Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fgilloteau_FTNT
Staff
Staff

Created on ‎11-06-2014 06:04 AM

Article Id 190938

Technical Note: Configure the HA to trigger a failover if the FortiGate can no longer reach a ping target

Description
This article explains a HA configuration option that can be used to trigger a failover in case of ping loss to a target destination.

Solution
In the HA configuration, you can configure the option "set monitor" to monitor a physical interface and trigger a failover if this local interface of the FortiGate is DOWN.

But you can also use the "pingserver" options associated to the "gwdetect" configuration to trigger a failover if some ping to a target destination are lost.

This will cover the case where the physical failure is not on the FortiGate itself but on the path to the destination. So in this case, you expect the FortiGate to trigger a failover to try the second unit which has another path to the target.

In the HA configuration, you have to configure these options:

config system ha
    ...
    set pingserver-monitor-interface "Vlan10" "Vlan11" ==> These are the interfaces on which you will configure ping to be sent to the target
    set pingserver-failover-threshold 10 ==> This is the weight for which you would like to trigger the failover if it is reached. This option is directly related to the ha-priority option that you will configure in "router gwdetect"
    set pingserver-flip-timeout 6 ==> This will prevent the failover to happen before the timeout is reached in case both units of the cluster can not connect to the target
end

This is the configuration required to configure ping to a target and associate a weight for the HA:

config router gwdetect
    edit 1
        set failtime 3
        set ha-priority 5 ==> If this ping is lost, it will add a weight of 5 to the global HA weight
        set interface "Vlan10"
        set server "10.10.10.1"
    next
    edit 2
        set failtime 3
        set ha-priority 5 ==> If this ping is lost, it will add a weight of 5 to the global HA weight
        set interface "Vlan11"
        set server "11.11.11.1"
    next
end

With the above configuration, if you lose the two pings, the HA weight will be (5+5 = 10) and you will trigger a failover because you have configured the global HA weight to failover if the weight is 10.

8645
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.