

When a FortiGate HA cluster is operating and a monitored interface fails on the primary unit, the primary unit usually becomes a subordinate unit and another unit in the cluster becomes the primary unit. After a link failover, the new primary unit sends special ARP packets (called Gratuitous ARP or G-ARP) to refresh the MAC forwarding tables (also called ARP tables) of the switches connected to the cluster. This is normal link failover operation.

Some switches in the network may not be able to detect that the primary unit has become a subordinate unit, and will keep forwarding packets to the former primary unit. This occurs if the switch does not detect the failure and does not clear its MAC forwarding table.


  • FortiOS

Steps or Commands

To make sure the switch detects the failover and clears its MAC forwarding tables, you can use the following command to cause the primary unit to shut down all its interfaces, except the heartbeat device interfaces, for one second when a failover occurs. If the primary unit interfaces are shut down for one second, the switch should be able to detect this failure and clear its MAC forwarding tables. Then, when the new primary unit is operating, the switch can detect the G-ARP packets and update its MAC forwarding table correctly.

Command syntax

config system ha
    set link-failed-signal enable
end
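
To check whether a cluster member already has this setting, the following added example (not Fortinet code) parses a FortiOS configuration backup and reports the state of link-failed-signal in the HA block. The sample configuration is constructed, and the script assumes that a missing `set mode` line means standalone and that a missing `set link-failed-signal` line means the setting is disabled.

```python
# Constructed sample of a FortiOS configuration backup (not taken from the page).
SAMPLE_CONFIG = """\
config system global
    set hostname "fgt-a"
end
config system ha
    set group-name "cluster1"
    set mode a-p
    set hbdev "port3" 50 "port4" 50
    set monitor "port1" "port2"
end
config system interface
    edit "port1"
        set vdom "root"
    next
end
"""

def ha_settings(config_text):
    """Return the 'set' lines of the 'config system ha' block as a dict."""
    settings, in_block, depth = {}, False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = (line == "config system ha")
            continue
        if line.startswith("config "):      # nested sub-table inside the HA block
            depth += 1
        elif line == "end":
            if depth == 0:                  # end of the HA block itself
                break
            depth -= 1
        elif depth == 0 and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) >= 2:
                settings[parts[1]] = parts[2] if len(parts) == 3 else ""
    return settings

def audit_link_failed_signal(config_text):
    """Return 'ok', 'missing' or 'not-applicable' for the HA link-failed-signal setting."""
    ha = ha_settings(config_text)
    # Assumption: no 'set mode' line means the unit is standalone (no HA cluster).
    if ha.get("mode", "standalone") == "standalone":
        return "not-applicable"
    # Assumption: an absent line means the setting is at its default, disabled.
    return "ok" if ha.get("link-failed-signal", "disable") == "enable" else "missing"

if __name__ == "__main__":
    print("link-failed-signal:", audit_link_failed_signal(SAMPLE_CONFIG))
```
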