sahmed_FTNT
Article Id 415085
Description This article describes VRRP behavior when preempt is disabled, a setting used to avoid network flaps.
Scope FortiGate.
Solution

Note: If preempt mode is disabled, a device with a higher priority will not take over as the primary device again after a failover; it keeps behaving as a backup device.

This avoids an extra failover back to the original primary device and the network flaps that come with it.

VRRP can also be used with non-Fortinet devices to maintain high availability.
In this setup, two Fortinet firewalls are used.
Site A:
config system interface
    edit "port19"
        set vdom "root"
        set ip 192.168.168.11 255.255.255.0
        set allowaccess ping https http
        set type physical
        set vrrp-virtual-mac enable
            config vrrp
                edit 10
                    set vrgrp 10
                    set vrip 192.168.168.15
                    set priority 150
                    set preempt disable
                next
            end
        set snmp-index 19
    next
end
Site B:
config system interface
    edit "port19"
        set vdom "root"
        set ip 192.168.168.10 255.255.255.0
        set allowaccess ping https http
        set type physical
        set vrrp-virtual-mac enable
            config vrrp
                edit 10
                    set vrgrp 10
                    set vrip 192.168.168.15
                    set priority 250
                    set preempt disable
                next
            end
        set snmp-index 19
    next
end

Before the failover, Site B is the primary unit with priority 250:

SiteB # get router info vrrp
Interface: port19, primary IP address: 192.168.168.10
UseVMAC: 1, SoftSW: 0, EmacVlan: 0 BrPortIdx: 0, PromiscCount: 1
HA mode: primary (0:0:1) VRRP primary number: 1
VRID: 10 verion: 2
vrip: 192.168.168.15, priority: 250 (250,0), state: PRIMARY
adv_interval: 1, preempt: 0, ignore_dft: 0 start_time: 3
primary_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:01:0a
vrdst:
vrgrp: 10

Site A is the backup unit with priority 150:

Site-A # get router info vrrp
Interface: port19, primary IP address: 192.168.168.11
UseVMAC: 1, SoftSW: 0, EmacVlan: 0 BrPortIdx: 0, PromiscCount: 0
HA mode: primary (0:0:1) VRRP primary number: 0
VRID: 10 verion: 2
vrip: 192.168.168.15, priority: 150 (150,0), state: BACKUP
adv_interval: 1, preempt: 0, ignore_dft: 0 start_time: 3
primary_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:01:0a
vrdst:
vrgrp: 10

Bring down the VRRP interface on the primary device (Site B) to simulate a failover. Site A takes over as primary:

Site-A # get router info vrrp
Interface: port19, primary IP address: 192.168.168.11
UseVMAC: 1, SoftSW: 0, EmacVlan: 0 BrPortIdx: 0, PromiscCount: 1
HA mode: primary (0:0:1) VRRP primary number: 1
VRID: 10 verion: 2
vrip: 192.168.168.15, priority: 150 (150,0), state: PRIMARY
adv_interval: 1, preempt: 0, ignore_dft: 0 start_time: 3
primary_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:01:0a
vrdst:
vrgrp: 10

Now bring the VRRP interface on the original primary device (Site B) back up. Because preempt is disabled, Site B stays in the BACKUP state even though its priority is higher:

SiteB # get router info vrrp
Interface: port19, primary IP address: 192.168.168.10
UseVMAC: 1, SoftSW: 0, EmacVlan: 0 BrPortIdx: 0, PromiscCount: 0
HA mode: primary (0:0:1) VRRP primary number: 0
VRID: 10 verion: 2
vrip: 192.168.168.15, priority: 250 (250,0), state: BACKUP
adv_interval: 1, preempt: 0, ignore_dft: 0 start_time: 3
primary_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:01:0a
vrdst:
vrgrp: 10

Because the preempt option is disabled, Site A remains the primary unit for traffic until the next failover happens.
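To make this state visible in monitoring, the following added example (not code from the article or from FortiOS) parses the `get router info vrrp` output of both units and reports why a higher-priority unit is sitting in BACKUP: the expected preempt-disabled case, or the unexpected case where preempt is enabled and the unit should already have taken over. The unit names and the trimmed sample output are constructed from the article's format.

```python
import re

# Constructed sample in the format of "get router info vrrp", trimmed to the lines the parser reads.
OUTPUTS = {
    "Site-A": "VRID: 10 verion: 2\n"
              "vrip: 192.168.168.15, priority: 150 (150,0), state: PRIMARY\n"
              "adv_interval: 1, preempt: 0, ignore_dft: 0 start_time: 3\n",
    "SiteB": "VRID: 10 verion: 2\n"
             "vrip: 192.168.168.15, priority: 250 (250,0), state: BACKUP\n"
             "adv_interval: 1, preempt: 0, ignore_dft: 0 start_time: 3\n",
}

def parse_vrrp(output):
    """Parse FortiOS 'get router info vrrp' text into {vrid: {priority, state, preempt}}."""
    groups, cur = {}, {}          # lines before the first VRID land in a throwaway dict
    for line in output.splitlines():
        m = re.match(r"VRID:\s*(\d+)", line)
        if m:                       # each VRID block starts with its VRID line
            cur = groups.setdefault(int(m.group(1)), {})
            continue
        m = re.search(r"priority:\s*(\d+)\s*\(\d+,\d+\),\s*state:\s*(\w+)", line)
        if m:
            cur["priority"], cur["state"] = int(m.group(1)), m.group(2)
        m = re.search(r"preempt:\s*([01])", line)
        if m:
            cur["preempt"] = m.group(1) == "1"   # "preempt: 0" means disabled
    return groups

def check_group(vrid, units):
    """units: {unit name: parsed data for vrid}. Returns a list of findings."""
    primaries = [n for n, u in units.items() if u["state"] == "PRIMARY"]
    if len(primaries) != 1:
        return [f"VRID {vrid}: expected exactly one PRIMARY, found {primaries}"]
    prim, findings = primaries[0], []
    for name, u in units.items():
        if u["state"] == "BACKUP" and u["priority"] > units[prim]["priority"]:
            if u["preempt"]:   # should have taken over already; likely not hearing the primary
                findings.append(f"VRID {vrid}: {name} outranks {prim} with preempt enabled "
                                "but is still BACKUP; verify it receives advertisements")
            else:              # the documented preempt-disabled behaviour: no automatic failback
                findings.append(f"VRID {vrid}: {name} outranks {prim} but preempt is disabled; "
                                "failback to it needs a deliberate failover")
    return findings

def audit(outputs):
    """outputs: {unit name: CLI text}. Checks every VRID present on all units."""
    parsed = {n: parse_vrrp(t) for n, t in outputs.items()}
    vrids = set.intersection(*(set(p) for p in parsed.values()))
    return [f for v in sorted(vrids) for f in check_group(v, {n: p[v] for n, p in parsed.items()})]
```

Run `audit(OUTPUTS)` against the sample to get the single preempt-disabled finding; feeding it real output collected from both units turns the article's "remains primary until the next failover" behaviour into an explicit alert instead of a surprise during the next outage.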