HA remote IP monitoring (also called HA ping server) is a function where the FortiGate checks and monitors upstream network connectivity and can choose to trigger an HA failover if upstream connectivity is lost. This is done by sending ICMP pings to an upstream target server, and it is similar in function to HA port monitoring (i.e., if an interface is considered to have failed and the HA Primary has more failed interfaces than the Secondary, then trigger a failover).

For example, consider a topology where the HA Primary FortiGate connects to an upstream switch, and that upstream switch has recently lost its uplink to the rest of the network. The FortiGate's physical connection is still up and running, but the connectivity is silently broken unless the FortiGate tests for upstream connectivity using HA remote IP monitoring (i.e., by pinging an upstream server and checking that responses are received).

To detect this failure, it is possible to create a remote IP monitoring configuration consisting of a ping server on port2 of the cluster. The primary unit tests connectivity to 192.168.20.20, and if it cannot reach the server, then the cluster performs a failover. This allows the Secondary FortiGate to become the new Primary, and connectivity to the upstream network (including the Internet) is restored.

To configure remote IP monitoring:

1. Enter the following commands to configure HA remote IP monitoring for the example topology.
   
   • Enter the pingserver-monitor-interface keyword to enable HA remote IP monitoring on port2.
   • Enter the pingserver-failover-threshold keyword to set the HA remote IP monitoring failover threshold to 10.
     If one or more ping servers fail, cluster failover occurs when the priority of all failed ping servers reaches or exceeds this threshold. Set the priority for each ping server using the ha-priority keyword described in Step 2 below.

1. • Enter the pingserver-flip-timeout keyword to set the flip timeout to 120 minutes (can be set from 6 - 2147483647). This timer prevents the cluster from constantly performing failovers if the new HA Primary unit also detects a failure due to HA remote IP monitoring (i.e., upstream connectivity is lost for all HA members), so setting it to 120 means that the next failover by this feature will not occur for at least 120 minutes.

config system ha

    set pingserver-monitor-interface port2
    set pingserver-failover-threshold 10
    set pingserver-flip-timeout 120

end

2. Enter the following commands to add the ping server to the port2 interface and to set the HA remote IP monitoring priority for this ping server.
   • Enter the detectserver keyword to add the ping server and set the ping server IP address to 192.168.20.20.
   • Enter the ha-priority keyword to set the HA remote IP monitoring priority of the ping server to 10. If this ping server does not connect to 192.168.20.20, then a value of 10 is added to the HA ping server failover counter, and since that counter meets the threshold, it will trigger a failover.

config system interface

edit port2

set detectserver 192.168.20.20
set ha-priority 10

next

end

It is possible to set the interval keyword under config global to change the time interval between ping server pings, and the failtime keyword can be used to set the number of ping failures that must occur for the interface to be considered as failed. 

It is also possible to do the following to configure HA remote IP monitoring to test more IP addresses:

• Enable HA remote IP monitoring on more interfaces by adding more interface names to the pingserver-monitor-interface keyword.
• If the FortiGate configuration includes VLAN interfaces, aggregate interfaces and other interface types, it is possible to add the names of these interfaces to the pingserver-monitor-interface keyword to configure HA remote IP monitoring for these interfaces.
• Add HA ping servers to other interfaces using the detectserver keyword to add the ping server and the ha-priority keyword to make the ping server an HA ping server and configure the priority of the ping server.
• Add a second IP address to the detectserver keyword to monitor two IP addresses on each interface.

Note:

If adding two IP addresses to the detectserver keyword, the ping will be sent to both at the same time, and only when neither server responds will the ping server fail.

Add secondary IPs to any interface and enter detectserver and ha-priority for each of the secondary IPs. It is possible to do this to monitor multiple IP addresses on any interface and set a different HA priority for each one.

Ping server priority and the failover threshold:

When one HA ping server fails, its priority is compared with the failover threshold. If the priority is greater than or equal to the failover threshold, HA remote IP monitoring triggers an HA failover. If the priority is less than the failover threshold, a failover does not occur. If an HA remote IP monitoring configuration includes only one HA ping server, its priority should be the same as or higher than the failover threshold.

When more than one ping server fails, the total of the priorities of the failed ping servers is compared with the failover threshold. An HA failover is triggered only if the total of the priorities is greater than or equal to the failover threshold. If having configured two HA ping servers, both with priorities of 10, and if the failover threshold is 20, an HA failover occurs only when both ping servers fail. If having configured three ping servers all with priorities of 10, and if the failover threshold is 20, a failover occurs if any two ping servers fail. And so on.

By adding multiple ping servers to the remote HA monitoring configuration and setting the HA priorities for each, it is possible to fine-tune remote IP monitoring. For example, if it is more important to maintain connections to some remote IP addresses, it is possible to set the HA priorities higher for these important IP addresses. And if it is less important to maintain connections to other remote IP addresses it is possible to set the HA priorities lower for these. It is also possible to adjust the failover threshold so that if the cluster cannot connect to one or two high-priority IP addresses, a failover occurs. But a failover will not occur if the cluster cannot connect to one or two low-priority IP addresses.

Flip timeout:

The HA remote IP monitoring configuration also involves setting a flip timeout. The flip timeout is required to reduce the frequency of failovers if, after a failover, HA remote IP monitoring on the new primary unit also causes a failover. This can happen if the new primary unit cannot connect to one or more of the monitored remote IP addresses.

The result could be that until the network problem that blocks connections to the remote IP addresses is addressed, the cluster will experience repeated failovers. It is possible to control how often the failovers occur by setting the flip timeout. The flip timeout stops HA remote IP monitoring from causing a failover until the primary unit has been operating for the duration of the flip timeout.

If setting the flip timeout to a relatively high number of minutes, it is possible to find and repair the network problem that prevented the cluster from connecting to the remote IP address without the cluster experiencing very many failovers. Even if it takes a while to detect the problem, repeated failovers at relatively long time intervals do not usually disrupt network traffic.

Detecting HA remote IP monitoring failover:

Just as with any HA failover, it is possible to detect HA remote IP monitoring failovers by using SNMP to monitor for HA traps. It is also possible to use an alert email to receive notifications of HA status changes and monitor log messages for HA failover log messages. In addition, FortiGate units send the critical log message 'Ping Server is down' when a ping server fails. The log message includes the name of the interface that the ping server has been added to.