Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
akileshc
Staff
Staff

Created on ‎02-28-2025 05:30 AM Edited on ‎01-01-2026 02:05 PM By Community Manager

Article Id 379502

Technical Tip: Configuring HA Monitored Interfaces for failover

Description This article describes sets to configure interface monitoring on a Fortinet High Availability (HA) cluster. 
Scope FortiOS.
Solution

When a monitored interface goes down, it triggers a failover, which causes the cluster to renegotiate and re-select the primary unit.

 

Prerequisites:

  • A Fortinet HA cluster is already configured.
  • The devices in the cluster are running the same firmware version, and the configurations are synchronized.
  • Proper HA settings (for example, heartbeat interfaces and session synchronization) are in place.

 

Configuration:
To configure interface monitoring for HA failover, use the following CLI command:


config system ha
    set monitor "interface_name"
end

 

Replace 'interface_name' with the name of the interface desired to be monitored (for example, wan1, port1, etc).

To configure interface monitoring for HA failover, use the following steps in the GUI:

Go to System -> HA -> Monitored Interfaces, select the interface, and save the changes.

 

HA_Monitoring_Interface.png

 

Monitoring Interfaces and failover:
Regardless of whether the override is enabled or disabled, the first criterion for primary unit selection will always be based on the number of operationally UP-monitored interfaces. The device with the highest UP monitored interfaces is selected as the primary, and failover occurs if the number of monitored interfaces down is higher on the Master device than on the Slave.

 

Best Practice:

  • The heartbeat (hbdev) interface should be excluded from monitoring.
  • Monitored interfaces may disconnect during setup, causing premature failovers. Configure the monitor interfaces only after the HA cluster is fully set up, synchronized, and operational.
  • Monitor only critical interfaces handling high-priority traffic and avoid monitoring all interfaces.

 

Unfortunately, if there are multiple monitor interfaces, failover with a threshold is not available. Only the ping server can have a failover with a threshold.

Important Note:
Excluding the WAN interfaces from HA cluster monitoring is also a best practice, as if an ISP-related issue affects the WAN link, the FortiGate will report monitored-interface-down alert repeatedly, which will also cause the HA cluster to fluctuate until the interface stabilizes. 


To address this issue, the HA failover delay can be configured when a monitored interface goes down by following the link provided below.
Technical Tip: How to configure HA failover delay for monitored ports 

Example:

If a WAN interface (for example, wan1) goes down due to an unstable or flapping connection, the FortiGate will repeatedly detect the interface as down. This condition can trigger continuous HA synchronisation disruptions and cause instability within the HA cluster.

# config system ha
set group-name "HA Cluster"
set hbdev "ha1" 0 "ha2" 0
set monitor "dmz" "wan1" <============
MONDEV stats: FG100ETK180*****(updated 1 seconds ago):
dmz: physical/1000auto, up, rx-bytes/packets/dropped/errors=3459726337/1363011546/0/0, tx=580533233/1801814379/0/0.
wan1: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0.
FG100ETK180***** (updated 3 seconds ago). <===========


Related articles:
9593
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.