The FortiGate HA (High Availability) Cluster requires two sets of licenses, one for each FortiGate unit in the cluster.

This is because the HA Cluster involves two physical (or virtual) FortiGate devices that are configured to work together to provide redundancy in case of a failure of one unit.

The GUI of the Primary device will show the expiration date for the contract that will first expire.

Note:

As of v7.2.9, v7.4.6, v7.6.1, and above, FortiGate A-P HA clusters support sharing a single FortiGuard service license for both cluster units for the following models:

• 40F and variants.

• 60F and variants.

• 70F and variants.

• 80F and variants.

• 100F and variants.

The two FortiGate serial numbers will be linked on FortiCare to generate a single virtual Serial Number (vSN), to which the services will be registered.

For more information, refer to the following documents: 

Single FortiGuard license for FortiGate A-P HA cluster 7.2.9

Single FortiGuard license for FortiGate A-P HA cluster 7.4.6

Single FortiGuard license for FortiGate A-P HA cluster 7.6.1

The cluster license can be seen in System -> FortiGuard. No individual license can be viewed when the device is in HA.

In the example below, the GUI of the Primary device, FG3H0E1234567XXX, will be showing the expiration dates for the Secondary device FG3H0E1234567YYY, which will be on 2024-07-28.

Primary: FG3H0E1234567XXX.

Support Type Support Level Activation Date Expiration Date
Hardware Advanced HW 2022-10-23 2024-10-22
Firmware & General Updates Web/Online 2022-10-23 2024-10-22
Enhanced Support Premium 2022-10-23 2024-10-22
Telephone Support Premium 2022-10-23 2024-10-22
Advanced Malware Protection Web/Online 2022-10-23 2024-10-22
FortiGuard IPS Service Web/Online 2022-10-23 2024-10-22
FortiGuard URL, DNS & Video Filtering Service Web/Online 2022-10-23 2024-10-22
AntiSpam Web/Online 2022-10-23 2024-10-22

Secondary: FG3H0E1234567YYY.

Support Type Support Level Activation Date Expiration Date
Hardware Advanced HW 2019-01-30 2024-07-28   <------
Firmware & General Updates Web/Online 2019-01-30 2024-07-28 <------
Enhanced Support Premium 2019-01-30 2024-07-28 <------
Telephone Support Premium 2019-01-30 2024-07-28 <------
Advanced Malware Protection Web/Online 2019-01-30 2024-07-28 <------
FortiGuard IPS Service Web/Online 2019-01-30 2024-07-28 <------
FortiGuard URL, DNS & Video Filtering Service Web/Online 2019-01-30 2024-07-28 <------
AntiSpam Web/Online 2019-01-30 2024-07-28 <------

If shutting down the Secondary FortiGate, the Primary FortiGate FG3H0E1234567XXX will show the correct contract for that device.

For more information, see the article Troubleshooting Tip: Licenses do not show valid dates in HA

Requirements to form an HA cluster:

• The same model. When using  FortiGate VMs as cluster members, all VMs must be running on the same platform. For example, a VM running on VMware cannot form a cluster with a VM running on KVM.

• The same hardware configuration.

• The same hardware generation. See example: HA unsupported between different FortiGate 90G and 91G series hardware generations.

• The configured heartbeat ports must be connected (recommended) or to the same broadcast domain (layer 2 in the OSI model).
• HA group-id and password must match on each device.
• If in multi-VDOM operation mode, both devices must have the required VDOM license for additional VDOMs. See Technical Tip: Maximum VDOM mismatch causes HA split-brain when additional VDOMs are configured.
• Ensure that all FortiGate cluster members are registered under same account.
• In case of a single FortiGuard license for HA using a Virtual Serial Number(vSN), the following settings should be enabled under HA config.

config system ha
    set logical-sn enable
end

If the above setting is not enabled in the FortiGate, then below error is seen in the debug when a manual update is performed, and the licenses will be shown as unlicensed, and the firewall will keep asking to register with FortiCare.

upd_status_extract_contract_info[1277]-Extracting contract...(SerialNumber=FG101FTKXXXXXXXX|PendingRegistration=1|)
upd_status_extract_contract_info[1334]-pending registration(1) support acct() company() industry()
upd_status_extract_contract_info[1342]-valid contract percent=0%

If the cluster does not form, see this document: Troubleshoot an HA formation.

Requirements for correct cluster operation, including configuration sync and licensing:

• Connections should be the same (Some deployments use 'cold-swap' where the secondary cluster device has fewer connections, the HA monitored interface (HA primary unit selection criteria) is in use, and failover is done manually by physically moving the connection to the new primary device. However, this is not recommended, and HA heartbeat cables must remain connected at a minimum.
• Both devices must have the same firmware version. Configuration cannot sync if they have different firmware versions.
• The operating mode (System) should be the same (NAT or transparent mode).
• Since February 2025, both units must be registered under the same FortiCloud account. If they are not, the cluster will show as unlicensed. See the articles Troubleshooting Tip: License not updating when FortiGate on HA have Different Account Registration and FGCP.

To troubleshoot HA licensing issues, see Troubleshooting Tip: License/Subscription fail to update

To troubleshoot HA configuration sync issues, see Troubleshooting Tip: How to troubleshoot HA synchronization issue using GUI and CLI on FortiGate/For...

Related article: 

Technical Tip: Additional Info regarding Single FortiGuard license for FortiGate A-P HA cluster feat...