
Deploying HA-AP mode

Deploy HA-AP mode

1) Enable the management interface

It is recommended to enable the management interface before deploying HA-AP mode. Once the HA-AP cluster is formed, only the Primary (master) device handles traffic, so the Secondary device cannot be reached directly through its data interfaces, which is inconvenient in most cases. The management interface, by contrast, is a virtual interface bound to a physical interface and keeps working in every HA mode, standalone included. Perform the following steps on every HA node.

  1. Obtain console access to the FortiADC and run the following steps from the console.
  2. Because the management interface is a virtual interface inside the system, it uses the same routing mechanism as any other interface, so its subnet must not overlap with another interface's subnet. The original IP address of the physical interface is therefore usually cleared first.
    Clearing the address can drop network connectivity, which is why console access is required in step 1.

    FAD2 # config system interface
    FAD2 (interface) # edit port1
    FAD2 (port1) # unset ip
    FAD2 (port1) # end

  3. Configure the management interface: bind it to the physical port, assign its IP address, and restrict the allowed management protocols (the mgmt-ip value is not shown on this page).

    FAD2 # config system ha
    FAD2 (ha) # set mgmt-status enable
    FAD2 (ha) # set mgmt-interface port1
    FAD2 (ha) # set mgmt-ip
    FAD2 (ha) # set mgmt-ip-allowaccess http https ping snmp ssh telnet
    FAD2 (ha) # end

  4. Configure the default route accordingly (the gateway value is not shown on this page).

    FAD2 # config router static
    FAD2 (static) # edit 1
    FAD2 (1) # set gateway
    FAD2 (1) # end

On virtualization platforms such as VMware ESXi, KVM and Hyper-V, promiscuous mode must be enabled on the VM interface to which the management interface is bound. The setting has a different name on each platform; on Hyper-V, for example, it is called "MAC address spoofing".

2) Configure the HA-AP mode on both sides

Once the management interface is in place, perform the following steps in the Web UI.

  1. Plan the HA roles for the devices
    There are two HA roles to plan: the traffic role and the config role. Technically, the traffic-Primary and the config-Primary can be different devices. Only the traffic-Primary handles traffic, and a full configuration sync can only go from the config-Primary to the other nodes (an incremental configuration sync can originate from any node).
    Typically, the traffic-Primary and config-Primary are the same device. The example below configures both roles on the same device with override enabled.
    Conditions for a successful negotiation:
    • All HA devices use the same heartbeat ports and data ports.
    • All HA devices have the same group-id.

How the traffic-Primary is elected in HA-AP mode:

Override enabled:

Disk state > monitor interface > priority > uptime > SN

Override disabled:

Disk state > monitor interface > uptime > priority > SN

  • Disk state is the hard disk working state: a device without a disk error wins. If all devices have a disk error, the next condition is compared.
  • Monitor interface is the number of monitored interfaces that are up: the device with more up interfaces wins. If all devices have the same number of up interfaces, the next condition is compared.
  • Priority is the value set in the HA configuration: the device with the lower value wins. If all devices have the same value, the next condition is compared.
  • Uptime is the device uptime: the device with the longer uptime wins. If all devices have the same uptime, the next condition is compared.
  • SN is the serial number: the device with the higher SN becomes the Primary.

How the config-Primary is elected (the same in all three HA modes):

config-priority > SN

  • Config-priority is the value set in the HA configuration: the device with the lower config-priority value becomes the config-Primary.
  • SN is the serial number: the device with the higher SN becomes the config-Primary.

Here we set up two HA devices in HA-AP mode, making FAD1 the Primary and FAD2 the Secondary. The configuration of each device follows; FAD1 gets the lower priority and config-priority values so that it wins both elections.

FAD1:

config system ha
set mode active-passive
set hbdev port6 port7
set group-id 14
set group-name group1
set priority 1
set config-priority 10
set override enable
set l7-persistence-pickup enable
set l4-persistence-pickup enable
set l4-session-pickup enable
set monitor port2 port3 port4 port5
end

FAD2:

config system ha
set mode active-passive
set hbdev port6 port7
set group-id 14
set group-name group1
set priority 9
set config-priority 100
set override enable
set l7-persistence-pickup enable
set l4-persistence-pickup enable
set l4-session-pickup enable
set monitor port2 port3 port4 port5
end


There are some preconditions for the HA negotiation:

  • The hostnames of the HA nodes must NOT be the same.
  • The group-id of the HA nodes must be the same.
  • The heartbeat interfaces must be connected directly or be in the same VLAN.
  • On some virtualization platforms such as Hyper-V, "MAC address spoofing" must be enabled on the heartbeat interface.

  2. Configure the basic HA options

The following example shows the FAD1 configuration, the FAD2 is similar.

Navigate to the System > High Availability page:

Configure the required options.

Configure the synchronization options.

Configure the advanced options.
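The election orderings and negotiation preconditions above are easy to get wrong when two nodes disagree on priority and uptime. The following script is an added example written for this page, not FortiADC code: it parses the FAD1 and FAD2 `config system ha` snippets shown above, checks the page's preconditions (distinct hostnames, identical group-id, heartbeat and monitored ports), and elects the traffic-Primary under both override settings plus the config-Primary. Hostnames are the page's FAD1/FAD2; the serial numbers, uptimes, disk states and link states are constructed sample values, and the assumption that override is either on or off for the whole cluster is a simplification of this example.

```python
"""Added example, not Fortinet's code: a model of the FortiADC HA-AP election
rules and negotiation preconditions described on this page.

Serial numbers, uptimes, disk states and which ports are link-up are
constructed sample data. The config snippets are the page's FAD1/FAD2 examples.
"""
from dataclasses import dataclass


def parse_ha_config(text: str) -> dict:
    """Turn `set <key> <value...>` lines into a dict.

    Single values stay strings; multi-value keys such as hbdev and monitor
    become tuples so they can be compared between nodes.
    """
    cfg = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "set":
            cfg[parts[1]] = parts[2] if len(parts) == 3 else tuple(parts[2:])
    return cfg


@dataclass
class HaNode:
    hostname: str
    serial: str          # constructed SN; the higher string wins the final tie-break
    uptime_s: int        # constructed uptime in seconds
    disk_ok: bool        # constructed disk state (True = no disk error)
    ports_up: frozenset  # constructed set of ports that are currently link-up
    ha: dict             # parsed `config system ha`


def check_preconditions(nodes: list) -> list:
    """Return the negotiation preconditions that are violated (empty list = ok)."""
    problems = []
    names = [n.hostname for n in nodes]
    if len(set(names)) != len(names):
        problems.append("hostname: HA nodes must NOT share a hostname")
    # group-id, heartbeat ports and data (monitored) ports must all match
    for key in ("group-id", "hbdev", "monitor"):
        if len({n.ha.get(key) for n in nodes}) != 1:
            problems.append(f"{key}: must be the same on all HA nodes")
    return problems


def monitored_up(node: HaNode) -> int:
    """Number of this node's monitored ports that are currently up."""
    return len(set(node.ha.get("monitor", ())) & node.ports_up)


def elect_traffic_primary(nodes: list, override: bool) -> HaNode:
    """Apply the page's ordering.

    override enabled:  disk state > monitor interface > priority > uptime > SN
    override disabled: disk state > monitor interface > uptime > priority > SN
    `max` picks the winner, so every term is oriented "bigger is better";
    priority is negated because the LOWER configured value wins.
    """
    def key(n: HaNode):
        prio = -int(n.ha.get("priority", "0"))
        head = (n.disk_ok, monitored_up(n))
        mid = (prio, n.uptime_s) if override else (n.uptime_s, prio)
        return head + mid + (n.serial,)
    return max(nodes, key=key)


def elect_config_primary(nodes: list) -> HaNode:
    """config-priority (lower wins) > SN (higher wins); same in all three HA modes."""
    return max(nodes, key=lambda n: (-int(n.ha.get("config-priority", "0")), n.serial))


# The two `config system ha` blocks from the page, as text (pickup options omitted:
# they do not take part in the election).
FAD1_HA = """
set mode active-passive
set hbdev port6 port7
set group-id 14
set group-name group1
set priority 1
set config-priority 10
set override enable
set monitor port2 port3 port4 port5
"""
FAD2_HA = FAD1_HA.replace("set priority 1", "set priority 9").replace(
    "set config-priority 10", "set config-priority 100")

ALL_PORTS = frozenset({"port2", "port3", "port4", "port5"})


def build_cluster(fad1_ports_up: frozenset = ALL_PORTS) -> list:
    """Constructed cluster: FAD2 has been up longer, so uptime and priority disagree."""
    fad1 = HaNode("FAD1", "FAD-SN-0001", uptime_s=3_600, disk_ok=True,
                  ports_up=fad1_ports_up, ha=parse_ha_config(FAD1_HA))
    fad2 = HaNode("FAD2", "FAD-SN-0002", uptime_s=86_400, disk_ok=True,
                  ports_up=ALL_PORTS, ha=parse_ha_config(FAD2_HA))
    return [fad1, fad2]


if __name__ == "__main__":
    cluster = build_cluster()
    print("preconditions   :", check_preconditions(cluster) or "ok")
    print("override enable :", elect_traffic_primary(cluster, True).hostname)
    print("override disable:", elect_traffic_primary(cluster, False).hostname)
    degraded = build_cluster(fad1_ports_up=ALL_PORTS - {"port2"})
    print("FAD1 port2 down :", elect_traffic_primary(degraded, True).hostname)
    print("config-Primary  :", elect_config_primary(cluster).hostname)
```

Running it shows why the page configures override enabled: with override on, FAD1's priority 1 beats FAD2's longer uptime and FAD1 becomes the traffic-Primary; with override off, uptime is compared first and FAD2 wins even though it has the worse priority. Taking one of FAD1's monitored ports down hands the role to FAD2 regardless of override, which is the failover behaviour the monitor list is there to provide.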
