FortiManager
bboudjema
Staff
Article Id 396846

Description

This article provides a comprehensive guide to managing FortiGate High Availability (HA) clusters using FortiManager.

It covers the process of adding HA clusters to FortiManager, explains the key behavioral differences between Active-Passive and Active-Active HA modes, especially regarding traffic processing and log sources, and details how configuration synchronization is handled.

The article also addresses common challenges such as failover behavior, HA cluster role promotion, and known issues related to FGFM tunnels and configuration drift. Practical troubleshooting tips and best practices are included to help administrators maintain a reliable HA environment.

Scope

FortiManager, FortiGate.

Solution

FortiManager connects to the HA cluster's primary unit via FGFM and pushes configuration changes there; the primary then synchronizes them automatically to the secondary units. Although FortiManager interacts only with the primary regardless of HA mode, understanding the key differences between Active-Passive and Active-Active, such as traffic handling and log sources, is essential for effective management. This setup centralizes control and simplifies failover and role promotion.

Topology Example: (screenshot of the HA topology, not reproduced here)

Adding a FortiGate HA Cluster to FortiManager:

  1. In FortiManager, go to Device Manager.

  2. Select Add Device/Discover Device and provide the IP address of the primary FortiGate in the HA cluster.

  3. Enter valid administrator credentials with API/FGFM access.

  4. FortiManager will automatically detect the HA cluster and retrieve information about the secondary units.

  5. The entire HA cluster will be added as one logical device in FortiManager.

Alternative Method:

The FortiGate HA cluster can also be added to FortiManager using the Fabric Connector, initiated from the primary FortiGate unit. This method is suitable for environments where Security Fabric integration is in use.

Important:

Do not add secondary HA members manually. FortiManager does not support managing HA peers separately.

FortiManager and HA Cluster Interaction:

  • FortiManager communicates only with the current primary unit using FGFM (port 541).

  • Configuration changes are pushed to the primary and automatically synchronized to all secondary units.

  • HA member roles and sync status are visible in Device Manager > System > HA.

Active-Passive vs. Active-Active Clusters, Key Differences:

Area                          Active-Passive                 Active-Active
FortiManager Management       Primary only                   Primary only
Traffic Processing (Network)  One node                       Multiple nodes
Log Sources                   Single unit                    Possibly multiple
Config Install Path           FortiManager → Primary → Sync  FortiManager → Primary → Sync (same behavior)
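As an added example (not part of the original article or a Fortinet tool), the Python below encodes two points made above as checks an administrator can run against an exported device inventory: the expected log sources per HA mode from the table, and the rule that secondary HA members must not appear as separately added devices. The inventory records, their field names (ha_mode, members) and the serial numbers are constructed for this example and are not the FortiManager API schema.

```python
from dataclasses import dataclass, field

# Constructed, simplified view of FortiManager device inventory records.
# Field names (ha_mode, members) are assumptions for this example, not the
# FortiManager JSON-RPC schema.
STANDALONE, ACTIVE_PASSIVE, ACTIVE_ACTIVE = "standalone", "a-p", "a-a"


@dataclass
class Device:
    name: str
    sn: str                 # serial of the unit FortiManager talks to (the primary)
    ha_mode: str
    members: list = field(default_factory=list)  # serials of all HA members, primary first


def expected_log_sources(dev):
    """Serials expected to appear as log sources, per the table above:
    A-P: one node processes traffic, so logs come from the primary only;
    A-A: every member may process traffic, so logs may come from all members."""
    if dev.ha_mode == ACTIVE_ACTIVE:
        return set(dev.members)
    return {dev.sn}


def find_separately_added_members(inventory):
    """Flag HA members that also appear as their own standalone device entry.
    FortiManager manages a cluster as one logical device; a secondary that was
    added manually shows up as a second record carrying a member serial."""
    cluster_members = {}
    for dev in inventory:
        if dev.ha_mode != STANDALONE:
            for sn in dev.members[1:]:
                cluster_members[sn] = dev.name
    return sorted(
        (dev.sn, cluster_members[dev.sn])
        for dev in inventory
        if dev.ha_mode == STANDALONE and dev.sn in cluster_members
    )


# Constructed sample inventory: one A-P cluster, one A-A cluster, and a secondary
# of the A-P cluster wrongly added as a standalone device.
INVENTORY = [
    Device("branch-ap", "FGT-AP-001", ACTIVE_PASSIVE, ["FGT-AP-001", "FGT-AP-002"]),
    Device("dc-aa", "FGT-AA-001", ACTIVE_ACTIVE, ["FGT-AA-001", "FGT-AA-002", "FGT-AA-003"]),
    Device("branch-ap-secondary", "FGT-AP-002", STANDALONE),
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev.name, dev.ha_mode, "log sources:", sorted(expected_log_sources(dev)))
    print("separately added HA members:", find_separately_added_members(INVENTORY))
```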