What are some of the different ways failover can occur on FortiGates?
Examples of failover types
In the past few articles, I've been writing about high availability mechanics and protocol negotiation. Taking a step back though, I think it's important to describe the actual conditions where failover can occur (and what the FortiGate is looking for).
Here are common conditions/situations that would trigger HA failover:
- Device failover - This is a situation where an entire primary firewall appears to be unresponsive (hello packets are not returned).
- Link failover - This is a situation where one or more monitored links are showing as down on a primary unit.
- Remote link failover - In this situation, the FortiGate unit is expecting a response from a remote party and not getting it (effectively a link-state failure similar to SD-WAN performance SLA checks).
- Memory-based failure - In this case, memory utilization exceeds a certain threshold specified by the admin. An example here would be a DoS attack targeting a firewall and exhausting resources.
- SSD failover - This one is pretty straightforward and indicates an error/issue with the local ext-fs file system on an SSD installed within the firewall.
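
As an added illustration (not configuration from the original article), this is roughly where each of the five triggers above is set in the FortiOS CLI. The interface names, link-monitor name, probe address and all numeric values are constructed placeholders, the `#` lines are annotations, and option names should be checked against the FortiOS version in use.

```text
# Constructed example: names, address and thresholds are placeholders.
config system ha
    set mode a-p
    set hbdev "ha1" 50 "ha2" 50
    # Device failover: peer is treated as failed after this many missed hellos
    set hb-interval 2
    set hb-lost-threshold 6
    # Link failover: interfaces whose link state is monitored
    set monitor "port1" "port2"
    # Remote link failover: interface tracked through a link monitor
    set pingserver-monitor-interface "port1"
    set pingserver-failover-threshold 5
    # Memory-based failover: threshold is percent of memory in use
    set memory-based-failover enable
    set memory-failover-threshold 80
    # SSD failover
    set ssd-failover enable
end
config system link-monitor
    edit "wan-probe"
        set srcintf "port1"
        set server "192.0.2.1"
        # Counted against pingserver-failover-threshold when this probe fails
        set ha-priority 10
    next
end
```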
Any of these situations can trigger failover. For more information, check out these resources:
