FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
When a FortiGate HA cluster is operating and a monitored interface fails on the primary unit, the primary unit becomes a subordinate unit and another cluster unit becomes the primary unit.
Normally, after a link failover, the new primary unit sends Gratuitous ARP (GARP) packets to refresh the MAC forwarding tables of the switches connected to the cluster.
In some instances, switches ignore the GARP packets, continue to reference the MAC address learned on the port connected to the failed FortiGate, and keep sending packets to it.
You can use the following command to cause a cluster unit with a monitored interface link failure to briefly shut down all of its interfaces (except the heartbeat interfaces and the HA management interface) after the failover occurs:
config system ha
    set link-failed-signal enable
end
This is as designed and there is no workaround.
With “ha-mgmt-status” disabled, “link-failed-signal” will act on the management interface as well.
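The following is an added audit example, not Fortinet code: it parses a constructed excerpt of a FortiGate configuration backup and flags a cluster that monitors interfaces without link-failed-signal enabled, and notes when a dedicated HA management interface is exempt from the signal. The sample config, the function names and the treatment of a missing link-failed-signal line as "not enabled" are assumptions.

```python
import re

# Constructed sample excerpt of a FortiGate configuration backup (not from a real device).
SAMPLE_CONFIG = """\
config system ha
    set group-name "cluster1"
    set mode a-p
    set hbdev "port9" 50 "port10" 50
    set monitor "port1" "port2"
    set link-failed-signal disable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.0.2.1
        next
    end
end
"""

def parse_system_ha(config_text):
    """Return the 'set' key/values of the top-level 'config system ha' block,
    skipping nested sub-blocks such as 'config ha-mgmt-interfaces'."""
    settings = {}
    depth = 0          # nesting depth relative to the system ha block
    inside = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not inside:
            inside = (line == "config system ha")
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            if depth == 0:
                break  # closing 'end' of 'config system ha'
            depth -= 1
        elif depth == 0 and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            settings[key] = value
    return settings

def audit_link_failover(config_text):
    """Flag monitored interfaces without link-failed-signal (stale switch MAC
    entries after failover) and a dedicated HA mgmt interface exempt from it."""
    ha = parse_system_ha(config_text)
    findings = []
    monitored = re.findall(r'"([^"]+)"', ha.get("monitor", ""))
    if monitored and ha.get("link-failed-signal") != "enable":  # absent treated as not enabled
        findings.append("monitor set (%s) but link-failed-signal is not enabled" % ", ".join(monitored))
    if ha.get("ha-mgmt-status") == "enable":
        findings.append("ha-mgmt-status enabled: dedicated HA mgmt interface is not shut down by link-failed-signal")
    return findings
```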