FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 265887

This article describes how to setup FortiGate-VM A-P HA on AWS within one zone.





  • Assuming that the VPC, Subnets (Subnet Association), Route Table, and Internet Gateway has already been configured and attached to the corresponding Entities.

Refer to the below documents:

Creating a VPC and subnets.

Attaching the new VPC Internet gateway.

Creating routing tables and associate subnets.


Layout :

Port1: External (Public) interface that is connected to the Internet.

Port2: Internal Interface that is connected to the Private network.

Port3: Dedicated HA Heartbeat Interface.

Port4: Dedicated Management Interface. It is not necessary but it allows to connect directly to individual devices in the cluster if the AWS Failover failed for any reason.


Note: To be able to attach at Least 4 Network Interface, the Instances ('VM') size in AWS Must contains at least 4 vCPUs.


Port1 needs to be on the same Subnet.

Port2 needs to be on the same Subnet.

Port3 needs to be on the same Subnet.

Port4 needs to be on the same Subnet.


  • Ensure that two FortiGates exist in the same VPC and AZ. The two FortiGates must also have the same build of FortiOS (FGT_VM64_AWS or FGT_VM64_AWSONDEMAND) installed.
  • If using FGT_VM64_AWS, ensure that both FortiGates have valid licenses.
  • Log in to the AWS management console and navigate to the EC2.

Refer to the below document:

Deploying FortiGate-VM from AWS marketplace.


  • Select 'EC2' followed by 'Instances', and then proceed to 'Launch an Instance'.
  • The EC2 Instance needs to be named, and in this case, the name assigned is 'Primary_Fortigate'.
  • Select the Application and OS Images (Amazon Machine Image) by selecting them.




  • Explore additional AMIs and opt for the FortiGate from the AWS Marketplace AMIs.




  • Select the Fortinet FortiGate (BYOL) next-Generation Firewall (BYOL/'Pay as you go').




  • After selecting the image mentioned above, all the parameters will be displayed as shown below.




  • For the purpose of this demonstration, the c6i.xlarge instance has been automatically chosen, and it is important to ensure the same instance type is selected when configuring the Another Instance, which will serve as the Secondary FortiGate.




  • The Key Pair name is selected appropriately to facilitate Instance management through Putty using the provided credentials. It is worth noting that no Key Pair has been used in this example.




  • Choose the appropriate VPC, which is Fortinet_VPC, and then select the Public Subnet.
  • Disable the Auto-Assign Public IP option since, for this demonstration, it will explicitly provide the Elastic Public IP address.




  • Customize the Security Group based on the network requirements. The Security Group allows to control the incoming and outgoing traffic to and from the EC2 instances. In this example, all traffic is permitted from any source.







Refer to the below document :

Adding network interfaces and elastic IP addresses to the FortiGate-VMs.


  • Launch the EC2 instance.
  • Launch the other EC2 instance following the above steps as for the Primary EC2 instance.
  • To access the FortiGate, select the Primary EC2 Instance and obtain the Public IPv4 address. Open the address in a browser.
  • Once accessed, use 'admin' as the default username and the instance ID as the password, which can be found under the Instance ID by selecting the respective Instance. It will prompt to change the password. Afterward, the License can be uploaded to the FortiGate.
  • Similarly, it is possible to configure the Secondary FortiGate Instance and follow the above steps and upload the License.

The below example demonstrates both the FortiGate Instance state is running and Status check 2/2 checks passed




HA Configuration.

Primary FGT HA configuration:


PrimaryFGT # config system ha

PrimaryFGT (ha) # set mode a-p

PrimaryFGT (ha) # set group-name TAC

PrimaryFGT (ha) # set hbdev port3 50

PrimaryFGT (ha) # set password fortinet

PrimaryFGT (ha) # set session-pickup enable

PrimaryFGT (ha) # set session-pickup-connectionless enable

PrimaryFGT (ha) # set ha-mgmt-status enable

PrimaryFGT (ha) # config ha-mgmt-interfaces

PrimaryFGT (0) # set interface port4 -> (Choose the port accordingly).

PrimaryFGT (0) # set gateway

<class_ip>    Class A,B,C ip

PrimaryFGT (0) # set gateway x.x.x.x

PrimaryFGT (0) # show

config ha-mgmt-interfaces

    edit 1

        set interface "port4"

        set gateway x.x.x.x




PrimaryFGT (0) # end


PrimaryFGT (ha) # set unicast-hb enable

PrimaryFGT (ha) # set unicast-hb-peerip y.y.y.y (It has to be peer FGT heartbeat IP address).

PrimaryFGT (ha) # set priority 200  -> (Priority on the primary should be higher).

PrimaryFGT (ha) # end


Secondary Fortigate HA Configuration :


SecondaryFGT # config system ha

SecondaryFGT (ha) # set mode a-p

SecondaryFGT (ha) # set group-name TAC

SecondaryFGT(ha) # set hbdev port3 50

SecondaryFGT (ha) # set password fortinet

SecondaryFGT(ha) # set session-pickup enable

SecondaryFGT(ha) # set session-pickup-connectionless enable

SecondaryFGT(ha) # set ha-mgmt-status enable

SecondaryFGT(ha) # config ha-mgmt-interfaces

SecondaryFGT (0) # set interface port4 -> (Choose the same port above).

PrimaryFGT (0) # set gateway

<class_ip>    Class A,B,C ip

SecondaryFGT(0) # set gateway x.x.x.x

SecondaryFGT (0) # show

config ha-mgmt-interfaces

    edit 1

        set interface "port4"

        set gateway x.x.x.x




SecondaryFGT (0) # end

SecondaryFGT(ha) # set unicast-hb enable

SecondaryFGT(ha) # set unicast-hb-peerip a.a.a.a (It has to be peer FGT heartbeat IP address).

SecondaryFGT(ha) # set priority 100

SecondaryFGT(ha) # end




FGVM08TM22005241 # diagnose sys ha status

HA information


        traffic.local = s:0 p:76747 b:19422007 = s:0 p:76747 b:19423443

        activity.ha_id_changes = 2

        activity.fdb  = c:0 q:0


Model=80008, Mode=2 Group=0 Debug=0

nvcluster=1, ses_pickup=1, delay=0


[Debug_Zone HA information]

HA group member information: is_manage_primary=1.

FGVM08TM22005241:      Primary, serialno_prio=0, usr_priority=200, hostname=FGVM08TM22005241

FGVM08TM22005240:    Secondary, serialno_prio=1, usr_priority=100, hostname=FGVM08TM22005240


[Kernel HA information]

vcluster 1, state=work, primary_ip=, primary_id=0

FGVM08TM22005241:      Primary, ha_prio/o_ha_prio=0/0

FGVM08TM22005240:    Secondary, ha_prio/o_ha_prio=1/1


FGVM08TM22005241 #


Related document:

Deploying FortiGate-VM A-P HA on AWS within one zone.