vrajendran
Staff
Article Id 196568

Description

 
This article explains the override wait time option, which addresses an issue seen when the HA override option is enabled in an Active-Passive deployment: during failback, the former primary unit reclaims the primary role and causes a network interruption.

With the override-wait-time option configured under the HA settings, the former primary unit waits for a number of seconds before taking back the primary role. This ensures that all sessions and routing tables have been completely synced.
 
The override wait time can only be configured when the HA override is enabled, and it is only activated after a unit boots up. For example, it is not activated after a failover triggered by the monitor interface, or when HA is changed from standalone mode to A-P or A-A mode.
 
Scope
 
FortiGate.


Solution

 
Non-virtual cluster environment.

Configure this option on the unit where override is enabled and which has the higher priority. In a non-virtual cluster setup, this is usually the primary unit.
 
config system ha
    set override-wait-time <n sec>
end
 
Here is an example of a working HA setting:
 
config system ha
    set group-name "HA_cluster"
    set mode a-p
    set hbdev "port27" 100 "port28" 100
    set session-pickup enable
    set override enable              <-- Ensure override is enabled.
    set override-wait-time 120       <--  Enable this command.
    set priority 200
end
 
Virtual cluster environment.
In a virtual cluster environment, some deployments require a VDOM to run on the passive (secondary) unit so that both devices are active at the same time. This resembles an Active-Active deployment, but the cluster is in fact still configured as Active-Passive.

The setting is the same and is applied to the device that has the higher priority. Below is a sample of the setup.

Primary HA setting:
 
config system ha
    set group-name "HA_cluster"
    set mode a-p
    set hbdev "port27" 100 "port28" 100
    set session-pickup enable
    set vcluster2 enable
    set override enable              <--  Ensure override is enabled.
    set override-wait-time 120       <--  override-wait-time.
    set priority 200
        config secondary-vcluster
            set override enable          <--  Ensure override is enabled.
            set priority 100
            set monitor "port9" "port10"
            set vdom "WANFW"
        end
end
 
Secondary HA setting:
 
config system ha
    set group-name "HA_cluster"
    set mode a-p
    set hbdev "port27" 100 "port28" 100
    set session-pickup enable
    set vcluster2 enable
    set override enable               <-- Ensure override is enabled.
    set priority 100
        config secondary-vcluster
            set override enable         <-- Ensure override is enabled.
            set override-wait-time 120  <-- override-wait-time.
            set priority 200
            set monitor "port9" "port10"
            set vdom "WANFW"
        end
end
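
The placement rules above can be checked offline against saved 'config system ha' output from both units. The following is an added example, not Fortinet code: the names parse_ha and audit, the labels vcluster1/vcluster2, and the fallback priority of 128 are assumptions of this sketch, and the sample configs are constructed by trimming the virtual-cluster settings shown above.

```python
def parse_ha(text):  # returns the 'set' values per virtual cluster
    scopes = {"vcluster1": {}, "vcluster2": {}}  # labels chosen for this example
    current = "vcluster1"
    for raw in text.splitlines():
        line = raw.split("<--")[0].strip()  # drop KB-style "<--" annotations
        if line.startswith("config secondary-vcluster"):
            current = "vcluster2"
        elif line == "end":
            current = "vcluster1"
        elif line.startswith("set "):
            _, key, *value = line.split(None, 2)
            scopes[current][key] = value[0] if value else ""
    return scopes

def audit(units):  # units: {unit name: 'config system ha' text}
    findings = []
    for scope in ("vcluster1", "vcluster2"):
        cfgs = {n: s for n, t in units.items() if (s := parse_ha(t)[scope])}
        # The unit with the higher priority reclaims this virtual cluster.
        # 128 is assumed as the priority when none is set.
        owner = max(cfgs, key=lambda n: int(cfgs[n].get("priority", 128)), default=None)
        for name, c in cfgs.items():
            override = c.get("override") == "enable"
            wait = int(c.get("override-wait-time", 0))
            if wait and not override:
                findings.append(f"{name}/{scope}: wait time set without override")
            if name == owner and override and not wait:
                findings.append(f"{name}/{scope}: override owner has no wait time")
    return findings

# Constructed samples, trimmed from the virtual-cluster settings shown above.
PRIMARY = """config system ha
    set override enable
    set override-wait-time 120
    set priority 200
    config secondary-vcluster
        set override enable
        set priority 100
    end
end"""
SECONDARY = """config system ha
    set override enable
    set priority 100
    config secondary-vcluster
        set override enable
        set override-wait-time 120
        set priority 200
    end
end"""
```

Calling audit({"primary": PRIMARY, "secondary": SECONDARY}) returns an empty list for this layout; a misspelled or missing wait time on the higher-priority unit of either virtual cluster is reported as a finding.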