Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ahernandez_FTNT
Staff
Staff

Created on ‎03-25-2016 03:10 PM

Article Id 192633

Technical Note: Creating WAN Link-Monitor with Multiple Probe Servers

Description
Creating a WAN Link-Monitor is useful when the FortiGate has multiple redundant WAN links and the main link fails, then the FortiGate forces a failover to the next redundant WAN link to avoid impact to services. However, this configuration may cause false positives when the probe server becomes temporarily/permanently unreachable and there is nothing wrong with the Internet access itself.

Solution
Creating a WAN Link-Monitor using multiple probe servers will guarantee the Link-Monitor will take actions when a real failure with the Internet access happens, avoiding false positives caused by an specific server.

When creating the Link-Monitor, the probe servers' IP addresses must be specified separated by a comma ","

ahernandez_FD38527_tn_FD38527.jpg

The command: "diagnose system link-monitor status", can be used in order to monitor the status of each probe server. The output of this command will show the current state of each probe (alive or die) and it will provide the current status of the Link-Monitor in general:
Link Monitor: WAN-Link Status: alive Create time: Fri Mar 25 14:29:48 2016
Source interface: wan1 (26)
Gateway: 192.168.180.254
Interval: 5, Timeout 1
Fail times: 0/5
Send times: 0
  Peer: 192.168.180.254(192.168.180.254)
        Source IP(192.168.180.54)
        Route: 192.168.180.54->192.168.180.254/32, gwy(192.168.180.254)
    protocol: ping, state: alive
              Latency(recent/average): 0.13/0.21 ms Jitter: 0.17
              Recovery times(0/5)
              Continuous sending times after the first recovery time 0
              Packet sent: 145  Packet received: 145
  Peer: 10.10.10.10(10.10.10.10)
        Source IP(192.168.180.54)
        Route: 192.168.180.54->10.10.10.10/32, gwy(192.168.180.254)
    protocol: ping, state: die
              Latency(recent/average): 0.00/0.00 ms Jitter: 0.00
              Recovery times(0/5)
              Continuous sending times after the first recovery time 0
              Packet sent: 175  Packet received: 0
  Peer: 8.8.8.8(8.8.8.8)
        Source IP(192.168.180.54)
        Route: 192.168.180.54->8.8.8.8/32, gwy(192.168.180.254)
    protocol: ping, state: alive
              Latency(recent/average): 3.04/2.94 ms Jitter: 0.27
              Recovery times(0/5)
              Continuous sending times after the first recovery time 0
              Packet sent: 146  Packet received: 145

If at least one of the probe servers is in "alive" state, the Link-Monitor will consider the Internet access is still valid ("alive" in general).

14000
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.