Chapter 9 High Availability for FortiOS 5.0 : HA and failover protection : Link failover (port monitoring or interface monitoring)
  
Link failover (port monitoring or interface monitoring)
Link failover means that if a monitored interface fails, the cluster reorganizes to reestablish a link to the network that the monitored interface was connected to and to continue operating with minimal or no disruption of network traffic.
You configure monitored interfaces (also called interface monitoring or port monitoring) by selecting the interfaces to monitor as part of the cluster HA configuration.
You can monitor up to 64 interfaces.
The interfaces that you can monitor appear on the port monitor list. You can monitor all FortiGate interfaces including redundant interfaces and 802.3ad aggregate interfaces.
You cannot monitor the following types of interfaces (you cannot select the interfaces on the port monitor list):
FortiGate interfaces that contain an internal switch.
VLAN subinterfaces.
IPsec VPN interfaces.
Individual physical interfaces that have been added to a redundant or 802.3ad aggregate interface.
FortiGate-5000 series backplane interfaces that have not been configured as network interfaces.
If you are configuring a virtual cluster you can create a different port monitor configuration for each virtual cluster. Usually for each virtual cluster you would monitor the interfaces that have been added to the virtual domains in each virtual cluster.
 
Wait until after the cluster is up and running to enable interface monitoring. You do not need to configure interface monitoring to get a cluster up and running and interface monitoring will cause failovers if for some reason during initial setup a monitored interface has become disconnected. You can always enable interface monitoring once you have verified that the cluster is connected and operating properly.
 
You should only monitor interfaces that are connected to networks, because a failover may occur if you monitor an unconnected interface.
To enable interface monitoring - web‑based manager
Use the following steps to monitor the port1 and port2 interfaces of a cluster.
1. Connect to the cluster web‑based manager.
2. Go to System > Config > HA and edit the primary unit (Role is MASTER).
3. Select the Port Monitor check boxes for the port1 and port2 interfaces and select OK.
The configuration change is synchronized to all cluster units.
To enable interface monitoring - CLI
Use the following steps to monitor the port1 and port2 interfaces of a cluster.
1. Connect to the cluster CLI.
2. Enter the following command to enable interface monitoring for port1 and port2.
config system ha
set monitor port1 port2
end
The following example shows how to enable monitoring for the external, internal, and DMZ interfaces.
config system ha
set monitor external internal dmz
end
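The following Python script is an added example, not part of the FortiOS documentation and not Fortinet code. It audits a configuration backup for interfaces named in set monitor that belong to the types listed above as not monitorable, and for more than 64 monitored interfaces. The sample configuration is constructed. Recognizing VLAN subinterfaces by set vlanid, IPsec VPN interfaces by set type tunnel, and redundant or aggregate members by set member is an assumption about the backup format.

```python
import re

# Constructed sample of a FortiOS-style configuration backup (not from the page).
SAMPLE = '''\
config system interface
    edit "agg1"
        set type aggregate
        set member "port3" "port4"
    next
    edit "vlan100"
        set interface "port1"
        set vlanid 100
    next
    edit "vpn-hq"
        set type tunnel
    next
end
config system ha
    set monitor "port1" "port3" "agg1" "vlan100" "vpn-hq"
end
'''
WORDS = r'[^\s"]+'  # interface names, quoted or unquoted

def section(cfg, name):
    # Assumption: top-level "config"/"end" lines are unindented, nested ones indented.
    m = re.search(rf'^config {re.escape(name)}\n(.*?)^end$', cfg, re.S | re.M)
    return m.group(1) if m else ""

def parse_interfaces(cfg):
    # Map each interface name to a dict of its "set <key> <value>" lines.
    blocks = re.findall(r'edit "([^"]+)"\n(.*?)^\s*next$',
                        section(cfg, "system interface"), re.S | re.M)
    return {n: dict(re.findall(r'^\s*set (\S+) (.+)$', b, re.M)) for n, b in blocks}

def audit_monitor(cfg):
    """Return (interface, reason) pairs for monitor entries that should not be there."""
    ifaces = parse_interfaces(cfg)
    m = re.search(r'^\s*set monitor (.+)$', section(cfg, "system ha"), re.M)
    monitored = re.findall(WORDS, m.group(1)) if m else []
    # Physical ports that are members of a redundant or aggregate interface.
    member_of = {p: agg for agg, a in ifaces.items()
                 for p in re.findall(WORDS, a.get("member", ""))}
    findings = [("*", "more than 64 monitored interfaces")] if len(monitored) > 64 else []
    for name in monitored:
        attrs = ifaces.get(name, {})
        reason = ("VLAN subinterface" if "vlanid" in attrs else
                  "IPsec VPN interface" if attrs.get("type") == "tunnel" else
                  f"member of {member_of[name]}" if name in member_of else None)
        if reason:
            findings.append((name, reason))
    return findings
```

Calling audit_monitor(SAMPLE) reports port3, vlan100 and vpn-hq, and accepts port1 and the aggregate interface agg1 itself.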
With interface monitoring enabled, during cluster operation, the cluster monitors each cluster unit to determine if the monitored interfaces are operating and connected. Each cluster unit can detect a failure of its network interface hardware. Each cluster unit can also detect if its network interfaces are disconnected from the switch they should be connected to.
 
A cluster unit cannot determine if the switch that its interfaces are connected to is still connected to the network. However, you can use remote IP monitoring to make sure that the cluster unit can connect to downstream network devices. See “Remote link failover”.
Because the primary unit receives all traffic processed by the cluster, a cluster can only process traffic from a network if the primary unit can connect to it. So, if the link between a network and the primary unit fails, to maintain communication with this network, the cluster must select a different primary unit, one that is still connected to the network. Unless another link failure has occurred, the new primary unit will have an active link to the network and will be able to maintain communication with it.
To support link failover, each cluster unit stores link state information for all monitored cluster units in a link state database. All cluster units keep this link state database up to date by sharing link state information with the other cluster units. If one of the monitored interfaces on one of the cluster units becomes disconnected or fails, this information is immediately shared with all cluster units.