- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: Virtual Cluster behavior after use ...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Pedro_FTNT
Staff
Created on
01-29-2025
09:43 PM
Edited on
01-29-2025
09:44 PM
By
Anthony_E
Article Id
373360
| Description | This article describes Virtual Cluster behavior after using 'execute ha failover set [vcluster]'. |
| Scope | FortiGate. |
| Solution |
In this example, FortiGate Cluster has two Virtual Clusters (vcluster): vcluster_1 and vcluster_2.
Cluster: Active-Pasive.
FW_02 as Primary.
FW_01 as Secondary.
FW_02 (global) $ get sys status
Serial-Number: FG3K000000000002
Hostname: FW_02
Current HA mode: a-p, primary
FW_01 (global) $ get sys status
Serial-Number: FG3K000000000001
Hostname: FW_01
Current HA mode: a-p, secondary
FW_02 (global) $ get sys ha status
HA Health Status: OK
Model: FortiGate-3000F
Mode: HA A-P
Group Name: 3000F-HA
Group ID: 1
Debug: 0
Cluster Uptime: 76 days 9h:35m:31s
Cluster state change time: 2024-12-21 02:50:53
Primary selected using:
virtual cluster 1:
<2024/12/21 02:50:53> vcluster-1: FG3K000000000002 is selected as the primary because its uptime is larger than peer member FG3K000000000001. <----- Last HA selection event.
ses_pickup: disable
override:
vcluster_1 disable
vcluster_2 disable
Configuration Status:
FG3K000000000002(updated 1 seconds ago): in-sync <----- Correct Synchronization.
FG3K000000000001(updated 3 seconds ago): in-sync <----- Correct Synchronization.
number of member: 2
FW_02 , FG3K000000000002, HA cluster index = 0
FW_01 , FG3K000000000001, HA cluster index = 1
number of vcluster: 2
vcluster 1: work 169.254.0.1
Primary: FG3K000000000002, HA operating index = 0 <---- FG3K000000000002,Primary.
Secondary: FG3K000000000001, HA operating index = 1 <----- FG3K000000000001,Secondary.
vcluster 2: work 169.254.0.1
Primary: FG3K000000000002, HA operating index = 0 <----- FG3K000000000002,Primary.
Secondary: FG3K000000000001, HA operating index = 1 <----- FG3K000000000001,Secondary.
FW_02 (global) $ di sys ha status
[Debug_Zone HA information]
HA group member information: is_manage_primary=1.
FG3K000000000002: Primary, serialno_prio=0, usr_priority=128, hostname=FW_02<----- FG3K000000000002,Primary.
FG3K000000000001: Secondary, serialno_prio=1, usr_priority=250, hostname=FW_01<----- FG3K000000000001,Secondary.
[Kernel HA information]
vcluster 1, state=work, primary_ip=169.254.0.1, primary_id=0, silent=0
FG3K000000000002: Primary, ha_prio/o_ha_prio=0/0 <----- FW_02,Primary.
FG3K000000000001: Secondary, ha_prio/o_ha_prio=1/1 <----- FW_01,Secondary.
vcluster 2, state=work, primary_ip=169.254.0.1, primary_id=0, silent=0
FG3K000000000002: Primary, ha_prio/o_ha_prio=0/0 <----- FW_2,Primary.
FG3K000000000001: Secondary, ha_prio/o_ha_prio=1/1 <----- FW_01,Secondary.
FW_02 is Primary in vcluster_1 and vcluster_2.
FW_01 is Secondary in vcluster_1 and vcluster_2.
FW_02 (global) $ exe ha failover set
[integer] Virtual cluster ID. Optional; if not given, all virtual clusters are affected.
FW_02 (global) $ exe ha failover set 1
Caution: This command will trigger an HA failover.
It is intended for testing purposes.
Do you want to continue? (y/n)y
FW_02 (global) $ di sys ha status
[Debug_Zone HA information]
HA group member information: is_manage_primary=0.
FG3K000000000002: Secondary, serialno_prio=0, usr_priority=128, hostname=FW_02 -----> FG3K000000000002,Secondary.
FG3K000000000001: Primary, serialno_prio=1, usr_priority=250, hostname=FW_01 -----> FG3K000000000001,Primary.
[Kernel HA information]
vcluster 1, state=standby, primary_ip=169.254.0.2, primary_id=0, silent=0
FG3K000000000002: Secondary, ha_prio/o_ha_prio=1/1 -----> FW_02,Secondary.
FG3K000000000001: Primary, ha_prio/o_ha_prio=0/0 -----> FW_01,Primary.
vcluster 2, state=work, primary_ip=169.254.0.1, primary_id=1, silent=0
FG3K000000000002: Primary, ha_prio/o_ha_prio=0/0 -----> FW_02,Primary.
FG3K000000000001: Secondary, ha_prio/o_ha_prio=1/1 -----> FW_01,Secondary.
FW_02 (global) $ get sys ha status
HA Health Status: OK
Model: FortiGate-3000F
Mode: HA A-P
Group Name: 3000F-HA
Group ID: 1
Debug: 0
Cluster Uptime: 76 days 9h:49m:47s
Cluster state change time: 2025-01-09 03:52:06
Primary selected using:
virtual cluster 1:
<2025/01/09 03:52:06> vcluster-1: FG3K000000000001 is selected as the primary because EXE_FAIL_OVER flag is set on peer member FG3K000000000002. -----> New HA selection event.
<2024/12/21 02:50:53> vcluster-1: FG3K000000000002 is selected as the primary because its uptime is larger than peer member FG3K000000000001. -----> Last HA selection event.
ses_pickup: disable
override:
vcluster_1 disable
vcluster_2 disable
Configuration Status:
FG3K000000000002(updated 1 seconds ago): in-sync <----- Correct Synchronization.
FG3K000000000001(updated 4 seconds ago): in-sync <----- Correct Synchronization.
number of member: 2
FW_02 , FG3K000000000002, HA cluster index = 0
FW_01 , FG3K000000000001, HA cluster index = 1
number of vcluster: 2
vcluster 1: standby 169.254.0.2
Secondary: FG3K000000000002, HA operating index = 1 <----- FW_02,Secondary.
Primary: FG3K000000000001, HA operating index = 0 <----- FW_01,Primary.
vcluster 2: work 169.254.0.1
Primary: FG3K000000000002, HA operating index = 0 <----- FW_02,Primary.
Secondary: FG3K000000000001, HA operating index = 1 <----- FW_01,Secondary.
Now:
FW_02 is Secondary in vcluster_1.
FW_02 is Primary in vcluster_2.
FW_01 is Primary in vcluster_1.
FW_01 is Secondary in vcluster_2.
Related articles: Technical Tip: How to use failover flag to change Active unit FortiGate / FortiOS 7.4.7 Administration Guide / Force HA failover for testing and demonstrations |
Labels:
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.