esalija
Staff
Article Id 325375
Description This article describes the licenses required to create a correct HA Cluster.
Scope FortiGate.
Solution

The FortiGate HA (High Availability) Cluster requires two sets of licenses, one for each FortiGate unit in the cluster.

This is because the HA Cluster involves two physical (or virtual) FortiGate devices that are configured to work together to provide redundancy in case of a failure of one unit.

The GUI of the Primary device will show the expiration date for the contract that will first expire.

 

Note:

As of v7.2.9, v7.4.6, v7.6.1, and above, FortiGate A-P HA clusters support sharing a single FortiGuard service license for both cluster units for the following models:

  • 40F and variants.

  • 60F and variants.

  • 70F and variants.

  • 80F and variants.

  • 100F and variants.

 

The two FortiGate serial numbers will be linked on FortiCare to generate a single virtual Serial Number (vSN), to which the services will be registered.

 

For more information, refer to the following documents:

Single FortiGuard license for FortiGate A-P HA cluster 7.2.9

Single FortiGuard license for FortiGate A-P HA cluster 7.4.6

Single FortiGuard license for FortiGate A-P HA cluster 7.6.1

 

The cluster license can be seen in System -> FortiGuard. No individual license can be viewed when the device is in HA.

 

In the example below, the GUI of the Primary device, FG3H0E1234567XXX, shows the expiration dates of the Secondary device, FG3H0E1234567YYY, which fall on 2024-07-28, because those contracts expire first.

 

Primary: FG3H0E1234567XXX.


| Support Type | Support Level | Activation Date | Expiration Date |
|---|---|---|---|
| Hardware | Advanced HW | 2022-10-23 | 2024-10-22 |
| Firmware & General Updates | Web/Online | 2022-10-23 | 2024-10-22 |
| Enhanced Support | Premium | 2022-10-23 | 2024-10-22 |
| Telephone Support | Premium | 2022-10-23 | 2024-10-22 |
| Advanced Malware Protection | Web/Online | 2022-10-23 | 2024-10-22 |
| FortiGuard IPS Service | Web/Online | 2022-10-23 | 2024-10-22 |
| FortiGuard URL, DNS & Video Filtering Service | Web/Online | 2022-10-23 | 2024-10-22 |
| AntiSpam | Web/Online | 2022-10-23 | 2024-10-22 |

 

Secondary: FG3H0E1234567YYY.

 

| Support Type | Support Level | Activation Date | Expiration Date |
|---|---|---|---|
| Hardware | Advanced HW | 2019-01-30 | 2024-07-28 <------ |
| Firmware & General Updates | Web/Online | 2019-01-30 | 2024-07-28 <------ |
| Enhanced Support | Premium | 2019-01-30 | 2024-07-28 <------ |
| Telephone Support | Premium | 2019-01-30 | 2024-07-28 <------ |
| Advanced Malware Protection | Web/Online | 2019-01-30 | 2024-07-28 <------ |
| FortiGuard IPS Service | Web/Online | 2019-01-30 | 2024-07-28 <------ |
| FortiGuard URL, DNS & Video Filtering Service | Web/Online | 2019-01-30 | 2024-07-28 <------ |
| AntiSpam | Web/Online | 2019-01-30 | 2024-07-28 <------ |

If the Secondary FortiGate is shut down, the Primary FortiGate, FG3H0E1234567XXX, will show the correct contract for that device.

 

For more information, see the article Troubleshooting Tip: Licenses do not show valid dates in HA

 

Requirements to form an HA cluster:

  • The same model. When using FortiGate VMs as cluster members, all VMs must be running on the same platform. For example, a VM running on VMware cannot form a cluster with a VM running on KVM.

  • The same hardware configuration.

  • The same hardware generation. See example: HA unsupported between different FortiGate 90G and 91G series hardware generations.

  • The configured heartbeat ports must be directly connected (recommended) or connected to the same broadcast domain (layer 2 in the OSI model).
  • HA group-id and password must match on each device.
  • If in multi-vdom operation mode, both devices must have the required VDOM license for additional VDOMs. See Technical Tip: Maximum VDOM mismatch causes HA split-brain when additional VDOMs are configured.
  • Ensure that all FortiGate cluster members are registered under a single account.
  • When using a single FortiGuard license for HA with a Virtual Serial Number (vSN), the following setting should be enabled under the HA configuration:


config system ha
    set logical-sn enable
end

 

If the cluster does not form, see v7.6.2 Administration Guide | Troubleshoot an HA formation

Requirements for correct cluster operation, including configuration sync and licensing:

  • Connections should be the same. Some deployments use 'cold-swap', where the secondary cluster device has fewer connections, the HA monitored interface is in use, and failover is done manually by physically moving the connection to the new primary device. However, this is not recommended, and HA heartbeat cables must remain connected at a minimum.
  • Both devices must have the same firmware version. Configuration cannot sync if they have different firmware versions.
  • The operating mode (System) should be the same (NAT or transparent mode).
  • Since February 2025, both units must be registered under the same FortiCloud account. If they are not, the cluster will show as unlicensed. See the articles Troubleshooting Tip: License not updating when FortiGate on HA have Different Account Registration and FGCP
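
The matching requirements above and the "earliest expiry is shown" rule from the licensing example can be checked offline before building a cluster. The script below is an added example, not Fortinet code: the inventory field names, the model and account placeholders and the firmware values are assumptions, and only the serial numbers and contract dates come from the example in this article.

```python
from datetime import date

# Attributes the article says must match on both members.
# Keys are hypothetical inventory fields, not FortiOS output.
MUST_MATCH = {
    "model": "model", "hw_generation": "hardware generation",
    "platform": "VM platform", "ha_group_id": "HA group-id",
    "account": "FortiCloud account", "firmware": "firmware version",
    "op_mode": "operating mode",
}

def preflight(a, b):
    """List mismatches that would break HA formation, sync or licensing."""
    issues = [f"{label}: {a.get(k)!r} vs {b.get(k)!r}"
              for k, label in MUST_MATCH.items() if a.get(k) != b.get(k)]
    # Without the single vSN license, each unit needs its own set of licenses.
    for svc in sorted(set(a["contracts"]) ^ set(b["contracts"])):
        issues.append(f"{svc}: licensed on one member only")
    return issues

def gui_expiry(members):
    """Per service: (date shown on the Primary GUI, serial that expires first)."""
    shown = {}
    for m in members:
        for svc, expires in m["contracts"].items():
            d = date.fromisoformat(expires)
            if svc not in shown or d < shown[svc][0]:
                shown[svc] = (d, m["serial"])
    return shown

# Constructed inventory: serials and dates are the article's example, every
# other value is a placeholder chosen to trigger two findings.
COMMON = {"model": "MODEL-X", "hw_generation": 1, "platform": None,
          "ha_group_id": 10, "op_mode": "nat"}
PRIMARY = {**COMMON, "serial": "FG3H0E1234567XXX", "firmware": "7.4.6",
           "account": "acct-a@example.com",
           "contracts": {"Hardware": "2024-10-22", "AntiSpam": "2024-10-22",
                         "FortiGuard IPS Service": "2024-10-22"}}
SECONDARY = {**COMMON, "serial": "FG3H0E1234567YYY", "firmware": "7.4.5",
             "account": "acct-b@example.com",
             "contracts": {"Hardware": "2024-07-28", "AntiSpam": "2024-07-28",
                           "FortiGuard IPS Service": "2024-07-28"}}

if __name__ == "__main__":
    for issue in preflight(PRIMARY, SECONDARY):
        print("MISMATCH", issue)
    for svc, (d, serial) in gui_expiry([PRIMARY, SECONDARY]).items():
        print(f"{svc}: GUI shows {d} (driven by {serial})")
```

The HA password is deliberately not part of the inventory; compare it on the devices themselves rather than storing it alongside asset data.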

 

To troubleshoot HA licensing issues, see Troubleshooting Tip: License/Subscription fail to update

To troubleshoot HA configuration sync issues, see Troubleshooting Tip: How to troubleshoot HA synchronization issue using GUI and CLI on FortiGate/For...

 

Related article

Technical Tip: Additional Info regarding Single FortiGuard license for FortiGate A-P HA cluster feat...