What are the heartbeat interface IP addresses on FortiGate HA deployments?

A quick reminder on some important IPs.

💡 This is part of an ongoing series on cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.

In order for FortiGate firewalls to communicate in a high-availability cluster, they need to know how to reach one another. Think of it like calling someone on the phone: if you don't know the other person's phone number, you don't have enough information to get communication started. So, how does this work for clustering? What are the HA addresses, and how do they get chosen?

It's actually pretty simple.

During the initial HA setup/negotiation, the FortiGate Clustering Protocol (FGCP) looks at the serial numbers of all the units in that cluster. It then sorts the serial numbers from highest to lowest and assigns each unit a listening IP in the address range 169.254.0.0/26. So, for example:

  • 169.254.0.1 would be used by the FortiGate with the highest serial value.
  • 169.254.0.2 would be used by the FortiGate with the next highest serial value.
  • And so on for the remaining cluster members.
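
As an added example (not code from the original post or from Fortinet), the script below applies that rule to a constructed set of serial numbers to predict which heartbeat IP each unit should end up with, and classifies a candidate address against the 169.254.0.0/26 range and the two reserved addresses (169.254.0.65 and 169.254.0.66) mentioned in the resource below. It assumes "highest serial value" means plain string comparison of the serial numbers.

```python
import ipaddress

# Heartbeat range described in the article.
HA_HEARTBEAT_NET = ipaddress.ip_network("169.254.0.0/26")
# Two addresses the linked resource says an HA cluster will not let you use.
RESERVED = {
    ipaddress.ip_address("169.254.0.65"),
    ipaddress.ip_address("169.254.0.66"),
}

# Constructed sample serials (not real FortiGate serial numbers).
SAMPLE_SERIALS = [
    "FGT-CONSTRUCTED-0001",
    "FGT-CONSTRUCTED-0003",
    "FGT-CONSTRUCTED-0002",
]


def assign_heartbeat_ips(serials):
    """Map each cluster member's serial to its expected FGCP heartbeat IP.

    Serials are sorted from highest to lowest (string comparison is an
    assumption here) and the members receive 169.254.0.1, 169.254.0.2, ...
    in that order.
    """
    if len(set(serials)) != len(serials):
        raise ValueError("duplicate serial numbers in cluster")
    ordered = sorted(serials, reverse=True)
    base = HA_HEARTBEAT_NET.network_address
    assignments = {}
    for index, serial in enumerate(ordered, start=1):
        ip = base + index
        # A /26 holds 62 usable hosts; refuse to run past the range.
        if ip not in HA_HEARTBEAT_NET or ip == HA_HEARTBEAT_NET.broadcast_address:
            raise ValueError(f"cluster too large for {HA_HEARTBEAT_NET}")
        assignments[serial] = str(ip)
    return assignments


def classify_address(ip_text):
    """Tell whether an address collides with the HA heartbeat scheme."""
    ip = ipaddress.ip_address(ip_text)
    if ip in RESERVED:
        return "reserved"
    if ip in HA_HEARTBEAT_NET:
        return "heartbeat"
    return "free"


if __name__ == "__main__":
    for serial, ip in assign_heartbeat_ips(SAMPLE_SERIALS).items():
        print(f"{serial} -> {ip}")
```

Running it shows the highest constructed serial taking 169.254.0.1, which is the ordering a defender can compare against `get system ha status` output when a member's heartbeat address looks wrong.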

That's it! Nice and simple, right? For more information, check out these resources:

  • Explaining why IPs 169.254.0.65 or 169.254.0.66 cannot be used on FortiGates in an HA cluster: why 169.254.0.65 and 169.254.0.66 cannot be used and respond to pings on FortiGates in an HA cluster when not in use in the network. Scope: FortiGate in FGCP cluster. Solution: FortiGates in an HA cluster will prevent the use of IPs 169.254.0.65 and 169.254.0.66 but will be able to ping them successfu…