Testing HA Failover with ISP Issues on FortiGate 200E
Hello FortiGate Community,
I’m currently working on configuring two FortiGate 200E firewalls in HA (High Availability) mode and need some guidance. Specifically, I want to understand how the HA setup behaves in a situation where the WAN interface shows as up, indicating a physical connection, but traffic cannot pass through due to an issue with the ISP.
Can anyone provide insight into whether the HA failover will still function properly under these conditions?
Thank you for your assistance!
It depends on how the HA failover is configured. If monitored interfaces are used and the physical state of a monitored interface changes, it will trigger the HA failover. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Best-Practices-for-Interface-monitoring-po...
You can also configure ping server based monitoring: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-set-HA-ping-server-threshold/ta-p/1...
If no monitor interfaces are configured, then HA failover will not depend upon the interface status.
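An added configuration sketch (not part of the replies in this thread) for the case in the question, where the WAN link stays up but the ISP path is dead: physical interface monitoring combined with ping server monitoring. The interface name `wan1`, the probe address `192.0.2.1`, the monitor name and the numeric values are assumptions; lines starting with `#` are annotations, and option availability should be checked against the running FortiOS version.

```fortios
# HA settings: watch the physical link AND the result of the ping server.
config system ha
    # Physical-state monitoring: failover when wan1 loses link.
    set monitor "wan1"
    # Ping server monitoring: failover when probes through wan1 fail,
    # even though the port itself still shows as up.
    set pingserver-monitor-interface "wan1"
    # Failover happens once the summed ha-priority of failed
    # link monitors reaches this threshold (assumed value).
    set pingserver-failover-threshold 5
    # Minutes to wait before another ping-server failover is allowed,
    # which limits flapping if both units see the same ISP outage (assumed value).
    set pingserver-flip-timeout 120
end

# The probe itself: ping a host beyond the ISP router through wan1.
config system link-monitor
    edit "ha-wan1-probe"
        set srcintf "wan1"
        # Placeholder address (assumption): use a stable host past the ISP next hop.
        set server "192.0.2.1"
        set protocol ping
        # Consecutive lost probes before the monitor is marked failed (assumed value).
        set failtime 5
        # Weight added toward pingserver-failover-threshold when this probe fails.
        set ha-priority 5
    next
end
```

If both cluster members reach the Internet through the same ISP, a failover will not restore connectivity, so the flip timeout matters more than the threshold in that design.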
Thank you very much for the insightful responses to my question. The information provided has been incredibly helpful in understanding how the HA setup on FortiGate 200E handles ISP issues.
Hello @hannq,
In this scenario, if the WAN connection is up and there is an issue on the ISP side, the WAN port status is up, so the primary FGT will still forward the traffic on the WAN interface to the next hop (ISP router).
If the WAN interface status is down on the primary FGT and the WAN interface is added in the monitor interface in HA, then it will trigger a failover to the secondary firewall.
If the WAN interface is not added in the monitor interface, then it will not trigger a failover if the WAN interface goes down.
Thank you very much for the insightful responses to my question. This information provided has been incredibly helpful in understanding how the HA setup on FortiGate 200E handles ISP issues.