Support Forum
ByteHaven
Contributor

Fortimail HA

Hi everyone,

 

I would like some clarification regarding FortiMail HA in active–passive mode, specifically around IP addressing and routing/firewall configuration.

 

I already know how to configure HA itself, but my main question is about IP addresses:

  • In an active–passive HA setup, do both FortiMail units use the same IP address, or does each unit keep a different IP address?

  • I currently have a Virtual IP configured on my firewall (192.168.1.1) to forward SMTP traffic.
    At the moment, the primary FortiMail has IP 192.168.1.1 (which is the VIP), and the secondary FortiMail has IP 192.168.1.2.

  • SMTP traffic is currently being forwarded correctly to the primary unit.

My concern is failover behavior:

  • What should be configured so that when the primary FortiMail goes down, the secondary automatically takes over?

  • Once HA is configured and synchronized, does the secondary automatically take over the primary’s IP address (192.168.1.1), or do I need to modify something on the firewall side (VIP, routing, etc.)?

I want to make sure there is no mail disruption during a failover.

 

Thanks in advance for your help.

10 REPLIES
AEK
SuperUser

Hello BH

You use a floating virtual IP. It will automatically move to the secondary on failover.

https://docs.fortinet.com/document/fortimail/7.2.5/administration-guide/846008/using-high-availabili...

AEK
ByteHaven

Hello AEK,

 

Maybe you'll help me more.

 

I'm using only two ports in my FortiMails, one for the HA heartbeat and the second port for the rest (mgmt and SMTP traffic). What I wanna know is: in the HA configuration > interface > virtual IP, can I use the virtual IP I configured in my firewall, which is the same as my primary's IP address?

 

BR,

AEK

The VIP configured in your FGT should map to the VIP you configured on your FML HA.

In your case the static IP addresses that you configured on your FMLs will be used for management, while the VIP will be used for the SMTP traffic.

AEK
ByteHaven

In my case the static IP add configured on my primary is used for management and smtp traffic at the same time, and that static IP add is my VIP.

 

Primary : port1 (used for management and smtp traffic) 192.168.1.1

VIP : 192.168.1.1

 

Is this configuration correct for the HA? Because I am using this for my SMTP traffic and it's working just fine; my concern is the HA.

 

BR,

AEK

Let's clear up the ambiguity. There are two VIPs, one configured on FGT (let's say FGT_VIP), and one configured in FML HA (let's say FML_VIP).

The FGT_VIP should be mapped to the FML_VIP, not to the FML port1's static IP. This is required in order to keep it reachable on failover.

AEK
ByteHaven

Maybe I'm bad at explaining, I'm sorry lol.

 

Lets approach this in another way. 

 

To config active-passive for Fortimail :

  • you need to create a virtual IP on Fortigate and use that VIP on firewall policy to forward traffic from external to Fortimail.
  • use that VIP on both Fortimail > HA config : 

[Attachment: Screenshot 2026-01-21 133746.png]

My FortiMails' interface config is as follows:

  • Port1 : for example 192.168.10.1/192.168.10.2 (for admin access and SMTP traffic)
  • Port2 : for example 1.1.1.1/1.1.1.2 (for HA heartbeat)

Question: should the virtual IP be configured on port1 in my case?

AEK

Yes because currently your SMTP traffic is handled by port1.

The FML_VIP should be in the same subnet (192.168.10.0/x) on port1.

AEK
ByteHaven

And for Fortigate configuration ?

 

I have to create two firewall policies :

  • External to Fortimail : where I map the external traffic to the virtual IP
  • Fortimail to external : where I map the virtual IP to the external 

Is that correct ?

AEK

External to Fortimail:

  • Src intf: WAN
  • Dst intf: DMZ
  • Src: ALL
  • Dst: VIP (the VIP object created at FGT level)
  • Svc: SMTP, SMTPS

Fortimail to external:

  • Src intf: DMZ
  • Dst intf: WAN
  • Src: FML_VIP (probably you'll also need to add the 2 static IP addresses as well)
  • Dst: ALL
  • Svc: SMTP, SMTPS
AEK
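As an added illustration of the accepted answer (this is not configuration posted by AEK or taken from Fortinet documentation), the following FortiOS CLI fragment builds the two policies and the FGT-level VIP object described above. Interface names (wan1, dmz), the public MX address 203.0.113.25 (documentation range), the FortiMail floating VIP 192.168.10.10 and the static port1 addresses 192.168.10.1/.2 are all assumptions chosen to match the examples in the thread. The important detail it makes visible is that FML_VIP is a third address in the port1 subnet, distinct from either unit's static IP, so the FortiGate VIP still resolves to a live unit after failover.

```fortios
# Added example (not from the thread): FortiGate CLI equivalent of the two
# policies AEK describes, plus the VIP object. All names and addresses are
# assumptions for illustration:
#   wan1 / dmz        = FortiGate interface names
#   203.0.113.25      = public MX address (documentation range, constructed)
#   192.168.10.10     = FML_VIP, the floating HA virtual IP set on FortiMail
#   192.168.10.1 / .2 = static port1 addresses of the primary / secondary unit
# FML_VIP is a separate address in the port1 subnet, not either unit's
# static IP, so the FortiGate VIP keeps working after failover.

# Inbound: the public address is DNAT'ed to the FortiMail floating VIP
config firewall vip
    edit "FML_VIP"
        set extip 203.0.113.25
        set extintf "wan1"
        set mappedip "192.168.10.10"
    next
end

# Address objects for the outbound policy: the floating VIP plus both
# static unit addresses (as AEK suggests, so either node can send mail)
config firewall address
    edit "FML_VIP_ADDR"
        set subnet 192.168.10.10 255.255.255.255
    next
    edit "FML_NODE1"
        set subnet 192.168.10.1 255.255.255.255
    next
    edit "FML_NODE2"
        set subnet 192.168.10.2 255.255.255.255
    next
end
config firewall addrgrp
    edit "FML_HOSTS"
        set member "FML_VIP_ADDR" "FML_NODE1" "FML_NODE2"
    next
end

config firewall policy
    # External to FortiMail: only SMTP/SMTPS, only to the VIP object
    edit 0
        set name "Inbound-SMTP-to-FML"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "FML_VIP"
        set service "SMTP" "SMTPS"
        set action accept
        set schedule "always"
        set logtraffic all
    next
    # FortiMail to external: outbound mail from the VIP or either node
    edit 0
        set name "Outbound-SMTP-from-FML"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "FML_HOSTS"
        set dstaddr "all"
        set service "SMTP" "SMTPS"
        set action accept
        set schedule "always"
        set nat enable
        set logtraffic all
    next
end
```

Both policies are restricted to SMTP/SMTPS and log all traffic, which keeps the mail path narrow and gives you session logs to confirm which FortiMail unit is answering before and after a failover test. The outbound policy uses plain source NAT to the wan1 address; if the sending IP must match the published MX address for SPF or reverse DNS, an IP pool holding 203.0.113.25 would be used on that policy instead.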