Latest Office of The CISO Videos:
Who is Office of The CISO? - How to Get Into Cybersecurity - What is a Chief Information Security Officer?
What is a SOC Analyst?

Using High Availability

Configuring the secondary unit for HA operation

The following procedure describes how to prepare a FortiMail unit for HA operation as the secondary unit according to Figure 136 on page 338.

Before beginning this procedure, verify that you have completed the required preparations described in “Example: Active-passive HA group in gateway mode” on page 337. Also verify that you configured the primary unit as described in “Configuring the primary unit for HA operation” on page 342.

To configure the secondary unit for HA operation

  1. Connect to the web-based manager of the secondary unit at https://192.168.1.6/admin.
  2. Go to System > Network.
  3. Configure port 6 to 10.0.0.4/255.255.255.0 and port 6 to 10.0.1.4/255.255.255.0.
  4. Go to System > High Availability > Configuration.
  5. Configure the following:
Main Configuration section See “Configuring the primary HA options”
Mode of operation slave
On failure wait for recovery then restore slave role
Shared password change_me
Backup options section See “Configuring the backup options”.
Backup mail data directories enabled
Backup MTA queue directories disabled
Advanced options section See “Configuring the advanced options”.
HA base port 2000
Heartbeat lost threshold 15 seconds

Remote services as heartbeat disabled

Interface section See “Configuring interface monitoring”.
Interface port6
Heartbeat status primary
Peer IP address 10.0.0.2
Interface port5
Heartbeat status secondary
Peer IP address 10.0.1.2
Virtual IP Address (Configuration of the ports will be synchronized with the primary unit, and are therefore not required to be configured on the secondary unit.)
port1 Ignore
port2 Ignore
port3 Set

172.16.1.2/255.255.255.0

port4 Ignore
port5 Ignore
port6 Ignore
  1. Click Apply.

The FortiMail unit switches to active-passive HA mode, and, after determining that the primary unit is available, sets its effective HA operating mode to slave.

  1. Go to System > High Availability > Status.
  2. Select click HERE to start a configuration/data sync.

The secondary unit synchronizes its configuration with the primary unit, including Virtual IP action settings that configure the HA virtual IP that the secondary unit will adopt on failover.

  1. To confirm that the FortiMail unit is acting as the secondary unit, go to System > High Availability > Status and compare the Configured Operating Mode and Effective Operating Mode. Both should be slave.

If the effective HA operating mode is not slave, the FortiMail unit is not acting as the secondary unit. Determine the cause of the failover, then restore the effective operating mode to that matching its configured HA mode of operation.

If the heartbeat interfaces are not connected, the secondary unit cannot connect to the primary unit, and so the secondary unit will operate as though the primary unit has failed and will switch its effective HA operating mode to master.

Figure 138:Secondary unit status page (secondary unit not operating as a slave unit)

When both primary unit and the secondary unit are operating in their configured mode, configuration of the active-passive HA group is complete. For information on managing both members of the HA group, see “Administering an HA group” on page 345.

Administering an HA group

In most cases, you will an HA group by connecting to the primary unit as if it were a standalone unit.

Table 43:Management tasks performed on each HA group member

Connect to… For…
Primary unit

(192.168.1.5)

•      synchronized configuration items, such as antispam settings

•      primary unit HA management tasks, such as viewing its effective HA operating mode and configuring its Mode of operation and Shared password

•      viewing the log messages of the primary unit

Secondary unit

(192.168.1.6)

•      secondary unit HA management tasks, such as viewing its effective HA operating mode and configuring its Mode of operation and Shared password

•      viewing the log messages of the secondary unit

If the initial configuration synchronization fails, such as if it is disrupted or the network cable is loose, you should manually trigger synchronization after changing the configuration of the primary unit. For information on manually triggering configuration synchronization, see “click HERE to start a configuration/data sync” on page 316.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos

Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos