Hello FortiGate Community,
I’m currently working on configuring two FortiGate 200E firewalls in HA (High Availability) mode and need some guidance. Specifically, I want to understand how the HA setup behaves in a situation where the WAN interface shows as up, indicating a physical connection, but traffic cannot pass through due to an issue with the ISP.
Can anyone provide insight into whether the HA failover will still function properly under these conditions?
Thank you for your assistance!
It depends on how the HA failover is configured. If monitored interfaces are used and the physical state of a monitored interface changes, it will trigger the HA failover. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Best-Practices-for-Interface-monitoring-po...
You can also configure ping server based monitoring: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-set-HA-ping-server-threshold/ta-p/1...
If no monitor interfaces are configured, then HA failover will not depend upon the interface status.
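For the case in the question (link up, ISP path dead), the two mechanisms named in the answer above can be combined as in this added sketch, which is not part of the original reply or taken from the linked Fortinet articles. The interface name `wan1`, the probe name `wan1-upstream`, the placeholder target `192.0.2.1` and all timer and priority values are assumptions to adapt.

```fortios
# Added example. Assumed: WAN port "wan1", probe name "wan1-upstream",
# probe target 192.0.2.1 (documentation placeholder; use a reachable
# address beyond the ISP router).

# Remote link check: ping a target through wan1 so that an upstream
# outage is detected even while the physical link stays up.
config system link-monitor
    edit "wan1-upstream"
        set srcintf "wan1"
        set server "192.0.2.1"
        set protocol ping
        # consecutive lost probes before the link is declared dead
        set failtime 5
        # consecutive good probes before it is declared alive again
        set recoverytime 5
        # weight this probe contributes toward the HA failover threshold
        set ha-priority 5
    next
end

config system ha
    # Physical link-state monitoring: failover when wan1 goes down.
    set monitor "wan1"
    # Remote link monitoring: let link-monitor results on wan1 count for HA.
    set pingserver-monitor-interface "wan1"
    # Equal to the ha-priority above, so this single failed probe is
    # enough to trigger a failover.
    set pingserver-failover-threshold 5
    # Minutes to wait before another remote-link failover, which limits
    # flapping when both units lose the same upstream.
    set pingserver-flip-timeout 60
end
```

A remote-link failover only restores traffic if the secondary unit has a working upstream path; `get system ha status` shows which unit is currently primary.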
Thank you very much for the insightful responses to my question. The information provided has been incredibly helpful in understanding how the HA setup on FortiGate 200E handles ISP issues.
Hello @hannq,
In this scenario, if the WAN connection is up and there is an issue on the ISP side, the WAN port status is up, so the primary FGT will still forward the traffic on the WAN interface to the next hop (ISP router).
If the WAN interface status is down on the primary FGT and the WAN interface is added as a monitored interface in HA, then it will trigger a failover to the secondary firewall.
If the WAN interface is not added as a monitored interface, then it will not trigger a failover if the WAN interface goes down.
Thank you very much for the insightful responses to my question. This information provided has been incredibly helpful in understanding how the HA setup on FortiGate 200E handles ISP issues.
Copyright 2024 Fortinet, Inc. All Rights Reserved.