FortiGate
SivaS
Article Id 415084
Description This article describes the protocols and ports used for communication between FortiGate high availability (HA) cluster members.
Scope FortiGate.
Solution

When deploying FortiGate High Availability (HA), it is essential to understand the protocols and ports used for communication between cluster members. This knowledge supports proper network design and firewall rule configuration, and helps with troubleshooting HA synchronization or failover issues.

FortiGate High Availability (FGCP) uses a combination of Layer 2 EtherType packets, TCP/UDP services, and ESP encapsulation to synchronize configuration, sessions, and control information between the primary and secondary units in the cluster.

| Port / EtherType | Protocol / Traffic | Function | Notes |
|---|---|---|---|
| TCP/703, UDP/703 | FGCP | HA synchronization (cluster control and management) | Primary control channel between HA members. Handles role negotiation and failover logic. |
| EtherType 0x8890 | FGCP / FGSP | Heartbeat (NAT mode) | Layer 2 heartbeat messages are exchanged between HA peers to detect health and status. |
| EtherType 0x8891 | FGCP | Heartbeat (Transparent mode); traffic redistribution from primary to subordinate | Used in Active-Active HA to redirect traffic between primary and subordinate units. |
| EtherType 0x8892 | FGCP / FGSP | Session synchronization | Session sync over the HA link when session-sync-dev is configured. |
| EtherType 0x8893 | FGCP / FGSP | Configuration synchronization; HA telnet sessions | Syncs configuration when session-sync-dev is not used. |
| UDP/708 | FGCP / FGSP | Session and configuration synchronization | Used for session sync over routed networks (L3). Encapsulates sync traffic instead of using EtherType. |
| TCP/23 | FGSP (fallback) | Legacy heartbeat | Used only in special or fallback scenarios. |
| ESP (IPsec) | FGCP / FGSP | Encrypted heartbeat and sync | Used to securely transport HA traffic over routed or untrusted networks (AES-128 + SHA-1). |
| UDP/730 | FGCP | Unicast heartbeat for Azure | Specific to Microsoft Azure deployments for reliable unicast heartbeat in virtual networks. |


Notes

• EtherType packets (0x8890–0x8893) are sent over the dedicated HA link between FortiGates.
• All session synchronization traffic uses UDP/708 between the primary and subordinate units, encapsulated with 0x8892 when session-sync-dev is configured or 0x8893 over the heartbeat interface when it is not.
• Active-Active HA specifically relies on 0x8891 to distribute sessions to subordinate units.
• The ESP-encapsulated heartbeat improves security by encrypting and authenticating HA control traffic.
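When troubleshooting an HA link it helps to see which table row a captured frame belongs to. The following is an added example (not Fortinet code) that classifies a raw Ethernet frame, such as one read from a packet capture on the heartbeat interface, against the EtherTypes, TCP/UDP ports and ESP protocol listed above; the frame-builder helper and every sample frame are constructed for illustration, not taken from a real capture.

```python
import struct

# Mappings transcribed from the article's table (added example, not Fortinet code).
HA_ETHERTYPES = {
    0x8890: "FGCP/FGSP heartbeat (NAT mode)",
    0x8891: "FGCP heartbeat (transparent mode) / A-A traffic redistribution",
    0x8892: "FGCP/FGSP session synchronization",
    0x8893: "FGCP/FGSP configuration synchronization / HA telnet",
}
HA_L4 = {
    ("tcp", 703): "FGCP HA synchronization (cluster control)",
    ("udp", 703): "FGCP HA synchronization (cluster control)",
    ("udp", 708): "FGCP/FGSP L3 session and configuration sync",
    ("udp", 730): "FGCP unicast heartbeat (Azure)",
    ("tcp", 23): "FGSP legacy/fallback heartbeat",
}

def classify_frame(frame: bytes) -> str:
    """Return the HA function of a raw Ethernet frame, or 'not HA traffic'."""
    if len(frame) < 14:
        return "truncated frame"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == 0x8100 and len(frame) >= 18:  # strip one 802.1Q VLAN tag
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype in HA_ETHERTYPES:                # L2 heartbeat / sync frames
        return HA_ETHERTYPES[ethertype]
    if ethertype != 0x0800 or len(frame) < offset + 20:
        return "not HA traffic"                   # non-IPv4 or truncated IPv4 header
    ip = frame[offset:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length incl. options
    proto = ip[9]
    payload = ip[ihl:]
    if proto == 50:                               # ESP: ports are hidden by encryption
        return "FGCP/FGSP ESP-encapsulated heartbeat/sync"
    if proto in (6, 17) and len(payload) >= 4:
        name = "tcp" if proto == 6 else "udp"
        sport, dport = struct.unpack("!HH", payload[:4])
        for port in (dport, sport):               # either side may use the HA port
            if (name, port) in HA_L4:
                return HA_L4[(name, port)]
    return "not HA traffic"

def build_ipv4_frame(proto: int, sport: int = 0, dport: int = 0) -> bytes:
    """Constructed minimal IPv4 frame for testing (zeroed MACs/addresses, no checksum)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, proto, 0, 0]) + bytes(8)
    l4 = struct.pack("!HH", sport, dport) + bytes(4) if proto in (6, 17) else b""
    return eth + ip + l4
```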