November 18, 2004

Technical Tip: HA with third-party products

Description:

This article provides information about operating FortiGate clusters with third-party products such as layer-2 and layer-3 switches.

Scope:

FortiGate.

Solution:

This applies when FortiGate is operating in High Availability (HA) mode in conjunction with switches and routers from other vendors.

Layer 2 Considerations:

Layer 2 switches are commonly used to connect FortiGate units in an HA cluster. The following points ensure compatibility and stability:

  • Spanning Tree Protocol (STP): Use Rapid STP (RSTP) or Multiple STP (MSTP) for quicker convergence. Ensure total delay (max age + forward delay) is under 20 seconds to align with FortiGate's heartbeat and failover logic.

  • BPDU Handling: On ports connecting to FortiGates, consider disabling STP if there is no risk of loops, or use BPDU Guard/BPDU Filter to prevent misbehavior during failover.

  • Port Fast / Edge Port Mode: Enable this on switch ports connected to FortiGate HA units to bypass STP delays during port initialization.

  • Link Aggregation (LACP): For redundant links, configure LACP where supported by both FortiGate and the switch.

Layer 3 Switching & Routing Considerations:

When FortiGate HA clusters connect through Layer 3 switches or routers, especially across subnets or routed topologies:

  • Gratuitous ARP: Ensure the Layer 3 device correctly handles Gratuitous ARP (GARP) so that MAC-to-IP mappings update quickly upon failover.

  • Static ARP Entries: In some cases, it may be necessary to manually clear or update ARP entries on third-party routers to prevent stale MAC address associations.

  • Dynamic Routing Protocols: For more advanced setups, FortiGate supports OSPF and BGP to dynamically update route tables. Ensure routing protocols converge quickly upon failover.

  • VRRP/HSRP Compatibility: If using Layer 3 redundancy protocols on upstream devices, coordinate with FortiGate's HA role and routing behavior to prevent route conflicts.

  • Link Fail Signal: When enabled, the cluster brings the monitored interfaces down after a failover so that the connected switches can update their MAC address tables. Enable it with:

    config system ha
        set link-failed-signal enable
    end
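As an added example that is not part of the original article, the following Python script audits a constructed FortiOS 'config system ha' block and a constructed set of switch STP settings against the checklist above. The switch settings are expressed as a plain dictionary rather than any vendor's configuration syntax, and the 20-second convergence budget is the figure quoted in the STP item above.

```python
import re

# Constructed sample of a FortiOS HA block, in the same format as the CLI shown above.
FORTIOS_HA = """
config system ha
    set group-name "cluster1"
    set mode a-p
    set monitor "port1" "port2"
    set link-failed-signal enable
end
"""

# Constructed switch-side STP settings (seconds); vendor-neutral, not a real switch config.
SWITCH_STP = {"mode": "rstp", "max_age": 20, "forward_delay": 15,
              "edge_port": True, "bpdu_guard": True}

STP_BUDGET_SECONDS = 20  # max age + forward delay should stay under this (per the article)


def parse_ha_block(text):
    """Return {setting: value} for the 'config system ha' block, quotes stripped."""
    block = re.search(r"config system ha\n(.*?)\n\s*end", text, re.S)
    if not block:
        return {}
    settings = {}
    for line in block.group(1).splitlines():
        m = re.match(r"\s*set (\S+) (.+)", line)
        if m:
            settings[m.group(1)] = m.group(2).replace('"', "").strip()
    return settings


def stp_delay(timers):
    """Worst-case STP convergence delay a blocked port may impose."""
    return timers["max_age"] + timers["forward_delay"]


def audit(ha_text, stp):
    """Return a list of findings; an empty list means every checklist item is met."""
    ha = parse_ha_block(ha_text)
    findings = []
    delay = stp_delay(stp)
    if delay >= STP_BUDGET_SECONDS:
        findings.append(f"STP convergence {delay}s exceeds {STP_BUDGET_SECONDS}s budget")
    if stp["mode"] not in ("rstp", "mstp"):
        findings.append("legacy STP in use; prefer RSTP or MSTP")
    if not stp["edge_port"]:
        findings.append("FortiGate-facing ports are not edge/portfast ports")
    if not stp["bpdu_guard"]:
        findings.append("no BPDU Guard/Filter on FortiGate-facing ports")
    if ha.get("link-failed-signal") != "enable":
        findings.append("link-failed-signal not enabled; switches rely on GARP alone")
    return findings
```

Running audit(FORTIOS_HA, SWITCH_STP) flags only the 35-second STP convergence, since default timers (20 s max age plus 15 s forward delay) exceed the budget even when everything else is configured as recommended.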