[Failover test] Shut down FortiGate A


This recipe is part of the process of deploying FortiGate HA for AWS. See below for the rest of the recipes in this process:

  1. Customize the CFT template
  2. Check the prerequisites
  3. Review the network failover diagram
  4. Invoke the CFT template
  5. Connect to the FortiGates
  6. [Connectivity test] Configure FortiGate firewall policy
  7. [Failover test] Shut down FortiGate A

  1. Let’s test the failover situation where FortiGate A fails to run. First, while the two FortiGate instances are running, log into FortiGate A by connecting to the front-end public IP address, which is, associated with 
  2. Let’s see if FortiGate B promotes itself to the primary when FortiGate A fails to run. On the EC2 console, shut down FortiGate A.
  3. Connect to the same public front-end IP address by refreshing the browser. You have now successfully logged into FortiGate B, not FortiGate A, since the secondary IP address has moved to FortiGate B’s public-facing port.
  4. Check FortiGate B’s secondary IP address in the EC2 console.
  5. Check the HA status while FortiGate A is down.
  6. Once FortiGate A comes back online, it runs as the secondary. It takes time for the HA to settle and the synchronization to function, as indicated by the green checkmarks.
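
The secondary IP check in steps 3 and 4 can also be made from saved output of `aws ec2 describe-network-interfaces` taken before and after the shutdown. The following is an added example, not part of the original recipe or Fortinet's tooling. The instance IDs, ENI IDs, and addresses are constructed, and it assumes the front-end public IP is an Elastic IP associated with the secondary private IP.

```python
# Added example: verify the secondary-IP move from saved output of
# `aws ec2 describe-network-interfaces`. All IDs and addresses are constructed.

def _eni(eni_id, instance_id, primary_ip, secondary=None, public=None):
    """Build a trimmed ENI record in the shape the AWS CLI returns."""
    addrs = [{"Primary": True, "PrivateIpAddress": primary_ip}]
    if secondary:
        entry = {"Primary": False, "PrivateIpAddress": secondary}
        if public:
            entry["Association"] = {"PublicIp": public}
        addrs.append(entry)
    return {"NetworkInterfaceId": eni_id,
            "Attachment": {"InstanceId": instance_id},
            "PrivateIpAddresses": addrs}

FGT_A, FGT_B = "i-0aaaaaaaaaaaaaaaa", "i-0bbbbbbbbbbbbbbbb"   # constructed
FLOATING_IP, FRONT_END_IP = "10.0.0.100", "203.0.113.10"      # constructed

BEFORE = {"NetworkInterfaces": [
    _eni("eni-0a", FGT_A, "10.0.0.11", FLOATING_IP, FRONT_END_IP),
    _eni("eni-0b", FGT_B, "10.0.0.12")]}
AFTER = {"NetworkInterfaces": [
    _eni("eni-0a", FGT_A, "10.0.0.11"),
    _eni("eni-0b", FGT_B, "10.0.0.12", FLOATING_IP, FRONT_END_IP)]}

def secondary_ip_holders(described):
    """Map each secondary private IP to [(instance_id, public_ip), ...]."""
    holders = {}
    for eni in described.get("NetworkInterfaces", []):
        instance = eni.get("Attachment", {}).get("InstanceId")
        for addr in eni.get("PrivateIpAddresses", []):
            if not addr.get("Primary"):
                public = addr.get("Association", {}).get("PublicIp")
                holders.setdefault(addr["PrivateIpAddress"], []).append((instance, public))
    return holders

def check_failover(before, after, ip, public_ip, failed, standby):
    """Return a list of problems; an empty list means the IP moved cleanly."""
    problems = []
    if secondary_ip_holders(before).get(ip) != [(failed, public_ip)]:
        problems.append("before: %s not held solely by %s" % (ip, failed))
    now = secondary_ip_holders(after).get(ip, [])
    if len(now) != 1:
        problems.append("after: %s held by %d interfaces" % (ip, len(now)))
    elif now[0][0] != standby:
        problems.append("after: %s still on %s" % (ip, now[0][0]))
    elif now[0][1] != public_ip:
        problems.append("after: public IP is %s, expected %s" % (now[0][1], public_ip))
    return problems

if __name__ == "__main__":
    print(check_failover(BEFORE, AFTER, FLOATING_IP, FRONT_END_IP, FGT_A, FGT_B) or "failover OK")
```

An empty result means the address is held only by FortiGate B's interface and still maps to the same public IP; a result reporting two interfaces means both units claim the address.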