FortiGate
subramanis
Staff
Article Id 196577
Description
In a redundant interface traffic only goes over one interface at any time.
This differs from an aggregated interface where traffic goes over all interfaces for increased bandwidth.
This difference means redundant interfaces can have more robust configurations with fewer possible points of failure.
This is important in a fully-meshed HA configuration.

An interface is available to be in a redundant interface if:
- It is a physical interface and not a VLAN interface.
- It is not already part of an aggregated or redundant interface.
- It is in the same VDOM as the redundant interface.
- It does not have an IP address and is not configured for DHCP or PPPoE.
- It has no DHCP server or relay configured on it.
- It does not have any VLAN subinterfaces.
- It is not referenced in any security policy, VIP, or multicast policy.
- It is not monitored by HA.
- It is not one of the FortiGate-5000 series back plane interfaces.

When an interface is included in a redundant interface, it is not listed on the Network -> Interfaces page.
It is not possible to configure the interface individually, and it is not available for inclusion in security policies, VIPs, or routing.

This article describes how to create a redundant link.


Solution
To create a redundant interface from the GUI.
1) Go to Network -> Interfaces and select 'Create New'.
2) For Interface Name, enter 'Redundant'.
3) For the Type, select 'Redundant Interface'.
4) In the physical Interface Members, select 'add interfaces' and select ports 7, 8, and 9.
5) For Addressing mode, select 'Manual'.
6) For the IP address for the port, enter 10.13.101.100/24.
7) For Administrative Access, select 'HTTPS' and 'SSH'.
8) Select 'OK'.





To create a redundant interface from the CLI.
# config system interface
    edit "Redundancy"
        set vdom "root"
        set vrf 0
        set mode static
        set dhcp-relay-service disable
        set ip 10.13.101.100 255.255.255.0
        set type redundant
        set member "port7" "port8" "port9"
        set device-identification enable
        set role lan
        set snmp-index 9
    next
end
Verification.
# diagnose netlink redundant name Redundancy
status: up
npu: y
flush: n
asic helper: y
oid: 77
ports: 2
link-up-delay: 50ms
priority-override: disable
MAC addr: 00:09:0f:09:00:20
current slave: port7                <----- Interface used for Traffic.
 
slave: port7
  link status: up
  link failure count: 0
  permanent MAC addr: 70:4c:a5:fe:eb:40
 
slave: port8
  link status: up
  link failure count: 0
  permanent MAC addr: 70:4c:a5:fe:eb:41

slave: port8
  link status: up
  link failure count: 0
  permanent MAC addr: 70:4c:a5:fe:eb:42
Note.
- priority-override: enable/disable.

- priority-override: enable: if port7 is down, traffic is moved to port8, and it is moved back to port7 once port7 is available.

- priority-override: disable: if port7 is down, traffic is moved to port8, and it is not moved back to port7 once port7 is available.

- The interface priority is the order in which the members are configured on the redundant interface. Example: set member 'port7' 'port8' 'port9' <--- port7 is the primary interface, port8 is the second, and so on.
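
A monitoring check built on the verification output and the priority-override notes above, as an added example that is not part of the original article or any Fortinet tooling: it parses saved 'diagnose netlink redundant name' output and reports members that are down or have recorded failures, and whether traffic has left the first configured member. The function names, the configured_order parameter and the sample output are assumptions constructed for illustration.

```python
import re

# Constructed sample in the format of the verification output above (port7 failed).
SAMPLE = """\
priority-override: disable
current slave: port8

slave: port7
  link status: down
  link failure count: 1

slave: port8
  link status: up
  link failure count: 0

slave: port9
  link status: up
  link failure count: 0
"""

def parse_redundant(text):
    """Parse 'key: value' lines, ignoring any trailing '<---' annotation."""
    state, member = {"members": []}, None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(\S.*?)\s*(?:<-.*)?$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2)
        if key == "slave":              # start of a per-member block
            member = {"name": value}
            state["members"].append(member)
        elif member is not None:        # field inside a member block
            member[key] = value
        else:                           # header field
            state[key] = value
    return state

def findings(state, configured_order):
    """configured_order (hypothetical parameter) is the 'set member' order."""
    out = []
    for mem in state["members"]:
        if mem.get("link status") != "up" or int(mem.get("link failure count", "0")):
            out.append(f"{mem['name']}: link {mem.get('link status')}, "
                       f"{mem.get('link failure count', '0')} failure(s)")
    active, primary = state.get("current slave"), configured_order[0]
    if active != primary:
        back = "will not" if state.get("priority-override") == "disable" else "will"
        out.append(f"traffic on {active}, not {primary}; {back} move back to {primary} automatically")
    return out
```

Calling findings(parse_redundant(SAMPLE), ["port7", "port8", "port9"]) returns one entry for the failed member and one for the failover state; an empty list means the first configured member is carrying traffic and no member has recorded a failure.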
