FortiManager
ESCHAN_FTNT
Staff
Article Id: 221209

Description

This article describes how to configure FortiManager to use a custom certificate for HA communication on TCP port 5199.
Scope

FortiManager v6.2.7 and above, v6.4.x, v7.0.x, v7.2.x.

Solution

By default, communication between FortiManager units in an HA cluster uses TCP port 5199.

Once HA is enabled, all active interfaces on the primary FortiManager are opened and actively listen on TCP port 5199.

However, the primary will only respond to a peer whose Serial Number is configured and whose packets come from the configured peer IP address.

 

By default, all HA communication uses the default 'Fortinet_Local' certificate.

Starting from firmware 6.2.7, an extra feature allows the administrator to configure a custom certificate to be used for HA communication.

The CLI command is as follows:

config system ha
    set local-cert "certificate_name"
end

 

However, there are two things to take note of:

  1. The custom certificate used must contain the FortiManager Serial Number either in the CN (Common Name) or in the SAN (Subject Alternative Name).
  2. If the custom certificate is signed by a self-signed (private) CA, the CA certificate that signed it must be imported first, otherwise FortiManager cannot validate the peer's certificate.

 

Below is the recommended step-by-step configuration:

 

  1. Sign two custom certificates, one for the primary and one for the secondary FortiManager, each with CN=<FortiManager_SerialNumber> or SAN=<FortiManager_SerialNumber> matching that unit.
  2. Import each custom certificate to the FortiManager whose Serial Number it carries.
  3. Import the CA certificate that was used to sign the custom certificates on both FortiManagers.

 

  4. Configure HA to use this custom certificate for TCP port 5199 using the following commands:

config system ha
    set local-cert "certificate_name"
end

  5. Use the command below to verify that the HA communication is up.

 

diagnose ha stats

 

Below is sample output from the primary unit when the cluster is up:

 

diagnose ha stats
===== HA Statistics =====

cluster status: up

--- cluster member information ---

ip : 10.197.1.194
serial number : FMG-VMTMXXXXXXXX
hostname : FMG-VM64-KVM
role : secondary
status : up
pending sync'ed data(bytes) : 0
secondary down alert : off
secondary re-join alert : off
last error : n/a
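The certificate requirements in steps 1 to 3 (serial number in the CN or SAN, and the signing CA imported alongside the certificate) are where most HA certificate problems start, so the following added example, which is not part of this article and not a Fortinet tool, issues such certificates from a private CA with OpenSSL and checks each one before it is imported. The serial numbers FMG-VMTMPRIMARY0 and FMG-VMTMSECOND00, the CA name Example-HA-CA and all function names are constructed placeholders; replace the serial numbers with each FortiManager's real serial number.

```shell
#!/bin/sh
# Added example (not Fortinet's code): issue HA certificates whose CN and SAN carry
# a FortiManager serial number, signed by a private CA, and verify both requirements
# from the article before import: (1) serial present in CN or SAN, (2) certificate
# chains to the CA certificate that will be imported on both units.
# All serial numbers and names below are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create a private (self-signed) CA. ca.crt is what step 3 imports on both FortiManagers.
make_ca() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORKDIR/ca.key" \
        -out "$WORKDIR/ca.csr" -subj "/CN=Example-HA-CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORKDIR/ca.ext"
    openssl x509 -req -in "$WORKDIR/ca.csr" -signkey "$WORKDIR/ca.key" \
        -days 3650 -extfile "$WORKDIR/ca.ext" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Issue one FortiManager's certificate. $1 = serial number (placeholder).
# The serial is put in both CN and SAN so either of the article's two options is satisfied.
issue_cert() {
    serial="$1"
    openssl req -newkey rsa:2048 -nodes -keyout "$WORKDIR/$serial.key" \
        -out "$WORKDIR/$serial.csr" -subj "/CN=$serial" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$serial" \
        > "$WORKDIR/$serial.ext"
    openssl x509 -req -in "$WORKDIR/$serial.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -days 825 -extfile "$WORKDIR/$serial.ext" -out "$WORKDIR/$serial.crt" 2>/dev/null
}

# Requirement 1: the serial number must appear in the CN or the SAN.
# $1 = certificate path, $2 = expected serial. Returns 0 if found, 1 otherwise.
cert_has_serial() {
    cn=$(openssl x509 -in "$1" -noout -subject 2>/dev/null)
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null)
    # Subject formatting differs between OpenSSL versions ("CN = x" vs "CN=x").
    case "$cn" in *"CN = $2"*|*"CN=$2"*) return 0 ;; esac
    # SAN entries appear in the -text dump as "DNS:<value>".
    case "$text" in *"DNS:$2"*) return 0 ;; esac
    return 1
}

# Requirement 2: the certificate must validate against the CA that will be imported.
cert_chains_to_ca() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1
}

main() {
    make_ca
    # Constructed placeholder serials for the primary and secondary units.
    for sn in FMG-VMTMPRIMARY0 FMG-VMTMSECOND00; do
        issue_cert "$sn"
        if cert_has_serial "$WORKDIR/$sn.crt" "$sn" && cert_chains_to_ca "$WORKDIR/$sn.crt"; then
            echo "$sn.crt: OK (serial in CN/SAN, chains to ca.crt) - files in $WORKDIR"
        else
            echo "$sn.crt: FAIL - do not import" >&2
            exit 1
        fi
    done
}

main "$@"
```

The script only produces and checks the files; importing each unit's certificate and the shared ca.crt is still done on the FortiManagers as in steps 2 and 3, after which 'set local-cert' in 'config system ha' selects the imported certificate by name. Running cert_has_serial against a certificate before importing it catches the most common mistake, a serial number that is present in neither CN nor SAN, without waiting for the cluster to fail to come up.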