
FortiGate firewall configuration link detection link monitor and status query

2022-06-30 04:15:00 Call me a little match

The FortiGate firewall uses link health monitoring to send probes to a server, evaluates link quality from latency, jitter and packet loss, and displays the health status of the link.

In newer FortiGate versions, the link status check can only be configured from the command line:

config system link-monitor
    edit "1"
        set addr-mode <ipv4 | ipv6>
        set srcintf "Interface that receives the traffic to be monitored"
        set server "IP address of the server(s) to be monitored"
        set protocol <ping | tcp-echo | udp-echo | http | twamp>
        set gateway-ip <Gateway IP address used to probe the server>
        set source-ip "Source IP address used in packets to the server"
        set interval "Detection interval in milliseconds (500 - 3600 * 1000 msec, default = 500)"
        set probe-timeout "Time to wait before a probe packet is considered lost (500 - 5000 msec, default = 500)"
        set failtime "Number of retry attempts before the server is considered down (1 - 10, default = 5)"
        set recoverytime "Number of successful responses received before the server is considered recovered (1 - 10, default = 5)"
        set probe-count "Number of most recent probes used to calculate latency and jitter (5 - 30, default = 30)"
        set ha-priority "HA election priority (1 - 50)"
        set update-cascade-interface "Enable/disable updating the cascade interface, default: enable"
        set update-static-route "Enable/disable updating the static route, default: enable"
        set status "Enable/disable this link monitor, default: enable"
    next
end


Here is a simple example: the FortiGate firewall probes the server at IP 10.109.21.50 through its wan1 port.

config system link-monitor
    edit "1"
        set srcintf "wan1"
        set server "10.109.21.50"             <----- probe the server 10.109.21.50 through the wan1 port
    next
end

When the status queried with the diagnose command is Alive, the FortiGate can reach the server at IP address 10.109.21.50:

FGT # diagnose sys link-monitor status

Link Monitor: 1, Status: alive, Server num(1), Flags=0x1 init, Create time: Sun Jul  4 16:20:25 2021
Source interface: wan1 (3)
Interval: 500 ms
  Peer: 10.109.21.50(10.109.21.50)
        Source IP(10.109.16.223)
        Route: 10.109.16.223->10.109.21.50/32, gwy(10.109.16.223)
        protocol: ping, state: alive
                Latency(Min/Max/Avg): 0.211/0.585/0.362 ms
                Jitter(Min/Max/Avg): 0.006/0.298/0.098
                Packet lost: 0.000%
                Number of out-of-sequence packets: 0
                Fail Times(0/5)
                Packet sent: 1472, received: 1334, Sequence(sent/rcvd/exp): 1473/1473/1474

The corresponding interface route can also be queried :
FGT # get router info routing-table all

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.109.31.254, wan1
C       10.109.16.0/20 is directly connected, wan1


When wan1 fails or the server can no longer be pinged, the default route is removed from the routing table:
FGT # diagnose sys link-monitor status
Link Monitor: 1, Status: die, Server num(1), Flags=0x9 init, Create time: Sun Jul  4 16:20:25 2021
Source interface: wan1 (3)
Interval: 500 ms
  Peer: 10.109.21.50(10.109.21.50)
        Source IP(10.109.16.223)
        Route: 10.109.16.223->10.109.21.50/32, gwy(10.109.16.223)
        protocol: ping, state: die
                Packet lost: 5.000%
                Number of out-of-sequence packets: 0
                Recovery times(0/5) Fail Times(1/5)
                Packet sent: 2128, received: 1983, Sequence(sent/rcvd/exp): 2129/2122/2123

As the output below shows, the default route has been removed from the routing table because the target server is unreachable:

FGT # get router info routing-table all
Routing table for VRF=0
C       10.109.16.0/20 is directly connected, wan1


When the target server IP is back to normal and ping communication works again, the corresponding default route is reloaded into the routing table.

To keep a particular static route from being deleted on failure, use the following command:
config router static
    edit 1
        set link-monitor-exempt enable <----- Default is disabled.
    next
end

Relevant log contents can also be viewed in the log report :
Log & Report -> Events -> System Events

date=2021-07-04 time=16:22:06 eventtime=1625408526938249768 tz="+0200" logid="0100022922" type="event" subtype="system" level="notice" vd="root" logdesc="Link monitor status" name="1" interface="wan1" probeproto="ping" msg="Link Monitor changed state from die to alive, protocol: ping."

date=2021-07-04 time=16:21:41 eventtime=1625408501933624821 tz="+0200" logid="0100022922" type="event" subtype="system" level="warning" vd="root" logdesc="Link monitor status" name="1" interface="wan1" probeproto="ping" msg="Link Monitor changed state from alive to die, protocol: ping."

date=2021-07-04 time=16:20:25 eventtime=1625408425881086208 tz="+0200" logid="0100022922" type="event" subtype="system" level="notice" vd="root" logdesc="Link monitor status" name="1" interface="wan1" probeproto="ping" msg="Link Monitor initial state is alive, protocol: ping"
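As an added example (not part of the original post), the three event-log lines above (logid 0100022922) are parsed to rebuild the link monitor's state timeline and to measure how long the link was down from the nanosecond eventtime stamps. The field names come from the log lines themselves; the helper functions are my own.

```python
import re
from dataclasses import dataclass

# Sample input: the three FortiOS event-log lines shown in this post, newest first.
SAMPLE_LOGS = """\
date=2021-07-04 time=16:22:06 eventtime=1625408526938249768 tz="+0200" logid="0100022922" type="event" subtype="system" level="notice" vd="root" logdesc="Link monitor status" name="1" interface="wan1" probeproto="ping" msg="Link Monitor changed state from die to alive, protocol: ping."
date=2021-07-04 time=16:21:41 eventtime=1625408501933624821 tz="+0200" logid="0100022922" type="event" subtype="system" level="warning" vd="root" logdesc="Link monitor status" name="1" interface="wan1" probeproto="ping" msg="Link Monitor changed state from alive to die, protocol: ping."
date=2021-07-04 time=16:20:25 eventtime=1625408425881086208 tz="+0200" logid="0100022922" type="event" subtype="system" level="notice" vd="root" logdesc="Link monitor status" name="1" interface="wan1" probeproto="ping" msg="Link Monitor initial state is alive, protocol: ping"
"""

# FortiOS logs are key=value pairs; values are double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
STATE_RE = re.compile(r'changed state from (\w+) to (\w+)|initial state is (\w+)')

def parse_line(line: str) -> dict:
    """Split one FortiOS log line into a field -> value dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

@dataclass
class Transition:
    eventtime_ns: int        # nanosecond epoch from the eventtime field
    monitor: str             # link-monitor name (the "1" in edit "1")
    interface: str
    old: "str | None"        # None for the "initial state" message
    new: str

def link_monitor_transitions(raw: str) -> list:
    """Extract link-monitor state changes (logid 0100022922) in chronological order."""
    out = []
    for line in raw.splitlines():
        f = parse_line(line)
        m = STATE_RE.search(f.get("msg", ""))
        if f.get("logid") != "0100022922" or not m:
            continue
        old, new = (m.group(1), m.group(2)) if m.group(1) else (None, m.group(3))
        out.append(Transition(int(f["eventtime"]), f["name"], f["interface"], old, new))
    return sorted(out, key=lambda t: t.eventtime_ns)

def outage_seconds(transitions: list) -> list:
    """Length of every completed die -> alive outage, in seconds."""
    outages, down_since = [], None
    for t in transitions:
        if t.new == "die":
            down_since = t.eventtime_ns
        elif t.new == "alive" and down_since is not None:
            outages.append((t.eventtime_ns - down_since) / 1e9)
            down_since = None
    return outages
```

The same parser works on a syslog export, so the "alive to die" warning can be alerted on and repeated flaps counted per interface.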

Copyright notice
This article was written by [Call me a little match]. Please include a link to the original when reposting. Thanks.
https://yzsam.com/2022/02/202202160626244903.html