FortiGate
gmanea
Staff
Article Id 192218

Description

 
This article describes the process for disconnecting a FortiGate unit from an existing High-Availability (HA) cluster using the 'Remove device from HA cluster' feature in the GUI (or 'execute ha disconnect' in the CLI). It covers the GUI steps for FortiOS 5.2/5.4 and for FortiOS 5.6 and later (6.x, 7.x, etc.), as well as the CLI method, which applies to all versions.
 
This process can generally be completed without disrupting the rest of the network, as it will make the following changes on the removed FortiGate during the removal process:
 
  • Remove/clean all interface IP address configurations. Existing interfaces will be retained, but all IP addresses and administrative access options assigned to the interface will be removed to prevent conflicts with the remaining HA cluster.
  • Configure a new IP address on a specified port. This is done so that the removed unit is accessible over the network for further management/reconfiguration.
  • Change the removed FortiGate's HA mode to standalone.

 

The removed FortiGate will retain the vast majority of its current configuration when removed from the cluster, including but not limited to:

  • Firewall Policies.
  • Interfaces/names (but as noted above, not IP address assignments).
  • Admin users/passwords (including REST API admins/API keys, SSO Admins, etc.).
  • Security Inspection profiles.
  • HA configurations (e.g. group names, passwords, etc., but notably not HA management interfaces or the mode).

This means that it is relatively straightforward to put a removed FortiGate back into the HA cluster (though see the notes further below for additional considerations).

 

Note:

It is still recommended to plan the removal process around a scheduled maintenance window. It is also not recommended to use this option in cloud environments, as the devices there often have different IP addresses set on each node.

 

Scope

 

FortiGate High Availability, FortiOS 5.2/5.4 and FortiOS 5.6 through 6.x/7.x and later.


Solution

 

Disconnecting a FortiGate from the HA cluster - GUI Method (v5.6 through v6.x/v7.x and later):

1. Log in to the Primary FortiGate via the Web GUI.

2. Navigate to System -> HA (in the Global VDOM, if VDOMs are enabled). A list of FortiGate cluster members will be present.

3. Select the unit to disconnect, then select the Remove device from HA cluster button:

4. Select an Interface from the drop-down list after the pop-up window appears. This interface will be used as a management interface for the removed FortiGate:


5. Configure an IP/Netmask for the specified interface. This IP address should be reachable over the network so that the removed FortiGate can be managed, as all other interfaces on the removed FortiGate will have the IP addressing removed/cleared to avoid conflicts with the existing HA cluster.
6. Select OK to commit the change. Once the change is committed, the cluster will no longer show the unit as being connected to the cluster, and the disconnected unit's HA mode will be changed to standalone.

 

Note:

If the disconnected FortiGate is going to be reconnected to the cluster, consider the following:

 

  • Reboot the disconnected unit before proceeding with cluster re-establishment, or run diagnose sys ha reset-uptime. This ensures that the disconnected unit's cluster uptime value is lower than that of the current HA Primary FortiGate, which helps to ensure that the disconnected unit does not attempt to assume the Primary HA role.
  • Assign a Device Priority that is lower than the existing Primary FortiGate's priority, for the same reason mentioned above (the highest priority can lead to a unit assuming the HA Primary role; the default value is 128).
    • For example: If the active Primary unit has a priority of 100 then it is recommended to set the disconnected FortiGate priority to a value lower than that.

  • Re-configure any other custom HA configuration that was present before the disconnect, such as dedicated HA management interfaces.
  • Once the cluster is reconnected, it will take several minutes to fully synchronize the configuration and bring all interface configurations with it.

 

Disconnecting a FortiGate from the HA cluster - CLI Method (all FortiOS versions):

To disconnect a FortiGate from the HA cluster via the CLI, use the following command on the Primary unit:
 
execute ha disconnect <FortiGate Serial Number> <Interface> <IP Address> <Netmask>
 
Consider the following example of the above command:
 
execute ha disconnect FGT800Dxxxxxxxx internal 192.168.1.2 255.255.255.0
 
The above command will disconnect the FortiGate with the serial number FGT800Dxxxxxxxx, and it will also set up the internal interface with an IP address of 192.168.1.2 and a network/subnet mask of 255.255.255.0.

 

As mentioned above, the existing HA cluster members will continue to provide service to the network without disruption, and the disconnected FortiGate will be accessible via the above interface and IP address (assuming routes exist as well to reach remote destinations).
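The following Python script is an added example, not code from the article or from Fortinet. It assembles the execute ha disconnect command from the CLI section above, checks that the chosen management address does not collide with an address still in use on the remaining cluster members (the conflict the article warns about), and lists which items of the reconnection note are still outstanding. The cluster address table, the loose serial-number pattern and the function names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample of the cluster's current interface addressing (assumption, not from the article).
CLUSTER_INTERFACE_IPS = {
    "internal": ipaddress.ip_interface("192.168.1.99/255.255.255.0"),
    "wan1": ipaddress.ip_interface("203.0.113.10/255.255.255.248"),
}

# Loose sanity check only (serials start with "FG"); this is not Fortinet's official serial format.
SERIAL_RE = re.compile(r"^FG[A-Z0-9]{8,}$", re.IGNORECASE)


def plan_ha_disconnect(serial, interface, ip, netmask, cluster_ips=CLUSTER_INTERFACE_IPS):
    """Validate the inputs and return (command string, list of warnings); raise ValueError on conflicts."""
    if not SERIAL_RE.match(serial):
        raise ValueError(f"{serial!r} does not look like a FortiGate serial number")
    if interface not in cluster_ips:
        raise ValueError(f"{interface!r} is not an interface known on the cluster")
    # ip_interface accepts a dotted netmask and validates both the address and the mask.
    mgmt = ipaddress.ip_interface(f"{ip}/{netmask}")
    # The removed unit keeps only this address, so it must not duplicate any cluster member address.
    for name, iface in cluster_ips.items():
        if iface.ip == mgmt.ip:
            raise ValueError(f"{ip} is already assigned to cluster interface {name!r}")
    warnings = []
    if mgmt.network != cluster_ips[interface].network:
        warnings.append(f"{mgmt} is not on the cluster's {interface} subnet "
                        f"{cluster_ips[interface].network}; a route is needed to reach it")
    return f"execute ha disconnect {serial} {interface} {mgmt.ip} {mgmt.netmask}", warnings


def rejoin_precheck(primary_priority, rejoining_priority, uptime_reset):
    """Return the reconnection-note items (uptime reset, lower priority) that are still outstanding."""
    issues = []
    if not uptime_reset:
        issues.append("reboot the unit or run 'diagnose sys ha reset-uptime' before rejoining")
    if rejoining_priority >= primary_priority:
        issues.append(f"device priority {rejoining_priority} must be lower than the primary's {primary_priority}")
    return issues


if __name__ == "__main__":
    # Constructed serial number; replace with the real unit's serial.
    cmd, warns = plan_ha_disconnect("FGT800D00000001", "internal", "192.168.1.2", "255.255.255.0")
    print(cmd)
    for w in warns:
        print("warning:", w)
    print(rejoin_precheck(primary_priority=100, rejoining_priority=128, uptime_reset=False))
```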

 

Disconnecting a FortiGate from the HA cluster - GUI Method (Legacy FortiOS 5.2/5.4)

 

1. Log in to the Web GUI of the Primary FortiGate.

2. Navigate to System -> Config -> HA. A list of FortiGate cluster members will be present.

3. Select the unit to disconnect, then select the disconnect button/icon:


4. In the Disconnect Cluster Member window, specify the Interface to be used for management access to the disconnected unit.


5. Configure an IP/Netmask for the specified interface. This IP address should be reachable over the network so that the removed FortiGate can be managed, as all other interfaces on the removed FortiGate will have the IP addressing removed/cleared to avoid conflicts with the existing HA cluster.
6. Select OK to commit the change. Once the change is committed, the cluster will no longer show the unit as being connected to the cluster, and the disconnected unit's HA mode will be changed to standalone.


Related articles:

Troubleshooting Tip: How to troubleshoot HA synchronization issue using GUI and CLI on FortiGate/For....

Troubleshooting Tip: FortiGate Cluster upgrade gets stuck when not all members have upgraded.

Troubleshooting Tip: 'Image upgrade failed. Firmware image is not valid - FortiGate HA firmware upgr....

Technical Tip: How to confirm that Load Balancing is occurring (HA cluster).

Technical Tip: How to view the routing table on Slave/Secondary/Subordinate units in HA cluster.

Technical Tip: HA Reserved Management Interface's hidden VDOM (vsys_hamgmt VDOM).

Technical Tip: Configure timeout to make primary HA unit wait before the secondary HA unit is consid....

Technical Tip: How to break a HA cluster and use one of the members as standalone