fjulianom
New Contributor III

FortiGate HA active-active doubt

Hi community,

 

I have a doubt regarding FortiGate HA active-active mode. There are some articles explaining how this mode operates; I have taken this one:

https://www.fortinetguru.com/2016/10/natroute-mode-active-active-cluster-packet-flow/

 

Briefly and without going into too much 3-way handshake detail, when the primary unit decides that the subordinate unit should handle a packet, and forwards it to the subordinate unit internal interface, the primary unit forwards further packets in the same session to the subordinate unit. Is that correct? If so, will every packet of the same session pass first through the primary unit and then through the secondary unit? If so, then will link 1 be much more loaded than link 2?

 

[Attached image: fjulianom_0-1749225784677.png]

Regards,

Julián

3 REPLIES
Anthony_E
Community Manager

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Thanks

Anthony-Fortinet Community Team.
Jean-Philippe_P
Moderator

Hello fjulianom,

 

I found this solution. Can you tell me if it helps, please?

 

Yes, your understanding is correct. In an active-active HA setup, the primary unit is responsible for receiving all incoming packets. When the primary unit decides that a subordinate unit should handle a packet, it forwards the packet to the subordinate unit. Here’s a brief explanation:

 

  1. Initial Packet Handling: The primary unit receives the initial packet of a session and decides, based on the load balancing schedule, whether to process it or forward it to a subordinate unit.

  2. Session Consistency: Once a session is assigned to a subordinate unit, all subsequent packets of that session are forwarded to the same subordinate unit by the primary unit.

  3. Traffic Flow: Yes, every packet of the same session will first pass through the primary unit and then be forwarded to the subordinate unit. This means that the link between the primary unit and the subordinate unit (Link 1) will indeed be more loaded compared to the link between the subordinate unit and the external network (Link 2).

 

This setup ensures that session information is consistent and synchronized across the cluster, but it does mean that the primary unit handles more traffic as it processes or forwards all incoming packets.

Regards,

Jean-Philippe - Fortinet Community Team