Accessing Secondary FortiGate Units in HA Clusters: A Complete Guide

For network administrators managing FortiGate high availability (HA) clusters, a common challenge arises: how to directly access the secondary unit's graphical interface. This comprehensive guide explores the solutions, configuration methods, and limitations based on technical documentation and community expertise.

The Core Challenge: Why Secondary Units Become "Invisible"

When FortiGate firewalls are configured in an HA cluster (both Active-Passive and Active-Active modes), they present themselves as a single logical entity to the network. According to discussions on StackExchange, once clustered, units share identical IP addresses and MAC addresses on their data interfaces. The master unit's addresses become the cluster's addresses, while the secondary's original addresses are effectively overwritten and hidden.

This design ensures seamless failover—connections don't need to re-establish when units switch roles—but it creates an accessibility dilemma. The secondary unit becomes inaccessible via its pre-cluster IP address, leaving administrators with limited options for direct management.

Primary Solution: Reserved Management Interfaces

The most robust method for accessing both cluster members independently involves configuring dedicated management interfaces. This approach, detailed on InfosecMonkey and Fortinet's community forums, creates a separate management path to each physical device.

Configuration Requirements

  1. Physical Port Selection: Choose a dedicated physical interface on each FortiGate (commonly labeled as a management port on mid-range and high-end models). These ports should be set to dedicated-to management and must not carry regular forwarded traffic.

  2. Unique IP Addressing: Assign each unit a unique IP address within the same management subnet. For example:

    • Primary unit: 10.10.10.140/24
    • Secondary unit: 10.10.10.141/24

  3. HA Management Configuration: Configure the HA settings to recognize these interfaces as management paths with appropriate gateway settings.

Step-by-Step Configuration

On the Master Firewall (the reserved management feature must be switched on with ha-mgmt-status before the ha-mgmt-interfaces table takes effect):

config system interface
    edit "port15"
        set vdom "root"
        set ip 10.10.10.140 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set dedicated-to management
        set role lan
    next
end
config system ha
    set group-name "HA-GROUP"
    set mode a-p
    set hbdev "ha" 50 "port16" 100
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port15"
            set gateway 10.10.10.1
        next
    end
end

On the Secondary Firewall (same structure; only the management IP and the HA priority differ):

config system interface
    edit "port15"
        set vdom "root"
        set ip 10.10.10.141 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set dedicated-to management
        set role lan
    next
end
config system ha
    set group-name "HA-GROUP"
    set mode a-p
    set priority 120
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port15"
            set gateway 10.10.10.1
        next
    end
end

Important Note: The management interface configuration on the secondary unit does not synchronize from the master and must be configured separately, either before joining the cluster or through direct console access.

Alternative Access Methods

CLI Management via Master Unit

For quick diagnostic access without dedicated management interfaces:

  1. Connect to the master unit via SSH or console
  2. Use the command execute ha manage ? to see cluster member numbers
  3. Access the secondary with execute ha manage 1 (where "1" typically represents the secondary unit)
  4. Return to the master with execute ha manage 0

This method provides CLI-only access and is useful for troubleshooting, firmware updates, or examining the secondary's status.

Port-Based Access on Chassis Models

For FortiGate chassis models (like the 6000 series), a different approach exists:

  • Master unit: https://cluster-IP:443
  • Secondary unit: https://cluster-IP:44320 (where the last digit varies by slot position)

This port differentiation allows GUI access to individual cluster members without separate IP addresses.

Practical Considerations and Limitations

Hardware Compatibility

  • Mid-range and high-end models (100D and above) typically include dedicated management ports
  • Entry-level models (like the 60D) generally lack these specialized ports, limiting direct access options
  • Chassis-based systems offer slot-based port addressing as mentioned above

Network Design Implications

When implementing reserved management interfaces:

  • Ensure the management network is highly available but separate from data traffic
  • Consider security implications of additional access paths
  • Implement appropriate access controls and authentication for management interfaces

Synchronization Exceptions

Most configuration elements synchronize from master to secondary, but these do not:

  • Device hostnames
  • HA-specific parameters (like priority)
  • Reserved management interface settings
  • Some hardware-specific configurations

Troubleshooting Common Issues

Management Interface Connectivity Problems

  1. Verify physical connectivity between management ports and switches
  2. Check IP configuration on both units (must be in same subnet but different addresses)
  3. Confirm gateway accessibility from management interfaces
  4. Validate allowaccess settings include necessary protocols (https, ssh)
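Checks 2 and 4 above can be scripted against the two `config system interface` stanzas (for example, the output of `show system interface port15` saved from each unit). The script below is an added example, not from the page or from Fortinet; the two config strings are constructed sample input that mirrors the port15 stanzas used in this guide, and it additionally flags cleartext `http` on a management interface as a finding.

```python
import ipaddress
import re

# Constructed sample input: the reserved-management stanza from each unit,
# matching the port15 configuration shown earlier in this guide.
PRIMARY_CFG = """
config system interface
    edit "port15"
        set vdom "root"
        set ip 10.10.10.140 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set dedicated-to management
        set role lan
    next
end
"""
SECONDARY_CFG = PRIMARY_CFG.replace("10.10.10.140", "10.10.10.141")


def parse_interface(cfg: str) -> dict:
    """Extract name, address/mask, allowaccess set and dedicated-to from one stanza."""
    name = re.search(r'edit "([^"]+)"', cfg)
    ip = re.search(r"set ip (\S+) (\S+)", cfg)
    allow = re.search(r"set allowaccess (.+)", cfg)
    dedicated = re.search(r"set dedicated-to (\S+)", cfg)
    return {
        "name": name.group(1) if name else None,
        # ipaddress accepts "addr/netmask", so the FortiOS two-token form maps directly
        "iface": ipaddress.ip_interface(f"{ip.group(1)}/{ip.group(2)}") if ip else None,
        "allowaccess": set(allow.group(1).split()) if allow else set(),
        "dedicated": dedicated.group(1) if dedicated else None,
    }


def check_mgmt_pair(primary_cfg: str, secondary_cfg: str) -> list:
    """Return findings for the management-interface pair; an empty list means it passes."""
    a, b = parse_interface(primary_cfg), parse_interface(secondary_cfg)
    findings = []
    for tag, u in (("primary", a), ("secondary", b)):
        if u["dedicated"] != "management":
            findings.append(f"{tag}: {u['name']} is not dedicated-to management")
        if not {"https", "ssh"} <= u["allowaccess"]:
            findings.append(f"{tag}: allowaccess lacks https/ssh")
        if "http" in u["allowaccess"]:
            findings.append(f"{tag}: cleartext http enabled on management interface")
    if a["iface"] is None or b["iface"] is None:
        findings.append("missing 'set ip' on one or both units")
    elif a["iface"].network != b["iface"].network:
        findings.append("management IPs are not in the same subnet")
    elif a["iface"].ip == b["iface"].ip:
        findings.append("both units use the same management IP")
    return findings
```

Run against the guide's own stanzas it reports only the two `http` findings; feeding it the same stanza twice reproduces the duplicate-address case from check 2.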

HA Synchronization Conflicts

If the secondary unit refuses management interface configuration:

  1. Temporarily disable HA on the secondary (if safely possible)
  2. Configure the management interface before joining the cluster
  3. Re-enable HA and verify configuration persistence

Best Practices for Secondary Unit Management

  1. Document all access methods including IP addresses, ports, and credentials
  2. Test failover scenarios regularly, including management access during role transitions
  3. Monitor both units independently where possible, especially for hardware health indicators
  4. Establish change procedures that consider both cluster members during updates
  5. Implement backup connections such as console access for emergency scenarios

Conclusion

Direct access to secondary FortiGate units in HA clusters, while not the default configuration, is both possible and valuable for comprehensive network management. The reserved management interface method provides the most flexible approach, offering full GUI access to both cluster members. When hardware limitations preclude this option, CLI access through the master unit or port-based access on chassis systems offer viable alternatives.

As with all network architecture decisions, the chosen method should balance operational needs, security requirements, and hardware capabilities. Proper implementation of secondary unit access enhances troubleshooting capabilities, simplifies maintenance, and provides greater visibility into cluster operations—all contributing to more resilient network infrastructure.


Frequently Asked Questions

Why can't I access my secondary FortiGate after setting up HA?

In HA clusters, all data interfaces share the master unit's IP and MAC addresses for seamless failover. The secondary's original addresses are disabled, making it inaccessible through standard network paths unless you configure dedicated management interfaces.

Which FortiGate models support reserved management interfaces?

Mid-range and high-end models (typically 100D and above) include dedicated management ports that can be configured for reserved management access. Entry-level devices usually lack this capability.

Can I configure the secondary's management interface through the master?

No, reserved management interface settings do not synchronize between cluster members. You must configure them separately on each device, either before joining the cluster or via direct console access.

Is it safe to enable direct access to the secondary unit?

With proper security measures—strong authentication, network segmentation, and access controls—direct secondary access is safe and beneficial for monitoring and troubleshooting. However, configuration changes should generally be made only on the master unit.

What if I need to access the secondary but don't have management ports?

You have two alternatives: 1) Use CLI access through the master (execute ha manage 1), or 2) On chassis models, use port-based addressing (like :44320 for the secondary). For entry-level devices without these options, console cable access may be necessary.

Do I need different licenses for both units when accessing separately?

No, FortiGate HA clusters use a single license for the cluster. Both units operate under the master's license regardless of how you access them.