Here's a link on troubleshooting FortiGate HA.
Personally, I find it better to reset the FortiGate device uptime to manually restore the original Primary firewall to its role. Refer to this link to troubleshoot and interpret HA flags.
Check whether the Secondary FortiGate firewall has HA override disabled, and note the HA failover status flag.
FW01_SEC (global) # show system ha | grep override
set override disable
FW01_SEC (global) # execute ha failover status
failover status: unset
The Secondary is acting as the Primary device in the High Availability (HA) cluster because its uptime is "larger", that is, the device has been up for a longer period of time. Also note the cluster index numbers for the Primary and Secondary.
FW01_SEC (global) # get system ha status
HA Health Status: OK
Model: FortiGate-4xxF
Mode: HA A-P
Group Name: FW01_CLUSTER
Group ID: 0
Debug: 0
Cluster Uptime: 6 days 13h:16m:48s
Cluster state change time: 2026-02-11 02:49:32
Primary selected using:
<2026/02/11 02:49:32> vcluster-1: FG4H1FT922904444 is selected as the primary because its uptime is larger than peer member FG4H1FT922903333.
<2026/02/11 02:46:27> vcluster-1: FG4H1FT922904444 is selected as the primary because it's the only member in the cluster.
<2026/02/11 02:46:23> vcluster-1: FG4H1FT922904444 is selected as the primary because the value of link-failure + pingsvr-failure is less than peer member FG4H1FT922903333.
<2026/02/11 02:42:49> vcluster-1: FG4H1FT922904444 is selected as the primary because it's the only member in the cluster.
ses_pickup: enable, ses_pickup_delay=disable
override: disable
Configuration Status:
FG4H1FT922904444(updated 5 seconds ago): in-sync
FG4H1FT922904444 chksum dump: bd 22 46 7c 8c bb f6 c6 73 54 f6 d2 d2 18 5a 1c
FG4H1FT922903333(updated 1 seconds ago): in-sync
FG4H1FT922903333 chksum dump: bd 22 46 7c 8c bb f6 c6 73 54 f6 d2 d2 18 5a 1c
System Usage stats:
FG4H1FT922904444(updated 5 seconds ago):
sessions=141, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=28%
FG4H1FT922903333(updated 1 seconds ago):
sessions=14, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=28%
HBDEV stats:
FG4H1FT922904444(updated 5 seconds ago):
ha: physical/1000auto, up, rx-bytes/packets/dropped/errors=4451813/18881/0/0, tx=27633523/26727/0/0
FG4H1FT922903333(updated 1 seconds ago):
ha: physical/1000auto, up, rx-bytes/packets/dropped/errors=26923055/24401/0/0, tx=4104707/17586/0/0
MONDEV stats:
FG4H1FT922904444(updated 5 seconds ago):
po1: aggregate/00, up, rx-bytes/packets/dropped/errors=51451719/86317/0/0, tx=11192875/63943/0/0
po2: aggregate/00, up, rx-bytes/packets/dropped/errors=1856442/13545/0/0, tx=7439384/11524/0/0
FG4H1FT922903333(updated 1 seconds ago):
po1: aggregate/00, up, rx-bytes/packets/dropped/errors=422826/4005/0/0, tx=27924/157/0/0
po2: aggregate/00, up, rx-bytes/packets/dropped/errors=382016/3818/0/0, tx=23840/153/0/0
number of member: 2
FW01_SEC, FG4H1FT922904444, HA cluster index = 1
FW01_PRI, FG4H1FT922903333, HA cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.2
Primary: FG4H1FT922904444, HA operating index = 0
Secondary: FG4H1FT922903333, HA operating index = 1
To reset the Secondary uptime, use the diagnose sys ha reset-uptime command. This will disconnect your current HTTPS/GUI session.
FW01_SEC (global) # diagnose sys ha reset-uptime
Once you've logged back in, notice that the device hostname is back to that of the original Primary firewall.
FW01_PRI (global) # get system ha status
HA Health Status: OK
Model: FortiGate-4xxF
Mode: HA A-P
Group Name: FW01_CLUSTER
Group ID: 0
Debug: 0
Cluster Uptime: 6 days 13h:28m:37s
Cluster state change time: 2026-02-11 03:16:05 //
Primary selected using:
<2026/02/11 03:16:05> vcluster-1: FG4H1FT922903333 is selected as the primary because its uptime is larger than peer member FG4H1FT922902544.
<2026/02/11 02:49:32> vcluster-1: FG4H1FT922904444 is selected as the primary because its uptime is larger than peer member FG4H1FT922903333.
ses_pickup: enable, ses_pickup_delay=disable
override: disable
Configuration Status:
FG4H1FT922903333(updated 4 seconds ago): in-sync
FG4H1FT922903333 chksum dump: bd 22 46 7c 8c bb f6 c6 73 54 f6 d2 d2 18 5a 1c
FG4H1FT922904444(updated 4 seconds ago): in-sync
FG4H1FT922904444 chksum dump: bd 22 46 7c 8c bb f6 c6 73 54 f6 d2 d2 18 5a 1c
System Usage stats:
FG4H1FT922903003(updated 4 seconds ago):
sessions=112, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=28%
FG4H1FT922904444(updated 4 seconds ago):
sessions=28, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=28%
HBDEV stats:
FG4H1FT922903333(updated 4 seconds ago):
ha: physical/1000auto, up, rx-bytes/packets/dropped/errors=29469319/30468/0/0, tx=6424709/23514/0/0
FG4H1FT922904444(updated 4 seconds ago):
ha: physical/1000auto, up, rx-bytes/packets/dropped/errors=6786743/24841/0/0, tx=30193967/32825/0/0
MONDEV stats:
FG4H1FT922903333(updated 4 seconds ago):
po1: aggregate/00, up, rx-bytes/packets/dropped/errors=1689444/9284/0/0, tx=523774/2771/0/0
po2: aggregate/00, up, rx-bytes/packets/dropped/errors=791925/7447/0/0, tx=1255468/1865/0/0
FG4H1FT922904444(updated 4 seconds ago):
po1: aggregate/00, up, rx-bytes/packets/dropped/errors=54864434/101059/0/0, tx=14252015/75175/0/0
po2: aggregate/00, up, rx-bytes/packets/dropped/errors=2300163/18051/0/0, tx=8158689/15016/0/0
number of member: 2
FW01_PRI, FG4H1FT922903333, HA cluster index = 0
FW01_SEC, FG4H1FT922904444, HA cluster index = 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Primary: FG4H1FT922903333, HA operating index = 0
Secondary: FG4H1FT922904444, HA operating index = 1
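As an added example (not from the original post or from Fortinet), the Python below parses a saved "get system ha status" capture and reports when the acting primary is not the intended one, which is the check done by eye in the steps above. The function names and the intended-primary parameter are assumptions; the sample text is trimmed from the first capture on this page.

```python
import re

# Trimmed from the first "get system ha status" capture on this page.
SAMPLE = """\
Primary selected using:
<2026/02/11 02:49:32> vcluster-1: FG4H1FT922904444 is selected as the primary because its uptime is larger than peer member FG4H1FT922903333.
<2026/02/11 02:46:27> vcluster-1: FG4H1FT922904444 is selected as the primary because it's the only member in the cluster.
override: disable
FG4H1FT922904444(updated 5 seconds ago): in-sync
FG4H1FT922904444 chksum dump: bd 22 46 7c 8c bb f6 c6 73 54 f6 d2 d2 18 5a 1c
FG4H1FT922903333(updated 1 seconds ago): in-sync
FG4H1FT922903333 chksum dump: bd 22 46 7c 8c bb f6 c6 73 54 f6 d2 d2 18 5a 1c
FW01_SEC, FG4H1FT922904444, HA cluster index = 1
FW01_PRI, FG4H1FT922903333, HA cluster index = 0
Primary: FG4H1FT922904444, HA operating index = 0
Secondary: FG4H1FT922903333, HA operating index = 1
"""

def parse_ha_status(text):
    """Extract acting roles, the latest election reason and sync state."""
    hosts = {sn: name for name, sn in
             re.findall(r"^(\S+), (\S+), HA cluster index = \d+", text, re.M)}
    roles = dict(re.findall(r"^(Primary|Secondary): (\S+),", text, re.M))
    events = re.findall(
        r"^<([\d/ :]+)> vcluster-\d+: (\S+) is selected as the primary because (.+?)\.?$",
        text, re.M)
    sums = set(re.findall(r"chksum dump: ([0-9a-f ]+)$", text, re.M))
    override = re.search(r"^override: (\w+)", text, re.M)
    return {
        "primary": hosts.get(roles.get("Primary")),
        "secondary": hosts.get(roles.get("Secondary")),
        "override": override.group(1) if override else None,
        "last_election": events[0] if events else None,  # newest entry is listed first
        "in_sync": len(sums) == 1,  # every member reports the same checksum
    }

def check_roles(text, intended_primary):
    """Return findings; an empty list means roles and sync match the design."""
    st, findings = parse_ha_status(text), []
    if st["primary"] != intended_primary:
        findings.append(f"{st['primary']} is acting primary, expected {intended_primary}")
        if st["last_election"] and "uptime is larger" in st["last_election"][2]:
            findings.append("role was decided by uptime; the post reverts it with reset-uptime")
    if not st["in_sync"]:
        findings.append("configuration checksums differ between members")
    return findings

if __name__ == "__main__":
    print(check_roles(SAMPLE, "FW01_PRI"))
```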