kltam
Staff
Article Id 408428
Description This article describes a limitation of the fail-detect feature on FortiGate: it was not designed for recursive use, that is, two interfaces that each monitor the other. It explains why such a setup may work as expected or behave unexpectedly, and how to proceed.
Scope FortiGate.
Solution
  1. The concept of the fail-detect feature is described here:

Failure detection for aggregate and redundant interfaces

 

  2. The fail-detect feature was not designed to handle recursive fail-detect alerts. When it is enabled on two Link Aggregation Control Protocol (LACP) aggregate interfaces that monitor each other, a failure on one interface brings the other down with the link-down alert method, which in turn triggers that interface's own fail-detect action against the first. Behavior in this loop is not guaranteed: it may work as expected or exhibit unexpected behavior.

 

Example of a recursive configuration (agg1 and agg2 each list the other as a fail-alert interface):

config system interface
    edit "agg1"
        set vdom "root"
        set fail-detect enable
        set fail-alert-method link-down
        set fail-alert-interfaces "agg2"
        set type aggregate
        set member "port1" "port2"
    next
    edit "agg2"
        set vdom "root"
        set fail-detect enable
        set fail-alert-method link-down
        set fail-alert-interfaces "agg1"
        set type aggregate
        set member "port3" "port4"
    next
end

Note: the block above is in the order the CLI shows it. When typing it in, "agg2" must already exist before "set fail-alert-interfaces "agg2"" is accepted under "agg1", so the two aggregate interfaces are created first and the fail-detect settings are added afterwards. The cross-reference between the two interfaces is what makes the configuration recursive.
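The script below is an added example, not Fortinet code, for auditing a FortiOS configuration backup before this situation arises. It parses the "config system interface" table, builds a directed graph from every interface with fail-detect enabled to the interfaces named in its fail-alert-interfaces, and reports every cycle. It generalizes the two-interface case above: any ring of interfaces monitoring each other is reported, while a one-way setup (agg3 monitors agg4, agg4 monitors nothing) is not. The sample configuration embedded in it is constructed for the example.

```python
"""Audit a FortiOS CLI dump for recursive fail-detect configuration.

Added example, not Fortinet code.  Reads `config system interface`, builds
a directed graph monitor -> fail-alert-interfaces for every interface with
`set fail-detect enable`, and reports every cycle in that graph.
"""
import shlex
from typing import Dict, List, Set

Settings = Dict[str, List[str]]


def parse_system_interface(config_text: str) -> Dict[str, Settings]:
    """Return {interface_name: {setting: [values]}} from `config system interface`.

    Only that table is read.  Sub-tables nested inside an `edit` block
    (for example `config ipv6`) are skipped rather than misread as settings.
    """
    interfaces: Dict[str, Settings] = {}
    in_table = False
    depth = 0            # nesting level of sub-tables inside the current edit
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)        # honours the CLI's double quotes
        if not in_table:
            in_table = tokens[:3] == ["config", "system", "interface"]
            continue
        if tokens[0] == "config":
            depth += 1
        elif tokens[0] == "end":
            if depth:
                depth -= 1
            else:
                in_table = False          # end of the system interface table
        elif depth:
            continue                      # inside a nested sub-table
        elif tokens[0] == "edit":
            current = tokens[1]
            interfaces[current] = {}
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "set" and current is not None:
            interfaces[current][tokens[1]] = tokens[2:]
    return interfaces


def fail_alert_graph(interfaces: Dict[str, Settings]) -> Dict[str, Set[str]]:
    """Edges monitor -> target for every interface with fail-detect enabled."""
    graph: Dict[str, Set[str]] = {}
    for name, settings in interfaces.items():
        if settings.get("fail-detect") == ["enable"]:
            graph[name] = set(settings.get("fail-alert-interfaces", []))
    return graph


def find_recursive_chains(graph: Dict[str, Set[str]]) -> List[List[str]]:
    """Return every directed cycle, each listed once from its smallest member."""
    cycles: List[List[str]] = []

    def walk(start: str, node: str, path: List[str]) -> None:
        for nxt in sorted(graph.get(node, ())):
            if nxt == start:
                if min(path) == start:    # report each cycle exactly once
                    cycles.append(list(path))
            elif nxt not in path:
                walk(start, nxt, path + [nxt])

    for start in sorted(graph):
        walk(start, start, [start])
    return cycles


def audit(config_text: str) -> List[List[str]]:
    """Recursive fail-detect chains found in a FortiOS config dump."""
    return find_recursive_chains(fail_alert_graph(parse_system_interface(config_text)))


# Constructed sample: agg1/agg2 monitor each other (recursive), agg3 monitors
# agg4 one way (fine), and agg4 carries a nested sub-table the parser must skip.
SAMPLE_CONFIG = """\
config system interface
    edit "agg1"
        set vdom "root"
        set fail-detect enable
        set fail-alert-method link-down
        set fail-alert-interfaces "agg2"
        set type aggregate
        set member "port1" "port2"
    next
    edit "agg2"
        set vdom "root"
        set fail-detect enable
        set fail-alert-method link-down
        set fail-alert-interfaces "agg1"
        set type aggregate
        set member "port3" "port4"
    next
    edit "agg3"
        set fail-detect enable
        set fail-alert-method link-down
        set fail-alert-interfaces "agg4"
        set type aggregate
        set member "port5" "port6"
    next
    edit "agg4"
        set type aggregate
        set member "port7" "port8"
        config ipv6
            set ip6-mode static
        end
    next
end
"""

if __name__ == "__main__":
    chains = audit(SAMPLE_CONFIG)
    if not chains:
        print("no recursive fail-detect chains found")
    for chain in chains:
        print("recursive fail-detect: " + " -> ".join(chain + [chain[0]]))
```

Run it against the output of "show system interface" saved to a file and pipe that file into audit(); on the sample it reports "recursive fail-detect: agg1 -> agg2 -> agg1" and stays silent about agg3 and agg4.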

 

  3. In general, the expected reaction time of fail-detect is around 2 seconds, as tested and documented in the KB article below:

Technical Tip: What is the reaction time of fail-detect

 

With a recursive fail-detect configuration, however, the reaction time can be delayed to roughly 10 seconds. The delay is usually observed on first setup or after a device reboot.

 

  4. To address this limitation, FortiGate users can submit a New Feature Request (NFR) for recursive fail-detect support through their Fortinet sales team.