FortiGate-7000F Handbook

Failover protection

FortiGate-7000F HA supports failover protection to provide FortiOS services even when one of the FortiGate-7000Fs encounters a problem that would result in partial or complete loss of connectivity or reduced performance for a standalone FortiGate-7000F. This failover protection provides a backup mechanism that can be used to reduce the risk of unexpected downtime, especially in a mission-critical environment.

To achieve failover protection in a FortiGate-7000F cluster, one of the FortiGate-7000Fs functions as the primary, processing traffic, and the other functions as the secondary, operating in an active stand-by mode. The cluster IP addresses and HA virtual MAC addresses are associated with the interfaces of the primary. All traffic directed at the cluster is sent to and processed by the primary.

While the cluster is functioning, the primary FortiGate-7000F functions as the FortiGate network security device for the networks that it is connected to. In addition, the primary FortiGate-7000F and the secondary FortiGate-7000F use the HA heartbeat to keep in constant communication. The secondary FortiGate-7000F reports its status to the primary FortiGate-7000F and receives and stores connection and state table updates from the primary FortiGate-7000F.

FortiGate-7000F HA supports four kinds of failover protection:

  • Device failure protection automatically replaces a failed device and restarts traffic flow with minimal impact on the network.
  • FIM failure protection makes sure that traffic is processed by the FortiGate-7000F with the most operating FIMs.
  • Link failure protection maintains traffic flow if a link fails.
  • FPM failure protection makes sure that traffic is processed by the FortiGate-7000F with the most operating FPMs.
  • Session failure protection resumes communication sessions with minimal loss of data if a device, module, or link failure occurs.
