Back to Blog
Cybersecurity

FortiGate HA (High Availability) Installation and Configuration Guide

FortiGate HA (High Availability) Installation and Configuration Guide
We examine the HA (High Availability) installation and configuration steps to ensure business continuity and establish an uninterrupted network infrastructure on FortiGate firewalls.
Published
June 11, 2026
Updated
June 11, 2026
Reading Time
7 min read
Author
LeonX Team

In the digital infrastructure of businesses, any interruption in internet and network access can lead to halted business processes and severe financial losses. Therefore, it is of vital importance that firewalls at the heart of corporate networks operate in a redundant structure. The FortiGate HA (High Availability) technology developed by Fortinet combines two or more FortiGate devices under a single cluster, offering an uninterrupted and redundant network infrastructure.

In this guide, we will discuss the logic, requirements, and step-by-step configuration phases of HA installation on FortiGate firewalls.

What is FortiGate HA (High Availability)?

FortiGate HA is a clustering technology that allows multiple physical FortiGate devices to come together and operate as a single logical device. In this architecture, when one of the devices fails or its connection is lost, the other device automatically takes over the traffic. Since this transition occurs within milliseconds, users and systems do not feel the interruption.

HA Operating Modes

There are two main operating modes commonly used in FortiGate HA architecture:

  1. Active-Passive: One of the devices in the cluster manages all traffic (Active) while the other waits in a passive state (Passive). When a problem occurs on the active device, the passive device automatically becomes active. It is the easiest to install, manage, and the most stable mode.
  2. Active-Active: All devices in the cluster share and process traffic, performing load balancing. It is preferred in large-scale networks where performance requirements are very high.

FortiGate HA Installation Requirements

To perform a successful HA installation, the devices must have exactly the same hardware and software features.

  • Same Hardware Model: All devices in the cluster must be of the same model (e.g., two FortiGate 60F devices).
  • Same Firmware Version: The FortiOS versions running on the devices must be exactly the same.
  • Same License Level: The license packages of the devices (FortiGuard, UTM, etc.) must be the same.
  • Physical Connections: The port configurations and cabling of the devices must be exactly symmetrical.

Step-by-Step FortiGate HA Configuration

In this section, we will examine the installation steps of the most commonly used Active-Passive mode.

1. Making Physical Connections

Before starting to configure the devices, prepare the physical connections:

  • Establish at least one (preferably two) "Heartbeat" connection for the two devices to communicate (synchronize) with each other. Run ethernet cables between these ports (e.g., HA or port5/port6) where the devices will connect directly to each other.
  • Connect WAN and LAN connections to symmetrical ports on both devices (e.g., WAN1 port of both devices should go to the same internet switch, and LAN ports should go to the same internal network switch).

2. Configuring the First Device (Primary/Master)

First, connect to the interface of the main device that will run as active and follow these steps:

  • Go to the System > HA menu.
  • Select the Mode field as Active-Passive.
  • Change the Device Priority value to a number higher than 128 (e.g., 200). This value ensures that this device is selected as "Master" with priority.
  • Set the Group Name and Password fields (must be the same on the other device in the cluster).
  • Select the ports where the devices connect to each other from the Heartbeat Interfaces field and determine their priorities.

3. Configuring the Second Device (Secondary/Slave)

Connect to the interface of the second device:

  • Go to the System > HA menu.
  • Select the Mode field as Active-Passive.
  • Leave the Device Priority value at the default 128 or enter a value lower than the main device (e.g., 100).
  • Enter the Group Name and Password information exactly the same as you set on the first device.
  • Select the same ports in the Heartbeat Interfaces field.

When you save the configuration and connect the devices to each other, the second device will automatically synchronize all its settings from the first device and start waiting in passive mode.

Pro Tip: To test the stability of the HA cluster, disconnect the power cable or unplug the heartbeat cable of the main device to check whether the traffic transitions to the backup device seamlessly (failover).

Best Practices in HA Configuration

For a reliable HA structure, the following points should be considered:

  • Redundant Heartbeat Connection: To prevent the heartbeat connection from dropping due to a single cable failure, always configure at least two ports as heartbeats.
  • Monitored Interfaces: Add your WAN and LAN ports as monitored interfaces in the HA settings. This way, even if the device itself is running, when the internet cable is unplugged, traffic is automatically transferred to the other device.
  • Redundant Switch Infrastructure: Support the HA structure with redundant switch architectures so that your server and internet connections are not affected by a single switch failure.

To ensure the uninterrupted operation of your network infrastructure and perform firewall configurations at best practice standards, you can take advantage of our Router, Switch and Firewall Installation Service solutions.

Frequently Asked Questions

Is internet access interrupted during HA failover?

In Active-Passive mode, the transition is completed within milliseconds. Existing TCP connections and VPN tunnels (if "Session Synchronization" is active) continue to flow through the backup device without interruption. Users do not feel this transition.

Does HA continue to work if the license of one of the devices expires?

Yes, but the cluster will display an "Unbalanced License" warning, and some security services (Web Filtering, IPS, etc.) may not work when the device with the expired license is active. Therefore, the license periods of both devices must be kept up to date.

How is a firmware update performed in a FortiGate HA structure?

Just like in vSphere or other redundant systems, updates in a FortiGate HA cluster are performed without interruption. When the update package is uploaded to the active device, the system first updates the passive device, transfers traffic to it, and then updates the other device, completing the process seamlessly.

Conclusion

FortiGate HA installation is one of the most critical steps to take for the continuity and cybersecurity of corporate networks. A correctly planned redundancy architecture completely eliminates outages caused by hardware failures or cable breaks.

To properly plan your firewall investments and design network infrastructures compliant with KVKK/ISO 27001 standards, you can review our Hardware and Software Solutions page or contact us to speak with our expert engineers.

Related Article: FortiGate SSL VPN Installation and Secure Remote Access

Related Article: What is Fortinet Security Fabric? Comprehensive Architecture Guide

Internal Link Path

Continue to the most relevant service pages

Use the links below to move from this article to the primary service, the most relevant detail page and the contact flow.

Primary Service Page

Hardware and Software Solutions

Open Page

Relevant Subservice

Router, Switch and Firewall Deployment Service

Open Page

Contact / Proposal

Contact Us

Open Page

Share this article

Facebook
Twitter
LinkedIn

Related Posts

Discover more on similar topics

How to Do Dell PowerStore Encryption for KVKK?
Cybersecurity
2026-06-12
7 min read

How to Do Dell PowerStore Encryption for KVKK?

We examine the configuration steps for data encryption (encryption at rest) on Dell PowerStore storage systems within the scope of Personal Data Protection Law (KVKK) technical measures.

Read Article
How to Configure Dell PowerEdge Server for KVKK?
Cybersecurity
2026-06-10
7 min read

How to Configure Dell PowerEdge Server for KVKK?

We examine how to ensure the security of your Dell PowerEdge servers and the best configuration steps within the scope of the Personal Data Protection Law (KVKK) technical measures.

Read Article
Why is Log Integrity Critical in 5651 Compliance? Detailed Guide
Cybersecurity
2026-06-06
6 min read

Why is Log Integrity Critical in 5651 Compliance? Detailed Guide

We examine why log integrity is of vital importance within the scope of Law No. 5651, its legal validity requirements, and technical prerequisites.

Read Article

Subscribe to Our Newsletter

Get the latest insights, trends, and expert advice delivered directly to your inbox. Join our community of IT professionals.

We respect your privacy. Unsubscribe at any time.