Technical Tip: FortiGate behavior when combining FGCP monitor interface and fail-detect

1.  Fail-detect feature only works on Primary FortiGate.
2. HA takes precedence over the fail-detect feature.

Additional reference:

Fortigate FGCP monitor interface can trigger failover when the monitored interface is down Introduction to the FGCP cluster

Using FortiOS v7.0.X, failover is triggered immediately (<1 second) once the monitored interface goes down:

The fail-detect feature will detect if one interface goes down, then it will trigger corresponding fail-alert interface changes to down

Fail-detect reaction time takes around 2 seconds after interface goes down, and 1 second after interface goes up:
Technical Tip: What is the reaction time of fail-detect

Testing scenario:

• HA monitor interface port1:

config system ha

    set override disable
    set group-name "FGCP"
    set mode a-p
    set hbdev "port2" 0

    set monitor "port1"

• Fail-detect enable on port1, shutdown port3 if port1 goes down:

config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh http fgfm
        set fail-detect enable
        set fail-alert-interfaces "port3"

Testing result:

The fail-detect feature only works on the Primary Firewall. On the secondary firewall, if port1 goes down, the corresponding fail-alert interface (port3) is still up:

HA monitor interface will run the first failover triggered if the primary firewall interface port1 goes down.
The fail-detect will not run (FG1 port3 still up), since failover is triggered first in this case:

Status on FG2 (New Primary/Active) - port1 up, port3 up:

When FG1 port1 still down, bring down FG2 port1:

• HA election triggered -> FG1 SN are larger than FG2 Failover triggered: Technical Tip: FortiGate HA Primary unit selection process when override is disabled vs enabled

FG1 becomes primary, and port3 becomes down because fail-detect is working on the primary unit: