Fortinet Document Library

Version:


Table of Contents

New Features

7.0.0
Download PDF
Copy Link

Improved link monitoring and HA failover time

When a link monitor fails, only the routes specified in the link monitor are removed from the routing table, instead of all the routes with the same interface and gateway. If no route is specified, then all of the routes are removed. Only IPv4 routes are supported.

On supported models, the HA heartbeat interval unit can be changed from the default, 100ms, to 10ms. This allows for a failover time of less than 50ms, depending on the configuration and the network.

config system ha
    set hb-interval-in-milliseconds {100ms | 10ms}
end

Route based monitoring

In this example, the FortiGate has several routes to 23.2.2.2/32 and 172.16.202.2/24, and is monitoring the link agg1 by pinging the server at 10.1.100.22. The link monitor uses the gateway 172.16.203.2.

When the link monitor fails, only the routes to the specified subnet using interface agg1 and gateway 172.16.203.2 are removed.

To configure the link monitor:
config system link-monitor
    edit "22"
        set srcintf "agg1"
        set server "10.1.100.22"
        set gateway-ip 172.16.203.2
        set route "23.2.2.2/32" "172.16.202.0/24"
    next
end
To check the results:
  1. When the link monitor is alive:

    # get router info routing-table static
    Routing table for VRF=0
    S*      0.0.0.0/0 [5/0] via 10.100.1.249, port12
    S       10.1.100.0/24 [10/0] via 172.16.203.2, agg1
    S       23.2.2.2/32 [10/0] via 172.16.203.2, agg1
    S       23.2.3.2/32 [10/0] via 172.16.203.2, agg1
    S       172.16.201.0/24 [10/0] via 172.16.200.4, port9
    S       172.16.202.0/24 [10/0] via 172.16.203.2, agg1
    S       172.16.204.0/24 [10/0] via 172.16.200.4, port9
                            [10/0] via 172.16.203.2, agg1
                            [10/0] via 172.16.206.2, vlan100, [100/0]
  2. When the link monitor is dead:

    # get router info routing-table static
    Routing table for VRF=0
    S*      0.0.0.0/0 [5/0] via 10.100.1.249, port12
    S       10.1.100.0/24 [10/0] via 172.16.203.2, agg1
    S       23.2.3.2/32 [10/0] via 172.16.203.2, agg1
    S       172.16.201.0/24 [10/0] via 172.16.200.4, port9
    S       172.16.204.0/24 [10/0] via 172.16.200.4, port9
                            [10/0] via 172.16.203.2, agg1
                            [10/0] via 172.16.206.2, vlan100, [100/0]

HA failover time

In this example, the HA heartbeat interval unit is changed from 100ms to 10ms. As the default heartbeat interval is two, this means that a heartbeat is sent every 20ms. The number of lost heartbeats that signal a failure is also changed to two. So, after two consecutive heartbeats are lost, a failover will be detected in 40ms.

To configure the HA failover:
config system ha
    set group-id 240
    set group-name "300D"
    set mode a-p
    set hbdev "port3" 50 "port5" 100
    set hb-interval 2
    set hb-interval-in-milliseconds 10ms
    set hb-lost-threshold 2
    set override enable
    set priority 200
end

Improved link monitoring and HA failover time

When a link monitor fails, only the routes specified in the link monitor are removed from the routing table, instead of all the routes with the same interface and gateway. If no route is specified, then all of the routes are removed. Only IPv4 routes are supported.

On supported models, the HA heartbeat interval unit can be changed from the default, 100ms, to 10ms. This allows for a failover time of less than 50ms, depending on the configuration and the network.

config system ha
    set hb-interval-in-milliseconds {100ms | 10ms}
end

Route based monitoring

In this example, the FortiGate has several routes to 23.2.2.2/32 and 172.16.202.2/24, and is monitoring the link agg1 by pinging the server at 10.1.100.22. The link monitor uses the gateway 172.16.203.2.

When the link monitor fails, only the routes to the specified subnet using interface agg1 and gateway 172.16.203.2 are removed.

To configure the link monitor:
config system link-monitor
    edit "22"
        set srcintf "agg1"
        set server "10.1.100.22"
        set gateway-ip 172.16.203.2
        set route "23.2.2.2/32" "172.16.202.0/24"
    next
end
To check the results:
  1. When the link monitor is alive:

    # get router info routing-table static
    Routing table for VRF=0
    S*      0.0.0.0/0 [5/0] via 10.100.1.249, port12
    S       10.1.100.0/24 [10/0] via 172.16.203.2, agg1
    S       23.2.2.2/32 [10/0] via 172.16.203.2, agg1
    S       23.2.3.2/32 [10/0] via 172.16.203.2, agg1
    S       172.16.201.0/24 [10/0] via 172.16.200.4, port9
    S       172.16.202.0/24 [10/0] via 172.16.203.2, agg1
    S       172.16.204.0/24 [10/0] via 172.16.200.4, port9
                            [10/0] via 172.16.203.2, agg1
                            [10/0] via 172.16.206.2, vlan100, [100/0]
  2. When the link monitor is dead:

    # get router info routing-table static
    Routing table for VRF=0
    S*      0.0.0.0/0 [5/0] via 10.100.1.249, port12
    S       10.1.100.0/24 [10/0] via 172.16.203.2, agg1
    S       23.2.3.2/32 [10/0] via 172.16.203.2, agg1
    S       172.16.201.0/24 [10/0] via 172.16.200.4, port9
    S       172.16.204.0/24 [10/0] via 172.16.200.4, port9
                            [10/0] via 172.16.203.2, agg1
                            [10/0] via 172.16.206.2, vlan100, [100/0]

HA failover time

In this example, the HA heartbeat interval unit is changed from 100ms to 10ms. As the default heartbeat interval is two, this means that a heartbeat is sent every 20ms. The number of lost heartbeats that signal a failure is also changed to two. So, after two consecutive heartbeats are lost, a failover will be detected in 40ms.

To configure the HA failover:
config system ha
    set group-id 240
    set group-name "300D"
    set mode a-p
    set hbdev "port3" 50 "port5" 100
    set hb-interval 2
    set hb-interval-in-milliseconds 10ms
    set hb-lost-threshold 2
    set override enable
    set priority 200
end