Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    6.0.0
    6.0.0

    VRRP failover

    VRRP failover

    VRRP routers in a VRRP domain periodically send VRRP advertisement messages to all of the routers in the domain to maintain one router as the primary router and the others as backup routers. The primary router is the one with the highest priority. If the backup routers stop receiving these packets from the primary router, the backup router with the highest priority becomes the new primary router.

    The primary router stops sending VRRP advertisement messages if it either fails or becomes disconnected. You can also configure VRRP destination addresses that the primary router monitors. If the primary router becomes unable to connect to these destination addresses, it stops sending VRRP advertisement messages and the backup router with the highest priority becomes the primary router. You can add one or two destination addresses to a VRRP configuration. To be most effective, these destination addresses should be remote addresses.

    For example, configure IPv4 VRRP on port14 with two destination address:

    config system interface

    edit port14

    config vrrp

    edit 12

    set vrdst 10.10.10.20 10.20.20.10

    end

    Configure IPv6 VRRP on port23 with one destination address:

    config system interface

    edit port23

    config ipv6

    config vrrp6

    edit 223

    set vrdst 2001:db8:1::12

    end

    IPv4 VRRP active failover

    You can reduce IPv4 VRRP failover times with the vrdst-priority option. This option causes the primary router to actively signal to the backup routers when the primary router can't reach its configured destination address or addresses. The primary router does this by sending a lower priority for itself in the VRRP advertisement messages. You set this lower priority with the vrdst-priority option. The backup router with the highest priority becomes the new primary router and takes over processing traffic.

    The following example configures the primary router to have a priority of 255 so it should always become the primary router. The command also sets vrdst-priority to 10. So if the primary router can no longer connect to its destination address of 10.10.10.1, the primary router informs the VRRP group that its priority is now 10.

    config system interface

    edit port10

    config vrrp

    edit 12

    set vrip 10.31.101.200

    set priority 255

    set vrdst 10.10.10.1

    set vrdst-priority 10

    end

    Failover of IPv4 firewall VIPs and IP pools

    FortiOS VRRP supports failover of firewall VIPs and IP Pools when the status of a router changes. This feature introduces a new proxy ARP setting to map VIP and IP Pool address ranges to each router's Virtual MAC (VMAC). After failover, the IP ranges added to the new primary router are routed to the new primary router's VMAC.

    Use the following command to add a proxy ARP address range and a single IP address to a router added to a FortiGate`s port5 interface. The address range and single IP address should match the address range or single IP for VIPs or IP pools added to the port5 interface:

    config system interface

    edit port5

    config vrrp

    edit 1

    config proxy-arp

    edit 1

    set ip 192.168.62.100-192.168.62.200

    next

    edit 2

    set ip 192.168.62.225

    end

    Changing the advertisement message interval

    By default, VRRP advertisement messages are sent once a second. You can use the adv-interval option to change the frequency of sending these messages. The range is 1 to 255 seconds.

    The adv-interval also affects the period a backup VRRP router waits before assuming the primary router has failed. That waiting period is 3 times the adv-interval. For example, if adv-interval is 5, the backup router waits for up to 15 seconds to receive a VRRP advertisement from the current primary router before taking over the role as the primary router.

    For example, configure an IPv4 VRRP to send advertisement messages every 10 seconds:

    config system interface

    edit port14

    config vrrp

    edit 12

    set adv-interval 10

    end

    Configure IPv6 VRRP to send advertisement messages every 20 seconds:

    config system interface

    edit port23

    config ipv6

    config vrrp6

    edit 223

    set adv-interval 20

    end

    Changing the VRRP start time

    The VRRP start time is the time a backup or priamary VRRP router waits before sending or receiving VRRP advertisements and thus potentially changing state. The main visibility of this timer is when VRRP-monitored interfaces have become up after having previously been down. When this occurs the device will wait for this timer period before considering (and *potentially* changing) its status.

    The default startup time is 3 seconds and the range is 1 to 255 seconds.

    In some cases the advertisement messages may be delayed. For example, some switches with spanning tree enabled may delay some of the advertisement message packets. If you find that backup routers are attempting to become primary routers even though the primary router hasn't failed, you can extend the start time to make sure the backup routers wait long enough for the advertisement messages.

    For example, set the IPv4 VRRP startup time to 10 seconds:

    config system interface

    edit port14

    config vrrp

    edit 12

    set start-time 10

    end

    Configure set the IPv6 VRRP startup time to 15 seconds:

    config system interface

    edit port23

    config ipv6

    config vrrp6

    edit 223

    set start-time 15

    end

    Previous
    Next

    VRRP failover

    VRRP failover

    VRRP routers in a VRRP domain periodically send VRRP advertisement messages to all of the routers in the domain to maintain one router as the primary router and the others as backup routers. The primary router is the one with the highest priority. If the backup routers stop receiving these packets from the primary router, the backup router with the highest priority becomes the new primary router.

    The primary router stops sending VRRP advertisement messages if it either fails or becomes disconnected. You can also configure VRRP destination addresses that the primary router monitors. If the primary router becomes unable to connect to these destination addresses, it stops sending VRRP advertisement messages and the backup router with the highest priority becomes the primary router. You can add one or two destination addresses to a VRRP configuration. To be most effective, these destination addresses should be remote addresses.

    For example, configure IPv4 VRRP on port14 with two destination address:

    config system interface

    edit port14

    config vrrp

    edit 12

    set vrdst 10.10.10.20 10.20.20.10

    end

    Configure IPv6 VRRP on port23 with one destination address:

    config system interface

    edit port23

    config ipv6

    config vrrp6

    edit 223

    set vrdst 2001:db8:1::12

    end

    IPv4 VRRP active failover

    You can reduce IPv4 VRRP failover times with the vrdst-priority option. This option causes the primary router to actively signal to the backup routers when the primary router can't reach its configured destination address or addresses. The primary router does this by sending a lower priority for itself in the VRRP advertisement messages. You set this lower priority with the vrdst-priority option. The backup router with the highest priority becomes the new primary router and takes over processing traffic.

    The following example configures the primary router to have a priority of 255 so it should always become the primary router. The command also sets vrdst-priority to 10. So if the primary router can no longer connect to its destination address of 10.10.10.1, the primary router informs the VRRP group that its priority is now 10.

    config system interface

    edit port10

    config vrrp

    edit 12

    set vrip 10.31.101.200

    set priority 255

    set vrdst 10.10.10.1

    set vrdst-priority 10

    end

    Failover of IPv4 firewall VIPs and IP pools

    FortiOS VRRP supports failover of firewall VIPs and IP Pools when the status of a router changes. This feature introduces a new proxy ARP setting to map VIP and IP Pool address ranges to each router's Virtual MAC (VMAC). After failover, the IP ranges added to the new primary router are routed to the new primary router's VMAC.

    Use the following command to add a proxy ARP address range and a single IP address to a router added to a FortiGate`s port5 interface. The address range and single IP address should match the address range or single IP for VIPs or IP pools added to the port5 interface:

    config system interface

    edit port5

    config vrrp

    edit 1

    config proxy-arp

    edit 1

    set ip 192.168.62.100-192.168.62.200

    next

    edit 2

    set ip 192.168.62.225

    end

    Changing the advertisement message interval

    By default, VRRP advertisement messages are sent once a second. You can use the adv-interval option to change the frequency of sending these messages. The range is 1 to 255 seconds.

    The adv-interval also affects the period a backup VRRP router waits before assuming the primary router has failed. That waiting period is 3 times the adv-interval. For example, if adv-interval is 5, the backup router waits for up to 15 seconds to receive a VRRP advertisement from the current primary router before taking over the role as the primary router.

    For example, configure an IPv4 VRRP to send advertisement messages every 10 seconds:

    config system interface

    edit port14

    config vrrp

    edit 12

    set adv-interval 10

    end

    Configure IPv6 VRRP to send advertisement messages every 20 seconds:

    config system interface

    edit port23

    config ipv6

    config vrrp6

    edit 223

    set adv-interval 20

    end

    Changing the VRRP start time

    The VRRP start time is the time a backup or priamary VRRP router waits before sending or receiving VRRP advertisements and thus potentially changing state. The main visibility of this timer is when VRRP-monitored interfaces have become up after having previously been down. When this occurs the device will wait for this timer period before considering (and *potentially* changing) its status.

    The default startup time is 3 seconds and the range is 1 to 255 seconds.

    In some cases the advertisement messages may be delayed. For example, some switches with spanning tree enabled may delay some of the advertisement message packets. If you find that backup routers are attempting to become primary routers even though the primary router hasn't failed, you can extend the start time to make sure the backup routers wait long enough for the advertisement messages.

    For example, set the IPv4 VRRP startup time to 10 seconds:

    config system interface

    edit port14

    config vrrp

    edit 12

    set start-time 10

    end

    Configure set the IPv6 VRRP startup time to 15 seconds:

    config system interface

    edit port23

    config ipv6

    config vrrp6

    edit 223

    set start-time 15

    end

    Previous
    Next