Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
h_celik
New Contributor II

Created on ‎04-09-2025 03:14 AM

should fortilink interfaces be monitored?

Hello,

 

I have configured two fortigates as ha and configured 1048e switches as mclag. I have turned off the split interface and I am using lacp mode active. I am wondering if I should monitor the fortilink interfaces on the ha monitoring interface? In a failover scenario, there seems to be more downtime on the FortiSwitches if traffic switches to the secondary FortiGate. Is there a best practice for this?

FortiGate   FortiSwitch  

Regards

Regards
138
0 Kudos
2 REPLIES 2
Dhruvin_patel
Staff
Staff

Created on ‎04-09-2025 02:35 PM

Greetings!

 

In a High Availability (HA) setup, monitoring FortiLink interfaces can be crucial, especially if they are handling critical traffic. However, there are some best practices to consider:

 

1 Monitor Critical Interfaces: Only monitor interfaces that are critical for your network operations. If FortiLink interfaces are critical, they should be monitored.

 

2. Avoid Monitoring All Interfaces: Monitoring too many interfaces can lead to unnecessary failovers. Focus on those that are essential for maintaining network connectivity and performance.

 

3. Exclude Heartbeat Interfaces: Ensure that the heartbeat (hbdev) interface is excluded from monitoring to prevent unnecessary failovers.

 

4. **Setup Considerations: Configure the monitor interfaces only after the HA cluster is fully set up, synchronized, and operational to avoid premature failovers.

 

5. Evaluate Downtime: If monitoring FortiLink interfaces leads to increased downtime during failover, consider whether the benefits of monitoring outweigh the potential downtime.

 

By following these best practices, you can optimize your HA setup and minimize downtime during failover scenarios.

 

Regards!

Dhruvin Patel
113
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎04-09-2025 03:01 PM

Hi Celik

I think in such scenario you don't need to monitor the FortiLink interface.

You have 2 FSW, so the FortiLink interface will fail if both FSW fail or both are disconnected from your primary FGT, and I think this is very unlikely to happen.

Now in case both FSW fail then there is really no need to automatic FGT failover, right?

And in case both FSW cables are disconnected from the primary FGT then this is most probably due to a voluntary manual intervention.

AEK
AEK
109
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.