I have an architecture where the ISP is directly connected to ISP-sw1, and from there one cable goes to the primary firewall and a second cable goes to the secondary firewall.
Similarly, I have a secondary ISP link connected to ISP-sw2, and from there one cable goes to the primary and a second cable goes to the secondary.
I want to configure link monitor on the WAN interfaces (2 and 6) of the firewalls for HA failover, as the current FortiOS has a bug: the port will always stay up even if we remove the cable.
I want to make the firewall fail over in case the firewall does not receive 10 ICMP replies on the WAN links (2 and 6).
So, my question is: if the ISP link goes down from the ISP side, then the primary firewall will do the failover, but the secondary firewall (which will be primary after the failover) will also see that the link is down and will do the failover as well.
Am I correct on the above statement? If it is true, then the firewall will do the failover every time, after 10 RTO.
Kindly correct me on my statement. Thanks, attached is the snapshot.
In this case, I would connect port 2 and port 6 each to a different switch and create an LACP on both sides; then you would not need to monitor your ISP, since both FWs will have a connection to either SW1, where ISP-A is, or SW2, where ISP-B is.
You would need to ensure that you either have an SD-WAN Zone created/configured for both ISP links, or create a link-monitor to see when one of them goes down and switch to the other.
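The link-monitor part of this advice, as an added example that is not from either poster: one ICMP monitor per WAN port with a 10-probe fail count, tied into HA with a flip timeout so an outage both units see identically does not cause the flapping the question worries about. Interface names port2/port6 and the probed next-hop addresses are assumptions.

```fortios
# Added example configuration, not from the original thread.
# Assumed: port2 and port6 are the WAN interfaces; 198.51.100.1 and
# 203.0.113.1 are the ISP-side next-hops (documentation ranges).

# One ping monitor per WAN link. failtime 10 = ten consecutive lost
# replies before the link is declared down; recoverytime 5 = five
# good replies before it is declared up again.
config system link-monitor
    edit "mon-isp-a"
        set srcintf "port2"
        set server "198.51.100.1"
        set protocol ping
        set failtime 10
        set recoverytime 5
        set ha-priority 1
        set update-static-route enable
    next
    edit "mon-isp-b"
        set srcintf "port6"
        set server "203.0.113.1"
        set protocol ping
        set failtime 10
        set recoverytime 5
        set ha-priority 1
        set update-static-route enable
    next
end

# Feed the monitors into HA. With failover-threshold 0 a single failed
# monitor (ha-priority 1) triggers failover. flip-timeout is in minutes:
# after one monitor-driven failover the cluster will not flip again on
# the same monitors until it expires, which caps the flapping that an
# ISP-side outage seen by both units would otherwise cause.
config system ha
    set pingserver-monitor-interface "port2" "port6"
    set pingserver-failover-threshold 0
    set pingserver-flip-timeout 60
end
```

Check behaviour with `diagnose sys link-monitor status` and `diagnose sys ha status` on both units while one ISP link is pulled at the switch side.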