Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Shantilal1998
New Contributor III

HA Failover due to link monitoring..

Hi Guys,

 

I have an architecture where ISP is directly connected ISP-sw1 & then from there one cable goes to Primary firewall & second cable goes to secondary firewall.

Same I have secondary ISP link and is connected to ISP-sw2 & then from there one cable goes to primary and second cable goes to secondary.

 

I want to configure link monitor on WAN interface (2 and 6) of firewalls for HA failover as the current FortiOS has a bug, Bug is the port will always up even we remove the cable.

 

I want to make the firewall failover in case firewall does not receive 10 ICMP reply on wan links (2 and 6) .

 

So, My question is, If the ISP link goes down from ISP side then the primary firewall will do the failover but on the secondary firewall (which will be primary after the failover) will also check that the link is down & it will do the failover.

 

Am i correct on the above statement. If it is true then the firewall will do the failover every time. after 10 RTO.

 

Kindly correct me on my statement. Thanks,  Attached is the snapshot.Diagram.PNG

3 REPLIES 3
funkylicious
Contributor III

Are those switches standalone or part of a stack ?

And if standalone, are the interfaces configured in LACP/aggregate or alone.

geek
geek
Shantilal1998

Switches are in stack.

funkylicious

In this case, I would connect port 2 and port 6, each in a different switch and create a LACP on both sides and then you would not need to monitor your ISP since both FW's will have a connection in either SW1 where ISP-A is or SW2 or ISP-B.


You would need to ensure that you either have a SD-WAN Zone created/configured for them both IPS links, or create a link-monitor to see when one of them goes down to switch to the other.

 

geek
geek
Labels
Top Kudoed Authors