Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    6.0.0
    6.0.0

    VRRP groups

    VRRP groups

    If you have added VRRP routers to multiple interfaces of the same FortiGate, each of those routers will be in a different VRRP domain. If one of these routers switches to backup (for example, if it can't connect to its destination), you might want all of the routers on this FortiGate to also switch to backup. If other words, if one of the VRRP routers added to a FortiGate fails, you might want all of the VRRP routers added the FortiGate to also fail.

    However, VRRP can only check the status of the routers in a single VRRP domain and can't track the status of routers in other domains. So, if you have multiple VRRP domains on a single FortiGate, one of them can switch to backup but the others can remain operating normally.

    VRRP groups allow you to avoid this problem. You can add all of the VRRP virtual routers on the same FortiGate to a VRRP group. If one of the virtual routers in a VRRP group switches to backup, the VRRP group forces all of the other virtual routers in the same group to also switch to backup. So all VRRP traffic being processed by the FortiGate fails over to other devices in your network.

    Note

    The status of the virtual routers in a VRRP group can only change when one or more of the virtual routers in the group changes status. You cannot use a VRRP group to manually change the status of the virtual routers in the group.

    Use the following command to add two VRRP routers to a VRRP group with a group ID of 10. The VRRP group ID can be between 1 and 65535.

    config system interface

    edit port10

    config vrrp

    edit 200

    set vrip 10.31.101.200

    set priority 255

    set vrpgrp 10

    end

    end

    edit port20

    config vrrp

    edit 100

    set vrip 10.23.1.223

    set priority 20

    set vrpgrp 10

    end

    Use the following command to add two IPv6 VRRP routers to a VRRP group with a group ID of 90. The VRRP group ID can be between 1 and 65535.

    config system interface

    edit port11

    config ipv6

    set vrip6_link_local <link-local-ipv6-address>

    config vrrp6

    edit 220

    set vrip 2001:db8:1::12

    set priority 255

    set vrpgrp 90

    end

    end

    edit port12

    config ipv6

    set vrip6_link_local <link-local-ipv6-address>

    config vrrp6

    edit 220

    set vrip 2001:db8:1::14

    set priority 100

    set vrpgrp 90

    end

    Previous
    Next

    VRRP groups

    VRRP groups

    If you have added VRRP routers to multiple interfaces of the same FortiGate, each of those routers will be in a different VRRP domain. If one of these routers switches to backup (for example, if it can't connect to its destination), you might want all of the routers on this FortiGate to also switch to backup. If other words, if one of the VRRP routers added to a FortiGate fails, you might want all of the VRRP routers added the FortiGate to also fail.

    However, VRRP can only check the status of the routers in a single VRRP domain and can't track the status of routers in other domains. So, if you have multiple VRRP domains on a single FortiGate, one of them can switch to backup but the others can remain operating normally.

    VRRP groups allow you to avoid this problem. You can add all of the VRRP virtual routers on the same FortiGate to a VRRP group. If one of the virtual routers in a VRRP group switches to backup, the VRRP group forces all of the other virtual routers in the same group to also switch to backup. So all VRRP traffic being processed by the FortiGate fails over to other devices in your network.

    Note

    The status of the virtual routers in a VRRP group can only change when one or more of the virtual routers in the group changes status. You cannot use a VRRP group to manually change the status of the virtual routers in the group.

    Use the following command to add two VRRP routers to a VRRP group with a group ID of 10. The VRRP group ID can be between 1 and 65535.

    config system interface

    edit port10

    config vrrp

    edit 200

    set vrip 10.31.101.200

    set priority 255

    set vrpgrp 10

    end

    end

    edit port20

    config vrrp

    edit 100

    set vrip 10.23.1.223

    set priority 20

    set vrpgrp 10

    end

    Use the following command to add two IPv6 VRRP routers to a VRRP group with a group ID of 90. The VRRP group ID can be between 1 and 65535.

    config system interface

    edit port11

    config ipv6

    set vrip6_link_local <link-local-ipv6-address>

    config vrrp6

    edit 220

    set vrip 2001:db8:1::12

    set priority 255

    set vrpgrp 90

    end

    end

    edit port12

    config ipv6

    set vrip6_link_local <link-local-ipv6-address>

    config vrrp6

    edit 220

    set vrip 2001:db8:1::14

    set priority 100

    set vrpgrp 90

    end

    Previous
    Next