[Question] ISDB-based static route is not showing 'disable' flag when link-monitor detects failure

Question

Environment: FortiGate VM v7.6 Lab environment, no actual WAN connectivity

Background: I have configured static routes using Internet Service (ISDB). FortiGate internally treats these as policy-based routes. I also have a link-monitor configured with update-static-route enable, update-policy-route enable, and update-cascade-interface enable.

Expected behavior: When the link-monitor detects a failure, I expected the ISDB-based static route to appear as flags=0x8 disable in the output of diagnose firewall proute list, which is the same behavior described in the official documentation for standard policy-based routes.

Actual behavior: When I simulate a link-monitor failure, manually configured policy routes (config router policy) correctly show flags=0x8 disable as expected. However, the ISDB-based static route continues to show flags=0x0 with no change.

Output of diagnose firewall proute list after link-monitor failure:

id=2113929218(0x7e000002) static_route=2 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(1->65535) iif=0(any) path(1): oif=6(port2) gwy=192.168.254.254 source wildcard(1): 0.0.0.0/0.0.0.0 destination wildcard(1): 0.0.0.0/0.0.0.0 internet service(1): Microsoft-ICMP(327682,0,0,0) hit_count=0 rule_last_used=2026-05-25 16:43:34

I noticed this entry shows static_route=2, which suggests it is derived from a static route entry rather than a directly configured policy route.

Question: Does update-policy-route enable apply to ISDB-based static routes, or is it only supported for manually configured policy routes under config router policy? If it is not supported, is there any workaround to achieve failover behavior for ISDB-based static routes when a link-monitor failure is detected?

I have not been able to verify actual traffic behavior yet due to lab constraints, so I am currently focused on confirming whether the disable flag should appear in the proute list. Any insight would be appreciated.

msanjaypadma · Answer

Hi @sonodadesu,Could you please confirm which branch version of v7.6.x you are testing this on?I have verified in the lab environment, and it is functioning as expected with v7.6.6 FortiOS. Specifically, when the link-monitor server is unreachable, the ISDB route correctly transitions to an inactive (disabled) state.Please refer to the details below for your reference.FortiGate # dia sys link-monitor statusLink Monitor: wan1, Status: alive, Server num(1), cfg_version=0 HA state: local(alive), shared(alive)Flags=0x1 init, Create time: Thu May 28 04:30:29 2026Source interface: port1 (3)VRF: 0Gateway: 10.1.1.1Interval: 500 msService-detect: disableDiffservcode: 000000Class-ID: 0Transport-Group: 0Class-ID: 0 Peer: 8.8.8.8(8.8.8.8) Source IP(10.1.1.2) Route: 10.1.1.2->8.8.8.8/32, gwy(10.1.1.1) protocol: ping, state: alive <------------------------- Latency(Min/Max/Avg): 2.593/3.186/2.673 ms Jitter(Min/Max/Avg): 0.000/0.512/0.060 ms Packet lost: 0.000% MOS: 4.403 Number of out-of-sequence packets: 0 Fail Times(0/5) Packet sent: 16, received: 16, Sequence(sent/rcvd/exp): 17/17/18FortiGate # dia firewall proute list list route policy info(vf=root):id=2113929219(0x7e000003) static_route=3 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(1->65535) iif=0(any) path(1): oif=3(port1)source wildcard(1): 0.0.0.0/0.0.0.0 destination wildcard(1): 0.0.0.0/0.0.0.0 internet service(1): FQDN-AnyDesk-AnyDesk(4278190108,0,0,0) hit_count=0 rule_last_used=2026-05-28 04:31:20After the link-monitor server becomes unreachable, the ISDB route (proute) correctly transitions to a disabled state.FortiGate # dia sys link-monitor status Link Monitor: wan1, Status: dead, Server num(1), cfg_version=0 HA state: local(dead), shared(dead)Flags=0x9 init log_downgateway, Create time: Thu May 28 04:32:29 2026Source interface: port1 (3)VRF: 0Gateway: 10.1.1.1Interval: 500 msService-detect: disableDiffservcode: 000000Class-ID: 0Transport-Group: 0Class-ID: 0 Peer: 192.168.111.1(192.168.111.1) Source IP(10.1.1.2) Route: 10.1.1.2->192.168.111.1/32, gwy(10.1.1.1) protocol: ping, state: dead <----------------------------------- Packet lost: 100.000% MOS: 4.350 Number of out-of-sequence packets: 0 Recovery times(0/5) Fail Times(1/5) Packet sent: 7, received: 0, Sequence(sent/rcvd/exp): 8/0/0FortiGate # get router info routing-table details 0.0.0.0Routing table for VRF=0Routing entry for 0.0.0.0/0 Known via "static", distance 10, metric 0 vrf 0 10.1.1.1, via port1 inactive <----------------------------FortiGate # dia firewall proute list list route policy info(vf=root):id=2113929219(0x7e000003) static_route=3 dscp_tag=0xfc 0xfc flags=0x8 disable <------------tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(1->65535) iif=0(any) path(1): oif=3(port1)source wildcard(1): 0.0.0.0/0.0.0.0 destination wildcard(1): 0.0.0.0/0.0.0.0 internet service(1): FQDN-AnyDesk-AnyDesk(4278190108,0,0,0) hit_count=0 rule_last_used=2026-05-28 04:31:20If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.Thanks,Mayur Padma

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded