All root VDOM traffic should flow through the primary FortiGate and engineering VDOM traffic should flow through the backup FortiGate. If the primary FortiGate becomes unavailable, the cluster negotiates and traffic fails over and all traffic would be processed by the backup FortiGate.
To test this, ping a reliable IP address from a PC on the internal network. After a moment, power off the primary FortiGate.
If you are using port monitoring, you can also unplug the primary FortiGate's Internet-facing interface to test failover.
You see a momentary pause in the ping results until traffic diverts to the backup FortiGate, allowing the ping traffic to continue.
64 bytes from 188.8.131.52: icmp_seq=69 ttl=52 time=8.719 ms\ 64 bytes from 184.108.40.206: icmp_seq=70 ttl=52 time=8.822 ms\ 64 bytes from 220.127.116.11: icmp_seq=71 ttl=52 time=9.034 ms\ 64 bytes from 18.104.22.168: icmp_seq=72 ttl=52 time=9.536 ms\ 64 bytes from 22.214.171.124: icmp_seq=73 ttl=52 time=8.877 ms\ 64 bytes from 126.96.36.199: icmp_seq=74 ttl=52 time=8.901 ms\ Request timeout for icmp_seq 75\ 64 bytes from 188.8.131.52: icmp_seq=76 ttl=52 time=8.860 ms\ 64 bytes from 184.108.40.206: icmp_seq=77 ttl=52 time=9.174 ms\ 64 bytes from 220.127.116.11: icmp_seq=78 ttl=52 time=10.108 ms\ 64 bytes from 18.104.22.168: icmp_seq=79 ttl=52 time=8.719 ms\ 64 bytes from 22.214.171.124: icmp_seq=80 ttl=52 time=10.861 ms\ 64 bytes from 126.96.36.199: icmp_seq=81 ttl=52 time=10.757 ms\ 64 bytes from 188.8.131.52: icmp_seq=82 ttl=52 time=8.158 ms\ 64 bytes from 184.108.40.206: icmp_seq=83 ttl=52 time=8.639 ms}
You can log into the cluster GUI or CLI using the same IP address as you had been using to the log into the primary FortiGate. If the primary FortiGate is powered off, you will be logging into the Backup-1 FortiGate. Check the host name to verify the FortiGate that you have logged into.
After the primary FortiGate fails the HA Status dashboard widget shows that the Backup-2 has become the primary (master) FortiGate.
System > HA shows that the Backup-2 FortiGate has become the primary FortiGate for virtual cluster 1. This page also shows that the Backup-1 FortiGate continues to process virtual cluster 2 traffic.
If you restart the primary FortiGate, after a few minutes it should rejoin the cluster and because override is enabled, the original virtual cluster configuration should be re-established. Traffic may be temporarily disrupted when the restarted primary FortiGate rejoins the cluster.
You can also try powering off other FortiGates in the virtual cluster to see how the cluster adapts to the failover. Because of the device priority configuration, if two FortiGates are operating, virtual cluster 1 and virtual cluster 2 traffic is distributed between them.