FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes the behaviour of the HA “link-failed-signal” which brings all interfaces of a unit if a monitored link is detected as down.

However if the FortiGate
HA clusters units are managed through a dedicated network management interface, this interface will not be brought down.
config system ha
    set link-failed-signal enable
    set ha-mgmt-interface "mgmt"

Refer to the High Availability section of the OnLine Help guide.

When a FortiGate HA cluster is operating and a monitored interface fails on the primary unit, the primary unit becomes a subordinate unit and another cluster unit becomes the primary unit.

Normally, after a link failover, the new primary unit sends Gratuitous ARP (GARP) packets to refresh the MAC forwarding tables of the switches connected to the cluster.

In some instances switches ignore the GARP packets and continue to reference the MAC address for the port the on the
failed FortiGate
and will keep sending packets.

You can use the following command to cause a cluster unit with a monitored interface link failure to briefly shut down all of its interfaces (except the heartbeat interfaces and HA mgmt Interface) after the failover occurs:
config system ha
set link-failed-signal enable

This is as designed and there is no workaround.

Disabling “ha-mgmt-status” and “link-failed-signal” will work on the management interface.

Problem Verification
Execute the following command and check output1.
diag debug app hatalk -1

Related Articles

Technical Tip: Updating MAC forwarding tables when an HA link failover occurs