Technical Tip: Email alert when WAN interface went down

This article gives steps for interfaces that are not SD-WAN member. If the interface is an SD-WAN member, see 

Components:

1. Link monitor: Configure a link monitor to probe interface health.
2. Automation Trigger: Specify log event ID, and field filter.
3. Automation Action: Specify the Action taken by the FortiGate in the event of a specific event trigger.
4. Automation stitch: Bind automation trigger and stitch.

CLI configuration:

config system link-monitor

    edit "LM_wan1"

        set srcintf "wan1"

        set server "8.8.8.8" "4.2.2.2"

        set gateway-ip 198.51.100.1

        set update-static-route {enable | disable}

    next

end

Important: If the alert email would be sent over the primary WAN interface, consider how the firewall will route the traffic for the alert email when the Link Monitor fails. To force the FortiGate to use a different interface for sending the email, 'set update-static-route enable' should be set in Link Monitor configuration to disable the primary WAN route when the link monitor fails, or the email server should be configured 'set interface-specify-method specify' to always send email using the backup interface.

config system email-server

    set interface-select-method specify

    set interface "wan2"

end

Link Monitor Down:

config system automation-trigger

    edit "LM2-down_trigger"

        set event-type event-log

        set logid 22932

            config fields

                edit 1

                    set name "name"

                    set value "LM_wan1" <--- name of link monitor.

                next

                edit 2

                    set name "msg"

                    set value "Link Monitor changed state from alive to dead, protocol: ping."

                next

            end

    next

end

config system automation-action

    edit "LM2-down_email"

        set action-type email
        set email-to <email_1> ... <email_n>
        set email-subject "BR-FGT wan1 probe is DOWN"
        set minimum-interval 120 <--- To avoid email spam during link monitor flaps, it is recommended to configure a minimum-interval in seconds. Once the action has been executed, it will not execute again until the minimum-interval has passed.

    next

end

config system automation-stitch

    edit "LM2-down_stitch"

        set trigger "LM2-down_trigger"

            config actions

                edit 1

                    set action "LM2-down_email"

                    set required enable

                next

            end

    next

end

If a protocol other than 'ping' is configured on the Link Monitor, replace 'protocol: ping' in the 'msg' filter with the configured probe protocol, for example:

date=2026-03-12 time=22:27:10 eventtime=1773379630148724640 tz="-0700" logid="0100022932" type="event" subtype="system" level="warning" vd="root" logdesc="Link monitor status warning" name="LM_wan1" interface="wan1" probeproto="http" msg="Link Monitor changed state from alive to dead, protocol: http."

Link monitor up:

Similar configuration to 'Link Monitor Down' above, but with a different automation trigger. Note the different event ID, 22922, rather than 22932.

config system automation-trigger

    edit "LM2-up_trigger"

        set event-type event-log

        set logid 22922

            config fields

                edit 1

                    set name "name"

                    set value "LM_wan1" <--- name of link monitor.

                next

                edit 2

                    set name "msg"

                    set value "Link Monitor changed state from dead to alive, protocol: ping."

                next

            end

    next

end

Note:

See Email alerts for email server configuration steps.

GUI configuration:

Navigate to Security Fabric -> Automation -> Action and select 'Create New'.

Select 'Email':

Enter the Email address where to receive an email alert:

Select Trigger and select 'Create New':

Name the trigger and add the Link monitor status under the event:

Note that in the Field filters, the interface that will be monitored.

Link monitor changed to down:

Select 'Link monitor status warning' for event ID.

In the Field filter(s), enter the link monitor's name for 'name', and 'Link Monitor changed state from alive to dead, protocol: ping.' for 'msg'.

Note these values are case-sensitive, and the full field value must be used, including the trailing stop. For example, entering 'Link Monitor changed state from alive to dead' for the msg filter will not work, since it does not include ', protocol: ping.'.

Link monitor changed to up:

Select 'Link monitor status' for event ID.

In Field filter(s), enter the link monitor's name for 'name', and 'Link Monitor changed state from dead to alive, protocol: ping.' for 'msg'.

Select Stitch and then select 'Create new'.

Add the trigger that was created in the above steps.

Add the action (Email), which was created in the above steps.

The configuration is now complete:

Note:

'Test Automation Stitch' is greyed out for stitches triggered by an event log. Refer to this article: Technical Tip: 'Test Automation Stitch' button is greyed out when trying to test a newly created automation stitch.

When the link-monitor status changes from alive to dead, an event ID 22932 is generated by the system, which will trigger an email configured in the automation action.

diagnose sys link-monitor status

Link Monitor: LM_wan1, Status: dead, Server num(1), cfg_version=0 HA state: local(dead), shared(dead)
Flags=0x1 init, Create time: Thu Mar 12 22:34:47 2026
Source interface: wan1 (30)
VRF: 0
Gateway: 198.51.100.1
Interval: 1000 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
Transport-Group: 0
Class-ID: 0
Peer: 8.8.8.8(8.8.8.8)
Source IP(198.51.100.3)
Route: 198.51.100.3->8.8.8.8/32, gwy(198.51.100.1)
protocol: ping, state: dead
Packet lost: 31.818%
MOS: 4.388
Number of out-of-sequence packets: 0
Recovery times(0/5) Fail Times(1/5)
Packet sent: 45, received: 30, Sequence(sent/rcvd/exp): 46/39/40

Notes:

• Starting with v7.4.4, the default email server has been switched from notification.fortinet.net to fortinet-notifications.com. This default server is only available to registered devices with an active FortiCare support contract. The reply-to field in the source email is automatically updated to DoNotReply@fortinet-notifications.com for all servers, including custom ones.
• The alert mail is sent when the event is generated. Depending on the logging configuration, the event can also be viewed by navigating to Log & Reports -> System Events.
• This article is most relevant for network environments with multiple ISP connections. If the firewall is configured with a single WAN, email delivery will fail during such events because the firewall loses Internet connectivity and cannot reach the SMTP server.

To filter events based on log parameters, follow the steps in this article:
Technical Tip: Filtering automation stitch triggers for FortiGate events based on log parameters

Related documents:

• Technical Tip: How to enable the email alerts when the Interface is down and up
• Troubleshooting Tip: Alert mail queries
• Technical Tip: How to configure alert email settings
• Technical Tip: Link-Monitor Explained
• 22932 - LOG_ID_EVENT_LINK_MONITOR_STATUS_WARNING