Technical Tip: Sending email alert when SD-WAN health check fails

This article gives an example of a basic health check alert when an SD-WAN health check is down. If the interface is not an SD-WAN member, see this article: Technical Tip: Email alert when WAN interface went down for a similar configuration.

To configure an SD-WAN health check, see SD-WAN performance SLA.

The automation stitch is triggered based on the following log:

date=2026-03-11 time=00:08:47 eventtime=1773212927700412660 tz="-0700" logid="0113022931" type="event" subtype="sdwan" level="warning" vd="root" logdesc="SDWAN SLA information warning" eventtype="Health Check" healthcheck="INET_PING" interface="wan1" probeproto="ping" oldvalue="alive" newvalue="dead" msg="SD-WAN health-check member changed state."

config system automation-trigger

    edit "HealthCheck1_DOWN_trigger"

        set event-type event-log
        set logid 22931

            config fields

                edit 1

                    set name "interface"
                    set value "wan1"

                next

                edit 2

                    set name "newvalue"

                    set value "dead" <--- If configuring an alert for health check recovery, use 'alive'.

                next

                edit 3

                    set name "healthcheck"

                    set value "INET_PING"

                next

            end

    next

end

In this example, a default alert email including the log is sent when the trigger activates, but a configured action could be almost any firewall operation, including a CLI script.

config system automation-action

    edit "HealthCheck1_DOWN_email"

        set action-type email
        set email-to <email_1> ... <email_n>
        set email-subject "BR-FGT wan1 probe is DOWN"

        set minimum-interval <seconds> <--- It is recommended to configure a minimum-interval to avoid alert spam in the event a health check flaps frequently.

    next

end

config system automation-stitch

    edit "HealthCheck1_DOWN_stitch"

        set trigger "HealthCheck1_DOWN_trigger"

            config actions

                edit 1

                    set action "HealthCheck1_DOWN_email"

                    set required enable

                next

            end

    next

end

Notes:

• The automation stitch above is triggered by the firewall's health check probes failing to receive a response. It does not track whether or not a link is in SLA or out of SLA.
• A similar automation trigger for health check recovery can be configured by filtering 'newvalue' for 'alive' rather than 'dead'.
• If the automation stitch is intended to trigger an alert email, an email server must also be configured. To verify if the email server can send email, test triggering the stitch by forcing a health check failure or following alertmail troubleshooting steps, see this article: Technical Tip: How to configure alert email settings.

config system email-server

    set server "fortinet-notifications.com" <--- Default remote email server.
    set port 465
    set security smtps

end

• If the firewall has no network access to the remote email server, no email will be sent. If the Performance SLA does not have 'Update static route' and the alert email would be sent over an SD-WAN link, it is recommended to configure an SD-WAN rule for the remote email server and use the interface-specify-method 'sdwan'.

config firewall address

    edit "fortinet-notifications.com"

        set type fqdn
        set allow-routing enable
        set fqdn "fortinet-notifications.com"

    next

end

config system sdwan

    config service

        edit <index>

            set name "System_Email"
            set mode priority
            set dst "fortinet-notifications.com"
            set health-check "INET_PING"
            set priority-members <member_index_1> ... <member_index_n>

        next

    end

end