Description
This article explains an HA configuration option that can be used to trigger a failover when pings to a target destination are lost.
Scope
FortiGate.
Solution
In the HA configuration, the 'set monitor' option monitors a physical interface and triggers a failover if that local interface of the FortiGate goes DOWN.
It is also possible to use the 'pingserver' options together with the 'gwdetect' configuration to trigger a failover if pings to a target destination are lost.
This covers the case where the failure is not on the FortiGate itself but somewhere on the path to the destination. In this case the FortiGate is expected to fail over to the second unit of the cluster, which has another path to the target.
In the HA configuration, configure these options:
config system ha
    ...
    set pingserver-monitor-interface "Vlan10" "Vlan11" <----- The interfaces from which pings will be sent to the target (one gwdetect entry per interface).
    set pingserver-failover-threshold 10 <----- The HA weight at which a failover is triggered. This value is compared against the sum of the 'ha-priority' values configured in 'router gwdetect'.
    set pingserver-flip-timeout 6 <----- Prevents a failover from happening before this timeout (in minutes) is reached when both units of the cluster cannot reach the target.
end
This is the configuration required to configure ping to a target and associate a weight for the HA:
config router gwdetect
    edit 1
        set failtime 3
        set ha-priority 5 <----- If this ping is lost, it adds a weight of 5 to the global HA weight.
        set interface "Vlan10"
        set server "10.10.10.1"
    next
    edit 2
        set failtime 3
        set ha-priority 5 <----- If this ping is lost, it adds a weight of 5 to the global HA weight.
        set interface "Vlan11"
        set server "11.11.11.1"
    next
end
With the above configuration, if both pings are lost the HA weight is 5+5 = 10, and a failover is triggered because 'pingserver-failover-threshold' was set to 10. If only one ping is lost, the weight is 5 and no failover occurs.
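The following is an added model, not FortiOS code, that walks through the weight logic described above: each gwdetect entry contributes its 'ha-priority' to the unit's HA weight once 'failtime' consecutive pings are missed, a failover becomes eligible when the weight reaches 'pingserver-failover-threshold', and the flip timeout holds the cluster in place when both units have lost the target. The entry names, the FGT-A/FGT-B unit names and the ping outcomes are constructed for the example; the real cluster election is more involved than this simplified decision function.

```python
"""Simplified model of the FortiGate HA pingserver failover decision.

Constructed example: it follows the rules described in the article and is
not the FortiOS implementation. Ping outcomes are fed in by the caller.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class GwDetect:
    """One 'config router gwdetect' entry plus its consecutive-miss counter."""
    name: str
    interface: str
    server: str
    ha_priority: int   # weight added to the HA weight when this entry fails
    failtime: int      # consecutive lost pings before the entry is 'failed'
    missed: int = 0    # constructed runtime state, not a config attribute

    def record(self, reply: bool) -> None:
        """Record one ping result; a reply resets the miss counter."""
        self.missed = 0 if reply else self.missed + 1

    @property
    def failed(self) -> bool:
        return self.missed >= self.failtime


@dataclass
class HaUnit:
    """One cluster member with its monitored gateways."""
    name: str
    monitors: list[GwDetect]

    def weight(self) -> int:
        """Sum of ha-priority over all entries currently in the failed state."""
        return sum(m.ha_priority for m in self.monitors if m.failed)


def page_config(unit_name: str) -> HaUnit:
    """The two gwdetect entries from the article (threshold is applied by the caller)."""
    return HaUnit(unit_name, [
        GwDetect("1", "Vlan10", "10.10.10.1", ha_priority=5, failtime=3),
        GwDetect("2", "Vlan11", "11.11.11.1", ha_priority=5, failtime=3),
    ])


def feed(unit: HaUnit, results: list[tuple[str, bool]]) -> int:
    """Apply constructed ping outcomes (entry name, reply received) and return the new weight."""
    by_name = {m.name: m for m in unit.monitors}
    for name, ok in results:
        by_name[name].record(ok)
    return unit.weight()


def should_failover(primary: HaUnit, secondary: HaUnit, threshold: int,
                    flip_timeout_min: int, minutes_since_last_failover: int) -> bool:
    """Decide whether the primary hands over to the secondary.

    - below the threshold nothing happens;
    - if the secondary has also reached the threshold, both units lost the
      target, and the flip timeout must have elapsed before flipping again;
    - otherwise fail over immediately.
    """
    if primary.weight() < threshold:
        return False
    if secondary.weight() >= threshold:
        return minutes_since_last_failover >= flip_timeout_min
    return True


if __name__ == "__main__":
    a, b = page_config("FGT-A"), page_config("FGT-B")
    # Vlan10 target lost three times on the primary: weight 5, no failover yet.
    print(feed(a, [("1", False)] * 3), should_failover(a, b, 10, 6, 0))
    # Vlan11 target lost as well: weight 10, failover to FGT-B.
    print(feed(a, [("2", False)] * 3), should_failover(a, b, 10, 6, 0))
```

Run the block directly to see the two decision points from the article; the first line prints a weight of 5 with no failover, the second a weight of 10 with a failover.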
As of FortiOS 5.2 and later, the command 'config router gwdetect' has been deprecated and replaced by 'config system link-monitor'. See the following article to set up a link-monitor: Technical Tip: Link-Monitor Explained.