Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

HA Configuration with Backup VPN



After some advice please.


I have 4 firewalls, 2 in active-passive HA at the each ends of a private link. To cater for this private link going down we have a backup VPN configured which is working fine should the primary link fail.


My question is surrounding my HA setup. How do i cater for essentially a total box failover......should my primary private link go down i have my backup VPN, i don't want HA to think the box has failed as this link failure is cater for with the backup VPN - i dont want a renegotiate of the cluster.


What settings do i need on my cluster to just have it monitor total firewall loss and not any type of interface i just monitor all interfaces ?


Thanks in advance.



New Contributor

Not sure I got you. Why would the FGT will think of failed box if only the VPN dropped ?

//Chura CCIE, NSE7, CCSE+

//Chura CCIE, NSE7, CCSE+

By default complete system failure will always cause the Secondary to become master as it will not receive heartbeats.

You can just monitor the interfaces and interface goes down physically then HA failover will occur (You can also set weights to influence the failover deepening on number of failed interface)


Unless you configure remote ip monitoring the vpn or internet connection failure will not cause HA renegotiation.


So in your case the best option will be only monitor interfaces.

New Contributor

thanks for the replies.


the way i understand things that is if the interface is set to be monitored and the link goes down and HA failover will occur. this link going down could be due to the ISP and not the firewall failing. So as i say if my primary link goes down my backup VPN kicks in (with remote IP monitoring setup) - i dont want a HA failover at this point as the firewall is still working well and only the primary link has failed.


I think i will have it set up just monitoring one of my interfaces in the LAN which is an SFP so suppose it makes sense to have this monitored as the SFP could fail and i would then want a HA event to take place.


Thanks for the help.

Esteemed Contributor III

Not sure what you mean by a total firewall failure, but if that happens the HA link would be down also, right ?. So can you explain what you mean by that?


On the monitor interface(s), you should only monitor interfaces that you want HA action to take place on.


Suggestion if you want to ensure a total box is down approach, I would look at a pair of secondary heart-beat interface. This would be use in the last resort take approach if the primary HA heartbeat goes down. Just be smart about it and ensure if your wiring thru a switch, that you don't place it in the same path of  the 1st primary HA heartbeat.


Also it's still  FTNT approach to place all HA functions on interfaces outside of the normal traffic flow. What I've been doing lately on FGTs and even cisco ASAs, are to run the failover in a etherbundle. This has been very helpful with providing redundancy in the HA heartbeat link.










PCNSE NSE StrongSwan
New Contributor

Thanks for all the advice,


i've got 2 heartbeats connected via cross over cables from mgmt1 and mgmt2. I'm only monitoring my lan interface so if the wan interfaces go down i dont see a failover.




Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors