FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fquerzo_FTNT
Staff
Article Id 190139

Description

From FortiOS 7.0 onwards, a link monitor can remove selected routes from the routing table when it fails. Only the routes listed with set route in the link monitor configuration are removed, instead of every route that uses the same interface and gateway as the link monitor.

If no route is specified, all routes with that interface and gateway are removed.
Selective route removal is supported for IPv4 routes only. It applies to static routes and policy routes; a directly connected route is never removed.

Scope

FortiGate, FortiOS 7.0 and later.

Solution


Link monitor setup:

 

config system link-monitor
    edit "link-test"
        set srcintf "port26"
        set server "150.2.1.1"
        set gateway-ip 10.220.4.72
        set route "150.2.0.0/16"  <----- Route affected when link monitor fails.
    next
end

 

When the link monitor is alive:

FGT # diag sys link-monitor status
Link Monitor: link-test, Status: alive, Server num(1), Flags=0x1 init, Create time: Thu Jun 24 20:46:10 2021
Source interface: port26 (38)
Gateway: 10.220.4.72
Monitor subnet(1): 150.2.0.0/16
Interval: 500 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
  Peer: 150.2.1.1(150.2.1.1)
        Source IP(10.220.1.15)
        Route: 10.220.1.15->150.2.1.1/32, gwy(10.220.4.72)
        protocol: ping, state: alive
                Latency(Min/Max/Avg): 0.277/0.407/0.323 ms
                Jitter(Min/Max/Avg): 0.000/0.102/0.035
                Packet lost: 0.000%
                Number of out-of-sequence packets: 0
                Fail Times(0/5)
                Packet sent: 15, received: 15, Sequence(sent/rcvd/exp): 16/16/17

FGT # get router info routing-table all

Routing table for VRF=0
S       10.16.0.0/16 [10/0] via 10.220.4.72, port26
C       10.109.16.0/20 is directly connected, mgmt1
C       10.109.48.0/20 is directly connected, port1
C       10.220.0.0/20 is directly connected, port26
S       150.2.0.0/16 [10/0] via 10.220.4.72, port26      <----- Route active.
S       194.138.39.16/29 [10/0] via 10.220.4.72, port26

 

When the link monitor fails:

FGT2 # diag sys link-monitor status
Link Monitor: link-test, Status: die, Server num(1), Flags=0x9 init log_downgateway, Create time: Thu Jun 24 20:46:10 2021
Source interface: port26 (38)
Gateway: 10.220.4.72
Monitor subnet(1): 150.2.0.0/16
Interval: 500 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
  Peer: 150.2.1.1(150.2.1.1)
        Source IP(10.220.1.15)
        Route: 10.220.1.15->150.2.1.1/32, gwy(10.220.4.72)
        protocol: ping, state: die
                Packet lost: 26.437%
                Number of out-of-sequence packets: 0
                Recovery times(0/5) Fail Times(2/5)
                Packet sent: 88, received: 75, Sequence(sent/rcvd/exp): 89/76/77

FGT2 # get router info routing-table all

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.109.63.254, port1
S       10.16.0.0/16 [10/0] via 10.220.4.72, port26
C       10.109.16.0/20 is directly connected, mgmt1
C       10.109.48.0/20 is directly connected, port1
C       10.220.0.0/20 is directly connected, port26
S       194.138.39.16/29 [10/0] via 10.220.4.72, port26   <----- 150.2.0.0/16 route removed.

 

Only the prefix named with set route is removed. The other static routes via 10.220.4.72 on port26 (10.16.0.0/16 and 194.138.39.16/29) stay in the table because they are not listed in the link monitor. Selective removal applies to static routes and policy routes only; a directly connected route is never removed, as the following example shows.

 

Routing table before the link monitor fails:

===============

S* 0.0.0.0/0 [10/0] via 192.168.204.1, port1, [1/0]
[10/0] via 10.0.204.1, port2, [1/0]
C 10.0.204.0/24 is directly connected, port2
C 10.10.10.0/24 is directly connected, port5
C 20.20.20.0/24 is directly connected, port6
C 192.168.204.0/24 is directly connected, port1

 

Link-monitor configuration:

==================

config system link-monitor
    edit "wan1"
        set srcintf "port1"
        set server "8.8.8.8"
        set gateway-ip 192.168.204.1
        set route "10.10.10.0/24"  <----- Directly connected on port5, so it cannot be removed.
    next
end
 

Link-monitor status:

===============

FGVM01TM23001305 # diag sys link-monitor status

Link Monitor: wan1, Status: dead, Server num(1), HA state: local(dead), shared(dead)
Flags=0x9 init log_downgateway, Create time: Wed Oct 11 17:15:56 2023
Source interface: port1 (3)
Gateway: 192.168.204.1
Monitor subnet(1): 10.10.10.0/24
Interval: 500 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
  Peer: 8.8.8.8(8.8.8.8)
        Source IP(192.168.204.5)
        Route: 192.168.204.5->8.8.8.8/32, gwy(192.168.204.1)
        protocol: ping, state: dead
                Packet lost: 100.000%
                Number of out-of-sequence packets: 0
                Recovery times(0/5) Fail Times(1/5)
                Packet sent: 2512, received: 148, Sequence(sent/rcvd/exp): 2513/341/342

 

 

Routing table while the link monitor is dead (the monitored prefix 10.10.10.0/24 is directly connected on port5):

===============================================

S* 0.0.0.0/0 [10/0] via 192.168.204.1, port1, [1/0]
[10/0] via 10.0.204.1, port2, [1/0]
C 10.0.204.0/24 is directly connected, port2
C 10.10.10.0/24 is directly connected, port5   <----- Connected route still present while the monitor is dead.
C 20.20.20.0/24 is directly connected, port6
C 192.168.204.0/24 is directly connected, port1
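The captures above show the behaviour by hand. The script below is an added example, not part of the original article and not FortiOS code: it parses captured diag sys link-monitor status and get router info routing-table all output and reports, for each prefix listed under set route, whether it was withdrawn while the monitor is down, and flags prefixes the feature can never withdraw (directly connected routes and non-IPv4 prefixes). The embedded captures are constructed, abridged from the outputs above; the assumption that several monitored prefixes would appear space- or comma-separated on the Monitor subnet line is marked in the code.

```python
"""Offline audit of FortiGate link-monitor selective route removal from captured
`diag sys link-monitor status` and `get router info routing-table all` output.
Sample captures below are constructed, abridged from the article's outputs."""
import ipaddress
import re

STATUS_ALIVE = """\
Link Monitor: link-test, Status: alive, Server num(1), Flags=0x1 init
Source interface: port26 (38)
Gateway: 10.220.4.72
Monitor subnet(1): 150.2.0.0/16
"""
ROUTES_ALIVE = """\
C       10.220.0.0/20 is directly connected, port26
S       150.2.0.0/16 [10/0] via 10.220.4.72, port26
S       194.138.39.16/29 [10/0] via 10.220.4.72, port26
"""
STATUS_DIE = STATUS_ALIVE.replace("Status: alive", "Status: die")
ROUTES_DIE = ROUTES_ALIVE.replace("S       150.2.0.0/16 [10/0] via 10.220.4.72, port26\n", "")
STATUS_DEAD_CONNECTED = """\
Link Monitor: wan1, Status: dead, Server num(1), HA state: local(dead), shared(dead)
Source interface: port1 (3)
Gateway: 192.168.204.1
Monitor subnet(1): 10.10.10.0/24
"""
ROUTES_DEAD_CONNECTED = """\
S* 0.0.0.0/0 [10/0] via 192.168.204.1, port1, [1/0]
[10/0] via 10.0.204.1, port2, [1/0]
C 10.10.10.0/24 is directly connected, port5
"""

STATUS_RE = re.compile(r"^Link Monitor: (\S+), Status: (\w+)")
ROUTE_RE = re.compile(r"^([A-Z]\*?)\s+(\d[\d./]+)\s+(.*)$")  # code, prefix, rest of line
VIA_RE = re.compile(r"via ([\d.]+), ([^,\s]+)")
CONN_RE = re.compile(r"is directly connected, ([^,\s]+)")

def parse_link_monitor(text):
    """Return name, status, srcintf, gateway and the prefixes listed under set route."""
    mon = {"subnets": []}
    for line in text.splitlines():
        key, _, val = line.strip().partition(":")
        m = STATUS_RE.match(line.strip())
        if m:
            mon["name"], mon["status"] = m.groups()
        elif key == "Source interface":
            mon["srcintf"] = val.split()[0]
        elif key == "Gateway":
            mon["gateway"] = val.strip()
        elif key.startswith("Monitor subnet"):
            mon["subnets"] = re.split(r"[\s,]+", val.strip())  # assumed separator for several prefixes
    return mon

def parse_routing_table(text):
    """One entry per next hop; a line starting with '[' is an extra ECMP path of the previous prefix."""
    routes, code, prefix = [], None, None
    for line in text.splitlines():
        line = line.strip()
        m = ROUTE_RE.match(line)
        if m:
            code, prefix, rest = m.groups()
        elif line.startswith("[") and prefix:
            rest = line
        else:
            continue
        v, c = VIA_RE.search(rest), CONN_RE.search(rest)
        if v:
            routes.append({"code": code, "prefix": prefix, "gw": v.group(1), "intf": v.group(2)})
        elif c:
            routes.append({"code": code, "prefix": prefix, "gw": None, "intf": c.group(1)})
    return routes

def audit(mon, routes):
    """Compare the monitor's set route list with the routing table; returns (level, message) pairs."""
    down, gw, intf = mon.get("status") in ("die", "dead"), mon.get("gateway"), mon.get("srcintf")
    if not mon["subnets"]:  # no set route: every route via this gateway and interface goes
        n = sum(1 for r in routes if r["gw"] == gw and r["intf"] == intf)
        return [("info", f"no set route list: all {n} route(s) via {gw} on {intf} go on failure")]
    out = []
    for subnet in mon["subnets"]:
        if ipaddress.ip_network(subnet, strict=False).version != 4:
            out.append(("warn", f"{subnet}: selective removal is IPv4-only, prefix ignored"))
            continue
        matches = [r for r in routes if r["prefix"] == subnet]
        connected = [r for r in matches if r["gw"] is None]
        via_mon = [r for r in matches if r["gw"] == gw and r["intf"] == intf]
        if connected:
            out.append(("warn", f"{subnet}: connected on {connected[0]['intf']}, never withdrawn"))
        elif down and via_mon:
            out.append(("warn", f"{subnet}: monitor {mon['status']} but route via {gw} still installed"))
        elif down:
            out.append(("ok", f"{subnet}: withdrawn while monitor is {mon['status']}"))
        elif via_mon:
            out.append(("ok", f"{subnet}: installed via {gw} on {intf}"))
        else:
            out.append(("warn", f"{subnet}: no static route via {gw} on {intf} to withdraw"))
    return out

if __name__ == "__main__":  # audit the constructed dead-monitor capture
    print(audit(parse_link_monitor(STATUS_DEAD_CONNECTED), parse_routing_table(ROUTES_DEAD_CONNECTED)))
```

Against a live unit, paste the two command outputs into the STATUS and ROUTES strings (or read them from files) and call audit on the parsed results. The parsers are keyed to the output formats shown in this article, including the second ECMP path of the default route that FortiOS prints on its own line.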

Comments
_martin_
Staff

This solution will remove only static routes or policy routes, but not the directly connected route.