Description
This article describes how to reboot only the secondary firewall unit in an HA cluster without interrupting services in the primary device.
Scope
FortiOS.
Solution
Run the following command on the primary FortiGate to identify the HA cluster members, their roles, and index ID:
Primary (global) # get system ha status
HA Health Status: OK
Model: FortiGate-VM64
Mode: HA A-P
Group: 100
Debug: 0
Cluster Uptime: 0 days 0:39:28
Cluster state change time: 2025-10-23 08:18:09
Primary selected using:
<2025/10/23 08:18:09> FGVM04TM19-----3 is selected as the primary because it has the largest value of uptime.
<2025/10/23 08:15:46> FGVM04TM19-----4 is selected as the primary because it has the largest value of uptime.
<2025/10/23 07:39:47> FGVM04TM19-----3 is selected as the primary because it has the largest value of override priority.
<2025/10/23 07:39:00> FGVM04TM19-----3 is selected as the primary because it's the only member in the cluster.
ses_pickup: enable, ses_pickup_delay=disable
override: enable
Configuration Status:
FGVM04TM19-----3(updated 4 seconds ago): in-sync
FGVM04TM19-----4(updated 2 seconds ago): in-sync
System Usage stats:
FGVM04TM19-----3(updated 4 seconds ago):
sessions=25, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=63%
FGVM04TM19-----4(updated 2 seconds ago):
sessions=16, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=61%
HBDEV stats:
FGVM04TM19-----3(updated 4 seconds ago):
port10: physical/10000full, up, rx-bytes/packets/dropped/errors=8409460/31503/0/0, tx=35385838/37462/0/0
FGVM04TM19-----4(updated 2 seconds ago):
port10: physical/10000full, up, rx-bytes/packets/dropped/errors=33122327/35969/0/0, tx=8409529/31458/0/0
MONDEV stats:
FGVM04TM19-----3(updated 4 seconds ago):
port3: physical/10000full, up, rx-bytes/packets/dropped/errors=10471996/40295/0/0, tx=840/14/0/0
FGVM04TM19-----4(updated 2 seconds ago):
port3: physical/10000full, up, rx-bytes/packets/dropped/errors=4344523/15513/0/0, tx=360/6/0/0
Primary: Primary , FGVM04TM19-----3, cluster index = 0
Secondary: Secondary , FGVM04TM19-----4, cluster index = 1
number of vcluster: 1
vcluster 1: work 169.254.0.2
Primary: FGVM04TM19-----3, operating cluster index = 0
Secondary: FGVM04TM19-----4, operating cluster index = 1
Login to the secondary FortiGate via SSH/Console on the primary FortiGate.
execute ha manage <index-ID> <admin-username>
After logging in to the secondary FortiGate, run 'execute reboot'.
In this case, there will be no interruption in traffic since all of the traffic will be flowing from the primary FortiGate and only the secondary FortiGate will be rebooted.
For example:
Primary # execute ha manage 0 admin <- Log in to the slave firewall via SSH.
Warning: Permanently added '169.254.0.1' (ED25519) to the list of known hosts.
Secondary # execute reboot <- Logging in to the secondary firewall succeeded. Run the reboot command now.
This operation will reboot the system !
Do you want to continue? (y/n)y
System is rebooting...
System Event logs in the secondary Firewall:
To shut down each FortiGate in an HA cluster using the GUI when a management interface reservation has been set up, follow the steps below:
- Access and log into the secondary FortiGate using the GUI (make sure to do this step on the secondary unit at first).
- In the upper right corner, select the administrator account currently logged in (in this case, it is admin).
- Select 'system' and 'shut down' as shown in the following screenshot:
- Wait for the active unit to shut down completely.
- Log in to the FortiGate GUI of the primary unit.
- Repeat the same steps as shown in the following screenshot:
Note: Shutting down both units from the GUI requires having a management interface reservation set up on both units.
Related article:
Technical Tip: How to verify HA cluster members individual uptime
