yesok
Participant

I solved this issue by installing keepalived on Linux. Here's my working configuration:

Configuration

/etc/keepalived/keepalived.conf

global_defs {
    router_id XXXX
    enable_script_security
    script_user root
}

# Monitor Firewall 1 via ens6f0
vrrp_script check_fw1 {
    script "/usr/bin/fping -I ens6f0 -c 2 -t 500 x.x.x.x"
    interval 3
    weight -50
    fall 2
    rise 2
}

# Monitor Firewall 2 via ens6f1
vrrp_script check_fw2 {
    script "/usr/bin/fping -I ens6f1 -c 2 -t 500 x.x.x.y"
    interval 3
    weight -30
    fall 2
    rise 2
}

vrrp_instance GW_FAILOVER {
    state MASTER
    interface ens6f0
    virtual_router_id 51
    priority 100
    advert_int 1
    
    virtual_ipaddress {
        169.254.1.1/32 dev ens6f0
    }
    
    track_script {
        check_fw1
        check_fw2
    }
    
    notify_master "/etc/keepalived/use_fw1.sh"
    notify_backup "/etc/keepalived/use_fw2.sh"
}

/etc/keepalived/use_fw1.sh

#!/bin/bash
logger -t KEEPALIVED "Using FW1 via ens6f0"
ip route replace default via x.x.x.x dev ens6f0 metric 10

/etc/keepalived/use_fw2.sh

#!/bin/bash
logger -t KEEPALIVED "Switching to FW2 via ens6f1"
ip route replace default via x.x.x.y dev ens6f1 metric 20

chmod +x /etc/keepalived/*.sh
systemctl restart keepalived

How It Works

The solution uses weighted priorities to determine failover:

  • Priority 100 (initial): Both firewalls reachable → Use FW1
  • Priority 70: FW2 unreachable (-30) → Stay on FW1
  • Priority 50: FW1 unreachable (-50) → Switch to FW2 (BACKUP state)
  • Priority 20: Both unreachable (-80) → FAULT state

When an interface goes down, the fping check automatically fails (can't ping through a down interface), triggering the appropriate failover.

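A small Python model of the priority arithmetic and fall/rise hysteresis described in the post above, added here as an illustration and not part of yesok's post or of keepalived itself. It simplifies keepalived's script counting to runs of consecutive results, assumes each check starts in the up state, and feeds constructed fping outcomes (one per 3-second interval) to show that a single lost probe does not move the default route, while two consecutive losses do.

```python
from dataclasses import dataclass


@dataclass
class TrackedScript:
    """One vrrp_script entry: its weight plus fall/rise hysteresis counters (simplified model)."""
    weight: int      # negative weight is subtracted from the priority while the check is down
    fall: int        # consecutive failures needed before the check counts as down
    rise: int        # consecutive successes needed before it counts as up again
    up: bool = True  # assumption: the check starts in the up state
    streak: int = 0  # length of the current run of identical results
    last_ok: bool = True

    def observe(self, ok: bool) -> bool:
        """Feed one fping result (True = firewall answered) and return the new up/down state."""
        if ok == self.last_ok:
            self.streak += 1
        else:
            self.last_ok, self.streak = ok, 1
        if self.up and not ok and self.streak >= self.fall:
            self.up = False
        elif not self.up and ok and self.streak >= self.rise:
            self.up = True
        return self.up


def effective_priority(base: int, scripts) -> int:
    """Apply negative weights of failed checks (and positive weights of passing ones) to the base priority."""
    prio = base + sum(s.weight for s in scripts if s.weight < 0 and not s.up)
    prio += sum(s.weight for s in scripts if s.weight > 0 and s.up)
    return max(1, min(254, prio))  # VRRP priorities are valid in the range 1..254


def route_decision(fw1: TrackedScript, fw2: TrackedScript) -> str:
    """Which default gateway the notify scripts end up selecting for the given check states."""
    if fw1.up:
        return "FW1"     # priority 100 or 70: stay on the preferred firewall
    if fw2.up:
        return "FW2"     # priority 50: BACKUP, use_fw2.sh moves the default route
    return "FAULT"       # priority 20: both gateways unreachable


def simulate(results):
    """Run a constructed list of (fw1_ok, fw2_ok) probe results through both checks, one per interval."""
    fw1 = TrackedScript(weight=-50, fall=2, rise=2)   # check_fw1 from the config above
    fw2 = TrackedScript(weight=-30, fall=2, rise=2)   # check_fw2 from the config above
    timeline = []
    for fw1_ok, fw2_ok in results:
        fw1.observe(fw1_ok)
        fw2.observe(fw2_ok)
        timeline.append((effective_priority(100, [fw1, fw2]), route_decision(fw1, fw2)))
    return timeline
```

Feeding `simulate` a sequence in which FW1 fails twice, then FW2 fails twice, then FW1 recovers twice walks the instance through the 100, 50, 20 and 70 priorities listed in the post, and a single isolated loss leaves it at 100 on FW1.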