2.5.2 Ensure 'Monitor Interfaces' for High Availability Devices is Enabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Configure Interface Monitoring within the High Availability settings. Interface Monitoring should be enabled on all critical interfaces.

Rationale:

With Interface Monitoring enabled on devices, failover can occur if there are physical media issues or issues with the specific port that the FortiGate is connected to.

Impact:

Not configuring Interface Monitoring can directly impact services: if an interface is impacted only on the primary device and it is not being monitored, no High Availability failover is triggered. Without Interface Monitoring enabled, failover would be limited to hardware, system, or power faults.

Solution

To Remediate from GUI:

Go to System -> HA.
Under 'Monitor Interfaces', select all applicable interfaces.
Select 'OK'.

To Validate from CLI:

FGT1 # config system ha
FGT1 (ha) # set monitor 'port6' 'port7'
FGT1 (ha) # show    ### To review changes to monitored interfaces before applying
config system ha
    set group-name 'FGT-HA'
    set mode a-p
    set password ENC enrwD467hJmO6j6YW/l6FEOa1YNVYdo8Z5mCcTDEKUFpOVXcNYnPBmQDGX//ViXk6TkwNH0il5aJr/fZY25lq+husndQHZVWp2LIlXmCv/n81U43nkZUWaIKvqkellGFbhv0/IHoOLzQPCsVcBbyrsgoprYMvh6w7F06+nRriBtMNQxpiTE+12xAHz7lA3EoYZzf8A==
    set override disable
    set monitor 'port6' 'port7'
end
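
One way to automate this check offline is to parse saved `show system ha` output and compare the monitored interfaces with a site-defined list of critical interfaces. This is an added example, not part of the benchmark or of any vendor tooling. The function names, the sample configuration and the critical-interface list are assumptions, and the input is expected to contain the configuration text without CLI prompts.

```python
import shlex

# Constructed `show system ha` output for illustration (not from a real device).
SAMPLE_HA_CONFIG = """\
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set override disable
    set monitor "port6" "port7"
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
        next
    end
end
"""

def parse_ha_settings(config_text):
    """Return {option: [values]} for top-level `set` lines in `config system ha`."""
    settings, depth = {}, 0
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)   # handles 'port6' and "port6" quoting
        except ValueError:
            continue                    # unbalanced quotes: skip the line
        if not tokens:
            continue
        if depth == 0:
            if tokens == ["config", "system", "ha"]:
                depth = 1
        elif tokens[0] == "config":
            depth += 1                  # nested table, e.g. ha-mgmt-interfaces
        elif tokens[0] == "end":
            depth -= 1
            if depth == 0:
                break
        elif tokens[0] == "set" and depth == 1 and len(tokens) >= 2:
            settings[tokens[1]] = tokens[2:]
    return settings

def check_monitor_interfaces(config_text, critical_interfaces):
    """Compare monitored HA interfaces with a site-defined critical list."""
    monitored = set(parse_ha_settings(config_text).get("monitor", []))
    missing = sorted(set(critical_interfaces) - monitored)
    return {"monitored": sorted(monitored), "missing": missing,
            "compliant": bool(monitored) and not missing}

if __name__ == "__main__":
    print(check_monitor_interfaces(SAMPLE_HA_CONFIG, ["port6", "port7"]))
```

A missing `set monitor` line is reported as non-compliant, and `set` lines inside nested tables are ignored so they cannot be mistaken for the cluster-level monitor list.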

Default Value:

N/A

See Also

https://workbench.cisecurity.org/files/4077