Technical Tip: SD-WAN health check default AWS failed command after firmware upgrade
| Description | This article describes the meaning of the SD-WAN health check default AWS failed command error shown in the config error log after upgrading to firmware v7.0.17 or v7.2.11. |
| Scope | FortiGate v7.0.17, v7.2.11. |
| Solution | The aws.amazon.com probe server has been removed from the SD-WAN default health check list due to bug ID 935297 (Probe server aws.amazon.com is listed in SD-WAN default health-check list). It can be found in 'Resolved issues' in:
It is expected to see the SD-WAN health check default AWS failed command when checking the config-error-log after upgrading to firmware v7.2.11, as shown in the output below:
FGT_A (global) # diagnose debug config-error-log read
>>> ""next" @ root.system.sdwan.health-check.Default_AWS":failed command (error 1)
If VDOMs are configured on the FortiGate, the config-error-log error message is shown as in the output below:
FGT_A (global) # diagnose debug config-error-log read
Note: On October 12, 2025, Amazon Web Services (AWS) blocked HTTP probes from FortiGate devices (based on the user-agent header) to protect its infrastructure.
After this, HTTP probes to aws.amazon.com from FortiGate devices will be blocked, and any SD-WAN Performance SLA using this health check will fail.
Related article: |
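A post-upgrade check for the two points above, as an added example that is not Fortinet code: it separates the expected Default_AWS entry from other config-error-log entries, and lists SD-WAN health checks in a saved `config system sdwan` section that still probe aws.amazon.com over HTTP. The function names, the second log entry, the `Custom_AWS_HTTP` health check and the sample config are constructed for illustration.

```python
import re
import shlex

# Entry format as shown in the article's config-error-log output; stray quotes tolerated.
ERROR_LINE = re.compile(r'>>>\s*"+(?P<cmd>[^"]+)"\s*@\s*(?P<path>[^":\s]+)"?:(?P<msg>.*)')
EXPECTED = re.compile(r"\.system\.sdwan\.health-check\.Default_AWS$")

def triage_error_log(text):
    """Split logged object paths into (expected after upgrade, needs review)."""
    expected, review = [], []
    for m in ERROR_LINE.finditer(text):
        (expected if EXPECTED.search(m["path"]) else review).append(m["path"])
    return expected, review

def find_http_probes(config_text, host="aws.amazon.com"):
    """Names of SD-WAN health checks that probe `host` over HTTP."""
    hits, stack, entry = [], [], {}
    for raw in config_text.splitlines():
        tok = shlex.split(raw) or [""]
        if tok[0] == "config":            # entering a (possibly nested) config block
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:   # leaving the innermost block
            stack.pop()
        elif stack[-2:] == ["system sdwan", "health-check"]:
            if tok[0] == "edit" and len(tok) > 1:
                entry = {"name": tok[1]}
            elif tok[0] == "set" and len(tok) > 2:
                entry[tok[1]] = tok[2:]
            elif tok[0] == "next":        # entry complete: evaluate it
                if host in entry.get("server", []) and entry.get("protocol") == ["http"]:
                    hits.append(entry["name"])
    return hits

# Constructed samples: the first log entry is the article's, the second is invented.
SAMPLE_LOG = '''>>> ""next" @ root.system.sdwan.health-check.Default_AWS":failed command (error 1)
>>> "set example-option enable" @ root.system.example.entry1:failed command (error 1)'''
SAMPLE_CONFIG = '''config system sdwan
    config health-check
        edit "Custom_AWS_HTTP"
            set server "aws.amazon.com"
            set protocol http
            config sla
                edit 1
                next
            end
        next
    end
end'''
print(triage_error_log(SAMPLE_LOG), find_http_probes(SAMPLE_CONFIG))
```

Entries returned in the second list of `triage_error_log` are not covered by this article and need their own investigation.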
