FortiGate
amrit
Staff & Editor
Article Id 379463
Description: This article describes hardware switch and port group behavior in an HA active-passive setup.
Scope: FortiGate.
Solution

Generally, in an HA active-passive cluster, the FortiGate secondary unit does not respond to ARP requests and does not participate in active communication. Only the primary unit responds, using the virtual MAC address.

Traffic Handling and Failover with HW switch:

  • The hardware switch interface on both units uses the same MAC address. This ensures that communication between devices connected to the switch remains uninterrupted, even if the active unit changes.
  • Devices connected to the switch, regardless of whether they are attached to the primary or secondary unit, can still talk to each other. If the primary unit fails, the secondary unit will automatically take over, and communication continues without any disruption, as the MAC address and interface configuration are identical across both units.
  • If a client device is connected to the hardware switch, and it wants to communicate with another device also connected to the same switch, it can do so without worrying about which unit is currently handling the traffic.
  • If the primary unit fails, the secondary unit assumes control and ensures the MAC address and interface configurations are preserved, so communication between the devices remains uninterrupted.


So, if a hardware switch is used in an HA cluster, a client device on the secondary unit can still communicate with devices connected to the hardware switch on the primary unit. While the secondary unit does not respond to ARP requests, it forwards the traffic to the primary unit’s hardware switch. This is expected behavior. 

HA using a hardware switch to replace a physical switch 


The same behavior applies to high-end devices with port groups. If a device is connected to a port group member on the secondary unit, it can communicate with port group devices on the primary unit.


Traffic Handling and Failover with Port Group:

During a failover, the secondary unit takes control of the port group associated with the hardware switch. This means the physical interfaces, logical interfaces, and VLANs tied to that port group will be managed by the secondary unit without requiring reconfiguration. The failover happens seamlessly, and the same network interfaces continue to function.
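The following configuration is an added example and is not part of the original article: it shows an active-passive HA pair whose LAN side is a hardware switch, which is the setup the hardware switch section above describes. The switch name "lan", the member ports "internal1" to "internal4", the heartbeat ports "ha1"/"ha2", the IP address, the group name and the priorities are assumed values; substitute your own. Lines beginning with # are annotations for the reader, not CLI input. Port groups on high-end platforms are configured differently and are not shown here.

```text
# 1. Hardware switch: identical member ports and switch name on both units,
#    so the switch interface carries the same MAC on primary and secondary
config system virtual-switch
    edit "lan"
        set physical-switch "sw0"
        config port
            edit "internal1"
            next
            edit "internal2"
            next
            edit "internal3"
            next
            edit "internal4"
            next
        end
    next
end

config system interface
    edit "lan"
        set type hard-switch
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping https ssh
    next
end

# 2. HA settings: the same on both units except the priority
#    (heartbeat ports must not be members of the hardware switch)
config system ha
    set group-name "hacluster"
    set mode a-p
    set password <cluster-password>
    set hbdev "ha1" 50 "ha2" 50
    set session-pickup enable
    set override disable
    set priority 200
end
# on the second unit: set priority 100

# 3. Checks once both units have joined the cluster
get system ha status
# shows which unit is Primary and the synchronization state
diagnose hardware deviceinfo nic lan
# Current_HWaddr of the hardware switch interface should match on both units
```

Comparing the Current_HWaddr value of the hardware switch interface on both units is the practical confirmation of the behavior described above: when it matches, hosts on the secondary unit's switch ports keep reaching hosts on the primary unit's ports, and a failover does not change the MAC those hosts have learned.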


Related article:

Technical Tip: FortiOS port groups in high end platforms