- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Note: Gateway Detect (ping server) Worki...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
Scope
Solution
This article describes how gateway detect works in FortiOS.
Scope
FortiOS v4.3, v5.0
Solution
FGT--port1-----ISP--------Ping-Server 8.8.8.8
Configuration:
FG300B-2 # show router gwdetect
config router gwdetect
edit 1
set interface "port1"
set server "8.8.8.8" <<<< Ping Server.
next
end
config router static
edit 1
set device "port1"
set gateway 172.31.19.254
next
end
FG300B-2 # show sys interface port1
config system interface
edit "port1"
set vdom "root"
set ip 172.31.16.152 255.255.252.0
set allowaccess ping https ssh http telnet fgfm
set type physical
set snmp-index 1
next
end
When the ping server is reachable, the FortiGate keeps trying to send the icmp packets and expects icmp replies. The default setting is 5 times ping packets, every 5 seconds. If there is no response after the 25th second then the gateway detect kicks in.
- Ping packets to ping server can be verified by running the sniffer
FG300B-2 # diagnose sniffer packet any 'host 8.8.8.8'
interfaces=[any]
filters=[host 8.8.8.8]
3.062208 172.31.16.152 -> 8.8.8.8: icmp: echo request <<<<<
3.115206 8.8.8.8 -> 172.31.16.152: icmp: echo reply >>>>>>
- There is route pushed in the kernel for the ping server.
FG300B-2 # diagnose ip route list | grep 8.8.8.8
tab=254 vf=0 scope=0 type=1 proto=14 prio=0 172.31.16.152/255.255.255.255/0->8.8.8.8/32 pref=0.0.0.0 gwy=172.31.19.254 dev=10(port1)
This route is always active regardless of interface down or ping server not available. The FortiGate keeps sending the ping to ping server if interface is UP or ping server is dead.
- When the ping server is dead or not reachable or interface with ping server is down, route will be disabled in the kernel database.
FG300B-2 # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
S 0.0.0.0/0 [10/0] via 172.31.19.254, port1 inactive <<<<<<<<<< Ping server is not reachable due to interface down or gateway failure.
C *> 10.120.0.0/22 is directly connected, port2
- Route in kernel for the ping server
FG300B-2 # diagnose ip route list | grep 8.8.8.8
tab=254 vf=0 scope=0 type=1 proto=14 prio=0 172.31.16.152/255.255.255.255/0->8.8.8.8/32 pref=0.0.0.0 gwy=172.31.19.254 dev=10(port1) <<< port1
- Now bring the interface up, ping server is replying
FG300B-2 # diagnose sniffer packet any 'host 8.8.8.8'
interfaces=[any]
filters=[host 8.8.8.8]
3.062208 172.31.16.152 -> 8.8.8.8: icmp: echo request
3.115206 8.8.8.8 -> 172.31.16.152: icmp: echo reply
2 packets received by filter
0 packets dropped by kernel
FG300B-2 # get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 172.31.19.254, port1 <<<<<< Route active
C 10.120.0.0/22 is directly connected, port2
C 172.31.16.0/22 is directly connected, port1
- Event logs
7 13:25:43 Ping peer: (172.31.16.152->8.8.8.8 ping-up) {----- Ping to ping server works.
8 13:25:43 Link monitor: Interface port1 was turned up {----- interface up
9 13:23:09 Performance statistics
10 13:22:48 Ping peer: (172.31.16.152->8.8.8.8 ping-down) {----- ping server not reachable
11 13:22:23 Link monitor: Interface port1 was turned down {----- interface down
Configuration:
FG300B-2 # show router gwdetect
config router gwdetect
edit 1
set interface "port1"
set server "8.8.8.8" <<<< Ping Server.
next
end
config router static
edit 1
set device "port1"
set gateway 172.31.19.254
next
end
FG300B-2 # show sys interface port1
config system interface
edit "port1"
set vdom "root"
set ip 172.31.16.152 255.255.252.0
set allowaccess ping https ssh http telnet fgfm
set type physical
set snmp-index 1
next
end
When the ping server is reachable, the FortiGate keeps trying to send the icmp packets and expects icmp replies. The default setting is 5 times ping packets, every 5 seconds. If there is no response after the 25th second then the gateway detect kicks in.
- Ping packets to ping server can be verified by running the sniffer
FG300B-2 # diagnose sniffer packet any 'host 8.8.8.8'
interfaces=[any]
filters=[host 8.8.8.8]
3.062208 172.31.16.152 -> 8.8.8.8: icmp: echo request <<<<<
3.115206 8.8.8.8 -> 172.31.16.152: icmp: echo reply >>>>>>
- There is route pushed in the kernel for the ping server.
FG300B-2 # diagnose ip route list | grep 8.8.8.8
tab=254 vf=0 scope=0 type=1 proto=14 prio=0 172.31.16.152/255.255.255.255/0->8.8.8.8/32 pref=0.0.0.0 gwy=172.31.19.254 dev=10(port1)
This route is always active regardless of interface down or ping server not available. The FortiGate keeps sending the ping to ping server if interface is UP or ping server is dead.
- When the ping server is dead or not reachable or interface with ping server is down, route will be disabled in the kernel database.
FG300B-2 # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
S 0.0.0.0/0 [10/0] via 172.31.19.254, port1 inactive <<<<<<<<<< Ping server is not reachable due to interface down or gateway failure.
C *> 10.120.0.0/22 is directly connected, port2
- Route in kernel for the ping server
FG300B-2 # diagnose ip route list | grep 8.8.8.8
tab=254 vf=0 scope=0 type=1 proto=14 prio=0 172.31.16.152/255.255.255.255/0->8.8.8.8/32 pref=0.0.0.0 gwy=172.31.19.254 dev=10(port1) <<< port1
- Now bring the interface up, ping server is replying
FG300B-2 # diagnose sniffer packet any 'host 8.8.8.8'
interfaces=[any]
filters=[host 8.8.8.8]
3.062208 172.31.16.152 -> 8.8.8.8: icmp: echo request
3.115206 8.8.8.8 -> 172.31.16.152: icmp: echo reply
2 packets received by filter
0 packets dropped by kernel
FG300B-2 # get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 172.31.19.254, port1 <<<<<< Route active
C 10.120.0.0/22 is directly connected, port2
C 172.31.16.0/22 is directly connected, port1
- Event logs
7 13:25:43 Ping peer: (172.31.16.152->8.8.8.8 ping-up) {----- Ping to ping server works.
8 13:25:43 Link monitor: Interface port1 was turned up {----- interface up
9 13:23:09 Performance statistics
10 13:22:48 Ping peer: (172.31.16.152->8.8.8.8 ping-down) {----- ping server not reachable
11 13:22:23 Link monitor: Interface port1 was turned down {----- interface down
Labels:
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.