spathak
Staff
Article Id 198142

Description


This article describes how to access the secondary unit of the HA cluster via CLI.

Scope


FortiOS v6.2 and above.

Solution


In the HA cluster (Active-Active or Active-Passive) access to both units via CLI is possible.
To access the secondary unit via CLI, refer to the following command:

 

execute ha manage [HA Cluster Index ID] [username]  <----- Where HA Cluster Index ID can be 0 or 1.

 

A further login prompt is presented for the password in the second unit. 

[username]@password: [password]

 

The 'HA Cluster Index ID' can be found using the command below:

get system ha status 

 

The end of the output shows the operating cluster index, which is each unit's individual HA cluster index ID, together with the corresponding serial number, as shown below:

 

HA Health Status: OK
Model: FortiGate-VM64
Mode: HA A-P
Group: 100
Debug: 0
Cluster Uptime: 0 days 365:39:28
Cluster state change time: 2020-03-30 17:18:09

.

.

Primary: Primary , FGVM04TM1xxxx, cluster index = 1
Secondary: Secondary , FGVM04TM1xxxx, cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.2
Primary: FGVM04TM1xxxx, operating cluster index = 0
Secondary: FGVM04TM1xxxx, operating cluster index = 1

 

Another method to retrieve the available units and corresponding indices:

 

execute ha manage ?

 

Example:

 

execute ha manage 1 EXAMPLE    <----- 1 is the ID of the secondary unit and EXAMPLE is the admin username.

EXAMPLE@password:              <----- The password entered here will not be visible.

 

View the resulting session under Dashboard -> Status -> Active Administrator Sessions.



If layer 3 unicast is not enabled in the HA setting, the IP address used by each unit to access the other with this method is 169.254.0.1 (primary unit) and 169.254.0.2 (secondary unit) by default.

Any system logon event showing 169.254.0.1 and 169.254.0.2, as in the example below, indicates that the admin session was established from the other HA unit with the method described in this article:

 

date=2025-01-28 time=00:21:03 eventtime=1738023663554439770 tz="+0000" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1738023663" user="admin" ui="ssh(169.254.0.1)" method="ssh" srcip=169.254.0.1 dstip=169.254.0.2 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from ssh(169.254.0.1)"
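The check described above can be run over exported event logs. The following Python is an added example, not part of the original article and not Fortinet code: it parses FortiOS key=value event lines and reports admin logins whose source and destination are the two default HA addresses. The function names and the second and third sample lines are constructed for illustration, and it assumes the default 169.254.0.1/169.254.0.2 addressing (layer 3 unicast not enabled).

```python
import re

# Default addresses the units use to reach each other per the article
# (assumption: layer 3 unicast is not enabled in the HA settings).
HA_PEERS = {"169.254.0.1": "primary", "169.254.0.2": "secondary"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

def parse_event(line):
    """Turn one FortiOS key=value log line into a dict, unquoting values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}

def ha_hop_logins(lines):
    """Return admin login events that originated from the peer HA unit."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("subtype") != "system" or ev.get("action") != "login":
            continue
        src, dst = ev.get("srcip"), ev.get("dstip")
        if src in HA_PEERS and dst in HA_PEERS and src != dst:
            hits.append({
                "when": f'{ev.get("date")} {ev.get("time")}',
                "user": ev.get("user"),
                "profile": ev.get("profile"),
                "from_unit": HA_PEERS[src],
                "to_unit": HA_PEERS[dst],
                "status": ev.get("status"),
            })
    return hits

# First entry is the article's sample event (trimmed); the other two are constructed.
SAMPLE_LOGS = [
    'date=2025-01-28 time=00:21:03 logid="0100032001" type="event" subtype="system" '
    'user="admin" ui="ssh(169.254.0.1)" method="ssh" srcip=169.254.0.1 '
    'dstip=169.254.0.2 action="login" status="success" profile="super_admin"',
    'date=2025-01-28 time=00:25:40 type="event" subtype="system" '
    'user="admin" ui="ssh(192.0.2.10)" method="ssh" srcip=192.0.2.10 '
    'dstip=192.0.2.1 action="login" status="success" profile="super_admin"',
    'date=2025-01-28 time=00:31:12 type="event" subtype="system" '
    'user="EXAMPLE" ui="ssh(169.254.0.2)" method="ssh" srcip=169.254.0.2 '
    'dstip=169.254.0.1 action="login" status="failed" profile="super_admin"',
]

if __name__ == "__main__":
    for hit in ha_hop_logins(SAMPLE_LOGS):
        print(hit)
```

Correlating each hit with the admin session on the originating unit at the same time shows which administrator made the hop with 'execute ha manage'.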

 

Note:

For versions below v6.2, the command is 'execute ha manage [HA Cluster Index ID]' without a username, and a further login prompt is then presented for both username and password in the second unit.