Fortigate HA Cluster Test

FortiGate high availability (HA) provides a solution for two key requirements of critical enterprise networking components: enhanced reliability and increased performance. FortiGate HA consists of two or more FortiGate units operating as an HA cluster. To the network, the HA cluster appears to function as a single FortiGate unit, processing network traffic and providing normal security services such as firewall, VPN, IPS, virus scanning, web filtering, and spam filtering services.

Inside the cluster the individual FortiGate units are called cluster units. These cluster units share state and configuration information. If one cluster unit fails, the other units in the cluster automatically replace that unit, taking over the work that the failed unit was doing. The cluster continues to process network traffic and provide normal FortiGate services with virtually no interruption. The ability of an HA cluster to continue providing firewall services after a failure, is called failover.

A second HA feature, called load balancing, can be used to increase firewall performance. A cluster of FortiGate units can increase overall network performance by sharing the load of processing network traffic and providing security services. Periodically, you may want to check the network traffic processed by each cluster unit, so as to assess the efficiency with which the HA cluster balances load, isolate overloaded units, and thereby spot load balancing irregularities (if any) early.

The Fortigate HA Cluster test enables you to achieve this end. This test monitors each Fortigate unit in an HA cluster, reports the resource usage of each unit, and also tracks the network traffic processed by every unit, so that resource-hungry and overloaded units can be quickly identified.

Target of the test : A FortiGate Firewall

Agent deploying the test : An external agent

Outputs of the test : One set of results for each cluster unit monitored.

Configurable parameters for the test
Parameter Description

Test Period

How often should the test be executed.


The IP address of the host for which this test is to be configured.


Refers to the port at which the specified host listens to.


The port at which the monitored target exposes its SNMP MIB; The default value is 161.


By default, the eG agent supports SNMP version 1. Accordingly, the default selection in the SNMPversion list is v1. However, if a different SNMP framework is in use in your environment, say SNMP v2 or v3, then select the corresponding option from this list.


The SNMP community name that the test uses to communicate with the firewall. This parameter is specific to SNMP v1 and v2 only. Therefore, if the SNMPVersion chosen is v3, then this parameter will not appear.


This parameter appears only when v3 is selected as the SNMPVersion. SNMP version 3 (SNMPv3) is an extensible SNMP Framework which supplements the SNMPv2 Framework, by additionally supporting message security, access control, and remote SNMP configuration capabilities. To extract performance statistics from the MIB using the highly secure SNMP v3 protocol, the eG agent has to be configured with the required access privileges – in other words, the eG agent should connect to the MIB using the credentials of a user with access permissions to be MIB. Therefore, specify the name of such a user against this parameter. 


This parameter appears only when v3 is selected as the SNMPVersion. An SNMP context is a collection of management information accessible by an SNMP entity. An item of management information may exist in more than one context and an SNMP entity potentially has access to many contexts. A context is identified by the SNMPEngineID value of the entity hosting the management information (also called a contextEngineID) and a context name that identifies the specific context (also called a contextName). If the Username provided is associated with a context name, then the eG agent will be able to poll the MIB and collect metrics only if it is configured with the context name as well. In such cases therefore, specify the context name of the Username in the Context text box.  By default, this parameter is set to none.


Specify the password that corresponds to the above-mentioned Username. This parameter once again appears only if the SNMPversion selected is v3.

Confirm Password

Confirm the AuthPass by retyping it here.


This parameter too appears only if v3 is selected as the SNMPversion. From the AuthType list box, choose the authentication algorithm using which SNMP v3 converts the specified username and password into a 32-bit format to ensure security of SNMP transactions. You can choose between the following options:

  • MD5 - Message Digest Algorithm
  • SHA - Secure Hash Algorithm
  • SHA224 - Secure Hash Algorithm 224 bit
  • SHA256 - Secure Hash Algorithm 256 bit
  • SHA384 - Secure Hash Algorithm 384 bit
  • SHA512 - Secure Hash Algorithm 512 bit


This flag appears only when v3 is selected as the SNMPversion. By default, the eG agent does not encrypt SNMP requests. Accordingly, the this flag is set to No by default. To ensure that SNMP requests sent by the eG agent are encrypted, select the Yes option. 


If the EncryptFlag is set to Yes, then you will have to mention the encryption type by selecting an option from the EncryptType list. SNMP v3 supports the following encryption types:

  • DES - Data Encryption Standard
  • 3DES - Triple Data Encryption Standard
  • AES - Advanced Encryption Standard
  • AES128 - Advanced Encryption Standard 128 bit
  • AES192 - Advanced Encryption Standard 192 bit
  • AES256 - Advanced Encryption Standard 256 bit


Specify the encryption password here.

Confirm Password

Confirm the encryption password by retyping it here.


Specify the duration (in seconds) within which the SNMP query executed by this test should time out in this text box. The default is 10 seconds.

Data Over TCP

By default, in an IT environment, all data transmission occurs over UDP. Some environments however, may be specifically configured to offload a fraction of the data traffic – for instance, certain types of data traffic or traffic pertaining to specific components – to other protocols like TCP, so as to prevent UDP overloads. In such environments, you can instruct the eG agent to conduct the SNMP data traffic related to the monitored target over TCP (and not UDP). For this, set this flag to Yes. By default, this flag is set to No.


This parameter appears only when v3 is selected as the SNMPVersion. Sometimes, the test may not report metrics when AES192 or AES256 is chosen as the Encryption type. To ensure that the test report metrics consistently, administrators need to set this flag to Yes. By default, this parameter is set to No.

Measurements made by the test
Measurement Description Measurement Unit Interpretation

Cpu utilization

This metric represents the current CPU usage of this unit of the firewall cluster.


A value close to 100% indicates a CPU bottleneck on a cluster unit. Compare the value of this measure across cluster units to identify the CPU-hungry unit.

Memory usage

This metric represents the current memory usage of this firewall cluster unit.


A consistent increase in the value of this measure could indicate that a cluster unit is experiencing a memory drain.

Compare the value of this measure across cluster units to identify the memory-hungry unit.

Network usage

This metric indicates the current network utilization of this firewall cluster unit.


By comparing the value of this measure across cluster units you can accurately isolate overloaded units, and in the process proactively detect load-balancing irregularities in the cluster. 

Packets processed

This metric is the rate of packets processed by the firewall cluster unit during the last measurement period.



Data processed

This metric is the data traffic handled by the firewall cluster unit during the last measurement period, expressed in KB.



Active session count

This metric is the current active sessions to the firewall cluster unit.


A high value of this measure could indicate a session overload on a cluster unit.

Virus detected

This value is the number of viruses the antivirus system detected in the last measurement period.



Intrusions blocked

This value is the number of attacks that the IDS/IPS detected during the last measurement period


An IPS is an Intrusion Prevention System for networks. While early systems focused on intrusion detection, the continuing rapid growth of the Internet, and the potential for the theft of sensitive data, has resulted in the need for not only detection, but prevention. The FortiGate IPS detects intrusions by using attack signatures for known intrusion methods, and detects anomalies in network traffic to identify new or unknown intrusions. Not only can the IPS detect and log attacks, but users can choose actions to take on the session when an attack is detected.

Using sniffer policies you can configure a FortiGate unit interface to operate as a one-arm intrusion detection system (IDS) appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets.