Fortigate HA port monitoring
Hello, we have two 500D Fortigates in an HA Master / Slave relationship. They both have two redundant, identical uplink WAN connections (ports 13 and 14) and two redundant, identical LAN connections (ports 1 and 3). Ports 15 and 16 are the HA heartbeat links between both members of the cluster. In our situation, is there any advantage to us configuring link failover (port monitoring / interface monitoring)?
I was thinking if the master Fortigate lost both LAN or WAN ports then the cluster would not fail over because the heartbeats would still be working, however if we had port monitoring in place, then failover would occur. Does anyone agree with this? See attached screenshot.
Thank you kindly for any advice.
You would need port monitoring on both sides, as well as link-monitoring to the PE or anything that should be reachable in a normal situation. If you have one primary master (override enable, priority high) you need link-monitoring on primary wan-link only.
If something happens on your main link, that does not take down the interface (i.e. link-down beyond first node), link-monitor will save your ass.
-- Bjørn Tore
If port monitoring is enabled on any of the desired interface(s), a link failure will be detected (assuming we are discussing an active-standby HA scenario) and then whichever is the master unit will assume a backup/standby role.
Thank you
I have to agree with BTP, you want both.
PCNSE
NSE
StrongSwan
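
A FortiOS CLI sketch of the combination recommended in the replies (interface monitoring plus a link-monitor on the primary WAN link), added here as an illustration and not taken from any poster's configuration. The port numbers come from the original question; the priority, thresholds, timers, the monitor name `wan-pe` and the PE address 192.0.2.1 (a documentation-range placeholder) are assumptions, and the `#` lines are annotations for the reader.

```fortios
# HA settings on the intended primary unit
config system ha
    set mode a-p
    # Heartbeat links named in the question
    set hbdev "port15" 50 "port16" 50
    # "One primary master" as described in the reply: override on, high priority
    set override enable
    set priority 200
    # Port (interface) monitoring: a link-down on a monitored port counts
    # against this unit even though the heartbeats are still healthy
    set monitor "port1" "port3" "port13" "port14"
    # Remote-IP monitoring: let a failed link-monitor on port13 trigger failover
    set pingserver-monitor-interface "port13"
    set pingserver-failover-threshold 5
    # Minutes to wait before another link-monitor-driven failover (assumed value)
    set pingserver-flip-timeout 60
end

# Link-monitor towards the PE: catches failures beyond the first hop,
# where the local interface stays up
config system link-monitor
    edit "wan-pe"
        set srcintf "port13"
        # Placeholder address; use something that is always reachable
        # when the WAN path is healthy
        set server "192.0.2.1"
        set protocol ping
        # Consecutive failed / successful probes before the state changes
        set failtime 5
        set recoverytime 5
        # Weight counted against pingserver-failover-threshold when this
        # monitor fails (10 is above the threshold of 5 set above)
        set ha-priority 10
    next
end
```

After applying something like this, `get system ha status` and `diagnose sys link-monitor status` show the HA role and the probe state, which is worth checking before and after a controlled cable pull during a maintenance window.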
