Created on 10-20-2020 06:47 AM
Edited on 04-25-2025 07:52 AM
By Jean-Philippe_P
Description
This article explains the best practices for interface monitoring (port monitoring) in FGCP high availability.
Scope
FortiGate.
Solution
Fortinet suggests the following practices related to interface monitoring (also called port monitoring):
- Wait until a cluster is up and running and all interfaces are connected before enabling interface monitoring. A monitored interface can easily become disconnected during initial setup and cause failovers to occur before the cluster is fully configured and tested.
- Monitor interfaces connected to networks that process high-priority traffic so that the cluster maintains connections to these networks if a failure occurs.
- Avoid configuring interface monitoring for all interfaces.
- Supplement interface monitoring with remote link failover. Configure remote link failover to maintain packet flow if a link not directly connected to a cluster unit (for example, between a switch connected to a cluster interface and the network) fails.
Interfaces that cannot be used for link monitoring.
The following interfaces cannot be selected or added as link monitoring interfaces:
- VLAN subinterface.
- IPsec VPN interface.
- Individual physical interfaces that have been added to a redundant or 802.3ad aggregate interface.
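An offline check of a saved configuration against the practices and restrictions above, as an added example (not Fortinet's code). It assumes a non-VDOM backup in the usual `config`/`edit`/`set` layout, that VLANs carry `set vlanid`, that tunnel interfaces carry `set type tunnel`, and that remote link failover appears as `pingserver-monitor-interface` under `config system ha`; the function name and sample are hypothetical.

```python
# Constructed, trimmed FortiOS-style config; all interface names are illustrative.
SAMPLE = """
config system interface
    edit "port1"
    next
    edit "port2"
    next
    edit "agg1"
        set type aggregate
        set member "port2"
    next
    edit "vlan10"
        set vlanid 10
    next
    edit "vpn1"
        set type tunnel
    next
end
config system ha
    set monitor "port1" "port2" "vlan10" "vpn1"
end
"""
def audit(config):
    """Check the HA `set monitor` list against the article (non-VDOM config assumed)."""
    depth, section, name, ifaces, ha = 0, "", "", {}, {}
    for line in config.splitlines():
        tok = line.replace('"', "").split() or [""]
        if tok[0] == "config":  # only top-level sections are tracked
            depth += 1
            section = " ".join(tok[1:]) if depth == 1 else section
        elif tok[0] == "end":
            depth -= 1
        elif tok[0] == "edit" and depth == 1:
            name = tok[1]
        elif tok[0] == "set" and depth == 1 and section == "system interface":
            ifaces.setdefault(name, {})[tok[1]] = tok[2:]
        elif tok[0] == "set" and depth == 1 and section == "system ha":
            ha[tok[1]] = tok[2:]
    members, out = {m for i in ifaces.values() for m in i.get("member", [])}, []
    for m in ha.get("monitor", []):
        i = ifaces.get(m, {})
        why = ("VLAN subinterface" if "vlanid" in i else
               "tunnel (IPsec VPN) interface" if i.get("type") == ["tunnel"] else
               "member of an aggregate/redundant interface" if m in members else "")
        if why:
            out.append(f"{m}: {why}")
    if ha.get("monitor") and "pingserver-monitor-interface" not in ha:
        out.append("no remote link failover (pingserver-monitor-interface) set")
    return out
```

Calling `audit(SAMPLE)` returns one finding per monitored interface that falls into an excluded category, plus a note when interface monitoring is not supplemented by remote link failover.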