hannq
New Contributor II

Testing HA Failover with ISP Issues on FortiGate 200E

Hello FortiGate Community,


I’m currently working on configuring two FortiGate 200E firewalls in HA (High Availability) mode and need some guidance. Specifically, I want to understand how the HA setup behaves in a situation where the WAN interface shows as up, indicating a physical connection, but traffic cannot pass through due to an issue with the ISP.

 

Can anyone provide insight into whether the HA failover will still function properly under these conditions?

Thank you for your assistance!

1 Solution
amrit
Staff

It depends on how the HA failover is configured. If monitored interfaces are used and the physical state of a monitored interface changes, it will trigger the HA failover. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Best-Practices-for-Interface-monitoring-po...

You can also configure ping server based monitoring: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-set-HA-ping-server-threshold/ta-p/1...

If no monitor interfaces are configured, then HA failover will not depend upon the interface status.


Amritpal Singh

hannq
New Contributor II

Thank you very much for the insightful responses to my question. The information provided has been incredibly helpful in understanding how the HA setup on FortiGate 200E handles ISP issues.

Vedaant
Staff

Hello @hannq

In this scenario, if the WAN connection is up and there is an issue on the ISP side, the WAN port status is up, so the primary FGT will still forward the traffic on the WAN interface to the next hop (ISP router).

If the WAN interface status is down on the primary FGT and the WAN interface is added in the monitor interface in HA, then it will trigger a failover to the secondary firewall.

If the WAN interface is not added in the monitor interface, then it will not trigger a failover if the WAN interface goes down.

hannq
New Contributor II

Thank you very much for the insightful responses to my question. This information provided has been incredibly helpful in understanding how the HA setup on FortiGate 200E handles ISP issues.
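
The two trigger types described in the replies above, sketched as FortiOS CLI; this is an added example, not configuration posted by anyone in the thread. The interface name wan1, the probe target 203.0.113.1 (a documentation address), the link-monitor name and the numeric values are assumptions, and the # lines are annotations to drop before pasting.

```fortios
# Added example. wan1, 203.0.113.1, "wan1-isp-probe" and all numbers are assumptions.

# 1) Link-state trigger only: the cluster fails over when wan1 loses physical link.
#    An ISP outage behind a link that stays up is not detected by this setting.
config system ha
    set monitor "wan1"
end

# 2) Ping server (remote link) trigger: probe an address that is only reachable
#    when the ISP path actually works, so "link up, no traffic" is detected.
config system link-monitor
    edit "wan1-isp-probe"
        set srcintf "wan1"
        set server "203.0.113.1"
        set protocol ping
        # Consecutive failed probes before the monitor is considered down.
        set failtime 5
        # Weight this monitor contributes toward the HA failover threshold.
        set ha-priority 5
    next
end

config system ha
    # Interface whose link monitors count toward HA failover.
    set pingserver-monitor-interface "wan1"
    # Failover happens once the summed ha-priority of failed monitors
    # reaches this value; here one failed monitor (5) is enough.
    set pingserver-failover-threshold 5
    # Minutes to wait before another ping-server failover, to limit flapping
    # when both units sit behind the same failed ISP path.
    set pingserver-flip-timeout 60
end
```

`get system ha status` and `diagnose sys link-monitor status` show the cluster role and the probe state when testing the failover.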
