs are non-routable and are used for FGCP operations only.

Related article:

Technical Tip: Best practices for Heartbeat interfaces in FGCP high availability