jimmyd4ng3r wrote:
Hi, I have two FortiGates protecting two subnets. The primary FortiGate has a higher priority for both interfaces than the secondary firewall. How do I set up VRRP so that if one of the interfaces on the primary FortiGate drops, the secondary takes over the primary role for BOTH subnets? At the moment, the way I see it, if only one interface drops on the primary, it shall still be the master for the other network and thus create asymmetric routing. In the Cisco world, you would track the other interface as well, but there doesn't seem to be a solution in the FortiGate world that I can see. Also, can someone tell me more about the vrdst option?
Hi,
It depends on which version your FortiGate is running.
But in 5.2 there is a new parameter, "vrgrp". With it you can put all your VRRP interfaces in the same group; this way the state is tracked and all the VRRP interfaces in the same group will fail back.
Regards
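A sketch of the vrgrp setup described in the reply above, added here as an illustration and not posted by any participant in this thread. The interface names, addresses, VRIDs, priority and group number are constructed, and the syntax should be checked against the CLI reference for the FortiOS version in use.

```fortios
# Primary FortiGate (constructed example values throughout).
# Both VRRP routers carry the same vrgrp number so that, as the reply
# describes, their state is tracked together.
config system interface
    edit "port1"
        # Interface facing subnet A
        set ip 10.10.1.2 255.255.255.0
        config vrrp
            edit 1
                set vrgrp 1
                set vrip 10.10.1.1
                set priority 200
            next
        end
    next
    edit "port2"
        # Interface facing subnet B
        set ip 10.10.2.2 255.255.255.0
        config vrrp
            edit 2
                set vrgrp 1
                set vrip 10.10.2.1
                set priority 200
            next
        end
    next
end
# The secondary unit would mirror this with its own interface addresses,
# the same vrip and vrgrp values, and a lower priority.
```

After applying a change like this, shut one grouped interface on the primary in a maintenance window and confirm that both virtual IPs move to the secondary, since that is the behaviour the asymmetric-routing concern depends on.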
FWIW: The Cisco-like track is not available in FortiOS, so you have no means to do this.
PCNSE
NSE
StrongSwan
Sorry for posting in the old thread.
1. Is there a way to force the master unit to become backup if the attached ISP circuit on the master goes down (interface monitoring or virtual WAN link, health check)? In my case, I will be using two ISPs on each FGT, so I will have an SD-WAN interface and am thus looking for failure of both ISPs at the same time. These two ISPs will be two circuits from the same ISP, just one high speed and another low speed. The second unit will have cellular Internet (to start with; later on, I will connect the high speed circuit to both firewalls).
2. Can the vrdst IP be something on the internet (like Google DNS), used to track the absence of a route through the ISP and trigger making the master the backup? The CLI guide is confusing, as it states the vrdst IP is the next-hop address.
3. Does a master unit that loses the VRRP advertisement response remain master, or does it decrease its priority to become slave? Otherwise, can both units become master at the same time?
4. Hopefully SD-WAN and VRRP can be used simultaneously.
Thanks
Copyright 2024 Fortinet, Inc. All Rights Reserved.