FortiGate
ppatel, Staff
Article Id 195049
Description
This article explains how to set up a hardware-switch interface as a monitored port (port monitor) in an HA configuration.
Sometimes a hardware-switch interface carries traffic on the internal network of FortiGate devices that run in an HA cluster, but this interface cannot be selected as a port monitor.

Solution
The hardware-switch interface cannot be selected as a port monitor on HA because this is normal, intended behavior. By design, the hardware switch combines multiple physical interfaces so that they are treated as a single logical interface.

For example, if the LAN interface in this mode has more than one member interface and one member goes down while another stays up, the LAN interface does not change to the down state. It remains up and HA does not trigger a failover.

Port1 and port2 are part of the hardware-switch:
FG100D # sh sys virtual-switch
config system virtual-switch
    edit "lan"
        set physical-switch "sw0"
        config port
            edit "port1"
            next
            edit "port2"
            next
        end
    next
end

In the following output, port2 is disconnected but port1 is up, so the hardware-switch interface remains in the up state:

FWifi01 # show sys interface  ?
name    name
lan   static   0.0.0.0 0.0.0.0  192.168.100.99 255.255.255.0  up   disable   hard-switch  disable   enable

The workaround is to remove one physical interface from the hardware switch and monitor that interface directly:

Go to System -> Interface, select the Hardware Switch interface "lan" and choose Edit.
Select the member interface that should be monitored.
Remove that interface from the hardware switch.
Delete the IP address from the hardware switch.
Press 'OK'.

Configure the physical interface that was removed with the hardware switch's IP address and reassign the object references to the new interface.
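
The same workaround from the CLI, as an added example that is not part of the original article. It assumes the FortiGate from the output above: hardware switch "lan" with members port1 and port2, address 192.168.100.99/24, and port2 as the member to monitor; the interface names and address come from the page, while the allowaccess settings are an assumption.

```fortios
# Added example: CLI equivalent of the GUI workaround (not from the original article).
# Assumes hardware switch "lan" with members port1 and port2 and the address
# 192.168.100.99/24 shown earlier; port2 is the member that HA will monitor.

# 1. Remove port2 from the hardware switch so it becomes a standalone interface.
config system virtual-switch
    edit "lan"
        config port
            delete "port2"
        end
    next
end

# 2. Clear the IP from the hardware switch first; FortiOS rejects an
#    overlapping subnet on port2 while "lan" still owns that address.
config system interface
    edit "lan"
        set ip 0.0.0.0 0.0.0.0
    next
# 3. Give the freed physical interface the former switch address.
#    The allowaccess list is an assumption; match what "lan" had.
    edit "port2"
        set ip 192.168.100.99 255.255.255.0
        set allowaccess ping https ssh
    next
end

# 4. Add port2 to the HA monitored interfaces. A link loss on port2 now
#    triggers failover, which the multi-member hardware switch never did.
#    "set monitor" replaces the whole list, so include any ports already monitored.
config system ha
    set monitor "port2"
end

# 5. Verify that the cluster reports the monitored interface.
get system ha status
```

Firewall policies and other objects that reference "lan" still have to be repointed to port2 as the final step above; these commands cover only the interface and HA changes.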
This workaround does not fit every scenario: after the change only one physical interface carries the traffic, which can become congested when traffic is very high. In cases where the hardware-switch interface has only one member, there is no such problem.

Related Articles

Technical Note: How to delete the default virtual Hardware Switch 'lan'