ManpreetSingh
Article Id 335371
Description This article describes how to configure Virtual Router Redundancy Protocol (VRRP) between two FortiGate Active-Passive (A-P) High Availability (HA) clusters. It explains the concept of VRRP, outlines a typical deployment scenario involving two data centres (DC1 and DC2), and offers step-by-step instructions to set up and verify VRRP on FortiGate devices.
Scope FortiGate.
Solution

VRRP (Virtual Router Redundancy Protocol) makes it possible to configure redundancy between two HA (High Availability) FortiGate clusters. In this setup, VRRP assigns a virtual IP and MAC address shared between master and slave devices. If the master device fails, the slave takes over as the master, ensuring continuity in network traffic.

In this scenario, VRRP must be configured between two FortiGate HA clusters.

In this configuration, there are two FortiGate HA clusters located at two different data centers (DC1 and DC2). Initially, the DC1 cluster acts as the VRRP master with a priority of 200, while the DC2 cluster has a priority of 100 (the device with the higher priority value becomes master). If both devices in DC1 fail, or if DC1 loses connectivity to the LAN, the DC2 cluster takes over as the VRRP master and continues forwarding traffic.
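The election and failover described above can be traced with a small simulation. The following Python is an added example written for this article, not FortiOS code or Fortinet's implementation: it applies the RFC 3768 timer rules (advertisement interval, skew time, master-down interval and preempt) to two routers using the article's priorities (DC1 200, DC2 100) and a 1-second advertisement interval. The failure and recovery times are constructed for illustration, and the router class and function names are the example's own.

```python
"""Simulate VRRP master election and failover between two routers.

Added example for this article, not FortiOS code. Timer rules follow
RFC 3768: Skew_Time = (256 - Priority) / 256 and
Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time.
Priorities (DC1 = 200, DC2 = 100), adv_interval 1 s and preempt on
are the article's values; the fail/recover timeline is constructed.
"""
from dataclasses import dataclass

TICK = 1 / 64  # simulation step in seconds; a power of two keeps the skew times exact


@dataclass
class VrrpRouter:
    name: str
    priority: int            # 1-254; the higher value wins the election
    adv_interval: float = 1.0
    preempt: bool = True
    state: str = "BACKUP"    # BACKUP, MASTER or DOWN
    last_adv_seen: float = 0.0
    next_adv: float = 0.0
    alive: bool = True

    @property
    def skew_time(self) -> float:
        return (256 - self.priority) / 256

    @property
    def master_down_interval(self) -> float:
        return 3 * self.adv_interval + self.skew_time


def receive_advertisement(r: VrrpRouter, adv_priority: int, now: float, log: list) -> None:
    """RFC 3768 receive rules (the tie-break on IP address for equal priorities is not modelled)."""
    if r.state == "MASTER" and adv_priority > r.priority:
        r.state, r.last_adv_seen = "BACKUP", now       # a stronger master appeared: step down
        log.append((now, r.name, "BACKUP"))
    elif r.state == "BACKUP":
        # A backup with preempt enabled discards a weaker master's advertisements,
        # so its master-down timer keeps running and it takes over when it expires.
        if not r.preempt or adv_priority >= r.priority:
            r.last_adv_seen = now                       # reset Master_Down_Timer


def simulate(routers: list, events: dict, duration: float) -> list:
    """Run one VRRP instance shared by `routers` for `duration` seconds.

    `events` maps a time (a multiple of TICK) to a list of (router name, "fail" | "recover").
    Returns every state transition as a (time, router, new_state) tuple.
    """
    by_name = {r.name: r for r in routers}
    log = []
    for step in range(int(round(duration / TICK)) + 1):
        now = step * TICK
        # 1. Scheduled failures and recoveries.
        for name, action in events.get(now, []):
            r = by_name[name]
            if action == "fail":
                r.alive, r.state = False, "DOWN"
            else:  # a recovering router always starts in BACKUP and listens first
                r.alive, r.state, r.last_adv_seen = True, "BACKUP", now
            log.append((now, r.name, r.state))
        # 2. Backups whose master-down timer expired become master and advertise at once.
        for r in routers:
            if r.alive and r.state == "BACKUP" and now - r.last_adv_seen >= r.master_down_interval - 1e-9:
                r.state, r.next_adv = "MASTER", now
                log.append((now, r.name, "MASTER"))
        # 3. Masters send their periodic advertisement to every live peer.
        for r in routers:
            if r.alive and r.state == "MASTER" and now >= r.next_adv - 1e-9:
                r.next_adv = now + r.adv_interval
                for peer in routers:
                    if peer is not r and peer.alive:
                        receive_advertisement(peer, r.priority, now, log)
    return log


def article_scenario(dc1_preempt: bool = True) -> list:
    """DC1 (200) and DC2 (100) share one VRID; DC1 fails at 10.5 s and returns at 30 s (constructed)."""
    dc1 = VrrpRouter("DC1", priority=200, preempt=dc1_preempt)
    dc2 = VrrpRouter("DC2", priority=100)
    events = {10.5: [("DC1", "fail")], 30.0: [("DC1", "recover")]}
    return simulate([dc1, dc2], events, duration=40.0)


if __name__ == "__main__":
    for t, name, state in article_scenario():
        print(f"t={t:9.6f}s  {name} -> {state}")
```

Running it shows DC1 winning the initial election because its shorter skew time fires first, DC2 taking over roughly 3.6 s after the last advertisement it received, and DC1 reclaiming the virtual IP after it returns. With preempt disabled on DC1, the same timeline leaves DC2 as master after DC1 recovers, which is the behaviour controlled by the preempt field shown in the verification output.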

Configuration Steps:

Configure VRRP on the DC1 Cluster Primary:

    • Configure VRRP on port3 of the DC1 primary FortiGate.
    • Set the VRRP virtual IP to 192.168.180.254. The secondary HA firewall will automatically sync this configuration.
    • Configure LAN users to use the VRRP virtual IP 192.168.180.254 as their gateway.

config system interface
    edit "port3"
        set ip 192.168.180.3 255.255.255.0
        set allowaccess https ping
        config vrrp
            edit 1
                set vrip 192.168.180.254
                set priority 200
            next
        end
    next
end

Similarly, configure VRRP on the DC2 cluster primary, with the lower priority:

config system interface
    edit "port3"
        set ip 192.168.180.2 255.255.255.0
        set allowaccess https ping
        config vrrp
            edit 1
                set vrip 192.168.180.254
                set priority 100
            next
        end
    next
end

Verification:

To verify the VRRP status on the DC1 primary device, use the following command. In the output below, DC1 is the HA primary and holds the VRRP MASTER state.

get router info vrrp
Interface: port3, primary IP address: 192.168.180.3
  UseVMAC: 0, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
  HA mode: primary (0:0:4) VRRP master number: 1
  VRID: 1 verion: 2
    vrip: 192.168.180.254, priority: 200 (200,0), state: MASTER
    adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
    master_adv_interval: 100, accept: 1
    vrmac: 00:09:0f:09:01:02
    vrdst:
    vrgrp: 0
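For ongoing monitoring, the output of get router info vrrp can be parsed and compared against the intended design (DC1 MASTER with priority 200, DC2 BACKUP with priority 100), and the two nodes' outputs can be checked together for a split-brain condition in which both claim MASTER for the same virtual IP. The following Python is an added example, not Fortinet code: DC1_OUTPUT is the verification output shown above, DC2_OUTPUT is constructed from it for the DC2 side, and the parser and check functions, including their names, are assumptions of the example.

```python
"""Parse FortiGate 'get router info vrrp' output and check it against the design.

Added example for this article, not Fortinet code. DC1_OUTPUT is the
article's own verification output; DC2_OUTPUT is constructed from it.
"""
import re

DC1_OUTPUT = """\
Interface: port3, primary IP address: 192.168.180.3
  UseVMAC: 0, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
  HA mode: primary (0:0:4) VRRP master number: 1
  VRID: 1 verion: 2
    vrip: 192.168.180.254, priority: 200 (200,0), state: MASTER
    adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
    master_adv_interval: 100, accept: 1
    vrmac: 00:09:0f:09:01:02
    vrdst:
    vrgrp: 0
"""

# Constructed counterpart for the DC2 primary (priority 100, BACKUP); not captured from a device.
DC2_OUTPUT = (DC1_OUTPUT.replace("192.168.180.3", "192.168.180.2")
              .replace("priority: 200 (200,0)", "priority: 100 (100,0)")
              .replace("state: MASTER", "state: BACKUP"))

PAIR_RE = re.compile(r"(\w+):\s*([^\s,]*)")   # "key: value" pairs, comma- or space-separated


def parse_vrrp_status(text: str) -> dict:
    """Return interface, primary IP, HA mode and one dict per VRID found in the output."""
    result = {"interface": None, "primary_ip": None, "ha_mode": None, "instances": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Interface:"):
            m = re.match(r"Interface:\s*(\S+),\s*primary IP address:\s*(\S+)", line)
            result["interface"], result["primary_ip"] = m.group(1), m.group(2)
        elif line.startswith("HA mode:"):
            result["ha_mode"] = line.split(":", 1)[1].split()[0]
        elif line.startswith("VRID:"):
            # FortiOS prints the version field as "verion"; match either spelling.
            m = re.match(r"VRID:\s*(\d+)\s+ver\w*:\s*(\d+)", line)
            current = {"vrid": int(m.group(1)), "version": int(m.group(2))}
            result["instances"].append(current)
        elif current is not None:
            for key, value in PAIR_RE.findall(line):
                current[key] = int(value) if value.isdigit() else value
    return result


def check_node(status: dict, expected_state: str, expected_priority: int, vrid: int = 1) -> list:
    """Return findings for one node; an empty list means it matches the design."""
    findings = []
    inst = next((i for i in status["instances"] if i["vrid"] == vrid), None)
    if inst is None:
        return [f"VRID {vrid} is not configured on {status['interface']}"]
    if inst.get("state") != expected_state:
        findings.append(f"state is {inst.get('state')}, expected {expected_state}")
    if inst.get("priority") != expected_priority:
        findings.append(f"priority is {inst.get('priority')}, expected {expected_priority}")
    if inst.get("preempt") != 1:
        findings.append("preempt is disabled, so the designed master will not reclaim the virtual IP")
    return findings


def detect_split_brain(statuses: list) -> list:
    """Flag every (vrid, vrip) that more than one node reports as MASTER."""
    masters = {}
    for s in statuses:
        for inst in s["instances"]:
            if inst.get("state") == "MASTER":
                masters.setdefault((inst["vrid"], inst.get("vrip")), []).append(s["primary_ip"])
    return [(vrid, vrip, ips) for (vrid, vrip), ips in masters.items() if len(ips) > 1]


if __name__ == "__main__":
    dc1, dc2 = parse_vrrp_status(DC1_OUTPUT), parse_vrrp_status(DC2_OUTPUT)
    print("DC1 findings:", check_node(dc1, "MASTER", 200))
    print("DC2 findings:", check_node(dc2, "BACKUP", 100))
    print("split-brain:", detect_split_brain([dc1, dc2]))
```

Both nodes reporting MASTER for the same vrip usually means the clusters can no longer see each other's advertisements on the shared LAN segment, so the split-brain check is worth running from a collector that polls both clusters rather than from either cluster alone.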