cbenejean
Staff

Description

This article provides a methodology for replacing an HA slave unit without triggering a failover or losing the cluster configuration.


Scope

FortiOS v4.3 and above.


Solution

When a slave unit is being replaced, it is desirable not to trigger a useless failover, and also to ensure that the "unconfigured" new slave does not take mastership of the cluster and wipe out the configuration.

There are several things to take into account:

1)  Unplug all the old slave cables.

2)  On the master, remove all the monitored interfaces from the HA settings:

config sys ha
    unset monitor
end

3)  On the master, remove all the interfaces monitored through the ping server settings in HA:

config sys ha
    unset pingserver-monitor-interface
end

After this last change, make sure to restart the hatalk process:

Execute diag sys top.
Spot the hatalk process and note its process ID.
Then run diag sys kill 9 <hatalk pid>.

Check the HA status with:

FG1K5D3I15xxxxxx (global) # diag sys ha dump-by vcluster
            HA information.

vcluster_nr=1
vcluster_0: start_time=1507822431(2017-10-12 17:33:51), state/o/chg_time=2(work)/3(standby)/1507822276(2017-10-12 17:31:16)        mondev: WAN(prio=50,is_aggr=1,status=1) port37(prio=50,is_aggr=0,status=0)
        'FG1K5D3I13zzzzzz': ha_prio/o=1/1, link_failure=50(old=50), pingsvr_failure=2, flag=0x00000000, uptime/reset_cnt=156/4
        'FG1K5D3I15xxxxxx': ha_prio/o=0/0, link_failure=50(old=50), pingsvr_failure=2, flag=0x00000001, uptime/reset_cnt=0/17

If pingsvr_failure is not 0, penalties are still applied to this unit. Do not plug in the new slave unit in this case, otherwise the configuration may be wiped out.
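Reading the pingsvr_failure and link_failure counters by eye is error-prone on a large cluster, so the following added script (not Fortinet's code, and not part of the original article) parses the output of diag sys ha dump-by vcluster and refuses to declare the cluster ready while any penalty remains. It assumes the line layout shown above; the sample text is the article's own output with the serials placeholdered exactly as printed. The pingsvr_failure rule comes from the article; treating a non-zero link_failure or a monitored interface with status=0 as blocking is a conservative assumption added here.

```python
import re
from dataclasses import dataclass

# Constructed sample: the dump pasted in the article, minus the CLI prompt.
SAMPLE = """            HA information.

vcluster_nr=1
vcluster_0: start_time=1507822431(2017-10-12 17:33:51), state/o/chg_time=2(work)/3(standby)/1507822276(2017-10-12 17:31:16)        mondev: WAN(prio=50,is_aggr=1,status=1) port37(prio=50,is_aggr=0,status=0)
        'FG1K5D3I13zzzzzz': ha_prio/o=1/1, link_failure=50(old=50), pingsvr_failure=2, flag=0x00000000, uptime/reset_cnt=156/4
        'FG1K5D3I15xxxxxx': ha_prio/o=0/0, link_failure=50(old=50), pingsvr_failure=2, flag=0x00000001, uptime/reset_cnt=0/17
"""

# Constructed "after cleanup" variant: same layout, penalties cleared and the
# monitored port reported up. Used only to show the passing case.
CLEAN_SAMPLE = (
    SAMPLE.replace("pingsvr_failure=2", "pingsvr_failure=0")
    .replace("link_failure=50(old=50)", "link_failure=0(old=0)")
    .replace("status=0", "status=1")
)

# One per-member line: 'SERIAL': ha_prio/o=a/b, link_failure=n(old=m), pingsvr_failure=p, flag=0x..., uptime/reset_cnt=u/r
MEMBER_RE = re.compile(
    r"'(?P<serial>[^']+)':\s*ha_prio/o=(?P<prio>\d+)/\d+,\s*"
    r"link_failure=(?P<link>\d+)\(old=\d+\),\s*"
    r"pingsvr_failure=(?P<ping>\d+),\s*"
    r"flag=(?P<flag>0x[0-9a-fA-F]+),\s*"
    r"uptime/reset_cnt=(?P<uptime>\d+)/(?P<reset>\d+)"
)
# The monitored-interface list on the vcluster line: mondev: NAME(prio=..,is_aggr=..,status=..) ...
MONDEV_RE = re.compile(r"mondev:\s*(?P<devs>.*)$", re.MULTILINE)
DEV_RE = re.compile(r"(\w+)\(prio=\d+,is_aggr=\d,status=(\d)\)")


@dataclass
class Member:
    serial: str
    ha_prio: int
    link_failure: int
    pingsvr_failure: int
    flag: int
    uptime: int
    reset_cnt: int


def parse_members(text):
    """Return one Member per quoted-serial line in the dump."""
    return [
        Member(
            serial=m["serial"],
            ha_prio=int(m["prio"]),
            link_failure=int(m["link"]),
            pingsvr_failure=int(m["ping"]),
            flag=int(m["flag"], 16),
            uptime=int(m["uptime"]),
            reset_cnt=int(m["reset"]),
        )
        for m in MEMBER_RE.finditer(text)
    ]


def parse_mondev(text):
    """Return {interface_name: status} for every entry after 'mondev:'."""
    devs = {}
    for block in MONDEV_RE.finditer(text):
        for name, status in DEV_RE.findall(block["devs"]):
            devs[name] = int(status)
    return devs


def ha_readiness(text):
    """Return (ready, problems). ready is True only when no penalty remains."""
    members = parse_members(text)
    problems = []
    if not members:
        problems.append("no cluster members parsed; unexpected output format")
    for m in members:
        if m.pingsvr_failure != 0:  # the article's rule: penalties still applied
            problems.append(f"{m.serial}: pingsvr_failure={m.pingsvr_failure}")
        if m.link_failure != 0:  # assumption added here: link penalty still applied
            problems.append(f"{m.serial}: link_failure={m.link_failure}")
    for name, status in parse_mondev(text).items():
        if status == 0:  # assumption added here: monitor still configured and interface down
            problems.append(f"monitored interface {name} reports status=0")
    return (not problems), problems


if __name__ == "__main__":
    for label, text in (("article dump", SAMPLE), ("cleaned dump", CLEAN_SAMPLE)):
        ready, problems = ha_readiness(text)
        print(f"{label}: {'OK to connect new slave' if ready else 'DO NOT connect yet'}")
        for p in problems:
            print("  -", p)
```

Run it against a saved copy of the dump (or paste the text into SAMPLE) before step 4; the article's own output is correctly reported as not ready, since both members still carry pingsvr_failure=2 and link_failure=50.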

4)  Connect the new slave device to the master, connecting only the HA heartbeat interfaces on the slave.

5)  Configure the HA settings on the slave, except those that rely on interfaces that are not yet connected.

6)  Let the devices synchronize and check the status with the following commands:

diag sys ha status
diag sys ha checksum cluster

During this time, you will be logged out from the slave until it becomes fully synchronized.

7)  When the devices are synchronized, configure the remaining HA settings on the slave first:

config sys ha
    set monitor "<interface1>" "<interface2>" ...
    set pingserver-monitor-interface "<pingserver1>" "<pingserver2>" ...
end

Then configure the same settings on the master.

8)  Plug the remaining cables into the slave.