fran1942
New Member
November 20, 2017
Question

Fortigate HA port monitoring


Hello, we have two 500D Fortigates in an HA Master / Slave relationship. They both have two redundant, identical uplink WAN connections (ports 13 and 14) and two redundant, identical LAN connections (ports 1 and 3). Ports 15 and 16 are the HA heartbeat links between both members of the cluster. In our situation, is there any advantage of us configuring Link failover (port monitoring / interface monitoring)?

I was thinking if the master Fortigate lost both LAN or WAN ports then the cluster would not failover because the heartbeats would still be working; however, if we had port monitoring in place, then failover would occur. Does anyone agree with this? See attached screenshot.

Thank you kindly for any advice.


    btp
    New Member
    November 20, 2017

    You would need port monitoring on both sides, as well as link-monitoring to the PE or anything that should be reachable in a normal situation. If you have one primary master (override enable, priority high), you need link-monitoring on the primary WAN link only.


    If something happens on your main link, that does not take down the interface (i.e. link-down beyond first node), link-monitor will save your ass.
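
    Applied to the topology in the question (ports 13/14 WAN, ports 1/3 LAN, ports 15/16 heartbeat), the two mechanisms btp describes look like this in FortiOS CLI. This is an added example, not configuration posted by anyone in the thread. The group name, the password placeholder, the PE address 203.0.113.1 (RFC 5737 documentation range), the priority values and the timer/threshold values are assumptions; the option names follow the FortiOS 5.x CLI, so confirm them with `?` on your release before pasting.

```fortios
# Added example, not from the thread. Apply on BOTH cluster members;
# only "priority" should differ if you want a fixed primary.
config system ha
    set group-name "fgt-cluster"            # assumed name
    set mode a-p                            # active-passive, as in the question
    set password "<cluster-password>"       # placeholder
    set hbdev "port15" 50 "port16" 100      # heartbeat links from the question
    # Interface monitoring: link-down on ANY of these ports counts against
    # this unit in primary selection, even while the heartbeat stays up.
    # Only monitor ports that are cabled on both members.
    set monitor "port1" "port3" "port13" "port14"
    # Remote link failover: tie the link-monitor below into HA so that an
    # upstream failure (port physically up, PE unreachable) also fails over.
    set pingserver-monitor-interface "port13"
    set pingserver-failover-threshold 1     # assumed: one failed monitor is enough
    set pingserver-flip-timeout 60          # minutes before flipping back (assumed)
    set override enable                     # fixed primary, per btp
    set priority 200                        # use a lower value on the secondary
end

# Link monitor on the primary WAN link: pings the PE through port13
config system link-monitor
    edit "wan-pe"
        set srcintf "port13"
        set server "203.0.113.1"            # assumed PE address
        set gateway-ip 203.0.113.1
        set protocol ping
        set failtime 5                      # consecutive misses before "down"
        set recoverytime 5                  # consecutive replies before "up"
        set ha-priority 1                   # weight compared against the HA threshold
        set update-cascade-interface enable
        set update-static-route enable
        set status enable
    next
end
```

    Check the result with `get system ha status` (monitored interfaces and the reason for the last failover) and `diagnose sys link-monitor status` (per-monitor up/down state). Note the asymmetry: interface monitoring reacts to a single monitored port losing link, so a port that is deliberately left unplugged on the secondary must not be in the `monitor` list, or the cluster will prefer the other unit for the wrong reason.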

    packetpusher
    New Member
    November 20, 2017

    If port monitoring is enabled on any of the desired interface(s), a link failure will be detected (assuming we are discussing an active-standby HA scenario) and then whichever is the master unit will assume a backup/standby role.


    Thank you

    emnoc
    New Member
    November 20, 2017

    I have to agree with BTP, you want both.