magliano (Staff)
Article Id 426449
Description: This article describes how to configure a link-monitor in a multi-VRF environment.
Scope: FortiGate.
Solution
To configure a link-monitor using static routes in a multi-VRF environment with route leaking, the FortiGate must be configured to allow inter-VRF connectivity.
 
This is achieved using inter-VDOM links within a single VDOM. Inter-VDOM links are enabled using one of the following methods:

  • Configure 'single-vdom-npuvlink' (requires FortiOS v7.6.1 or later as well as an NP6, NP6Lite, NP6XLite or NP7 platform):

config system global
    set single-vdom-npuvlink enable
end

Note: NP7Lite platforms such as FortiGate 70G do not currently support single-vdom-npuvlink. It is possible to enable it in the configuration, but the interface is not exposed. This is planned for resolution in a future v7.6 release.

  • Configure a software inter-VDOM link:

Note: Software inter-VDOM links can have a performance impact, particularly in environments with heavy traffic.

config system vdom-link
    edit "link-10-20-"
    next
end

Configuring a vdom-link creates two interfaces of type vdom-link (here link-10-20-0 and link-10-20-1):
 
config system interface
    edit "link-10-20-0"
        set vdom "root"
        set type vdom-link
        set snmp-index 20
    next
    edit "link-10-20-1"
        set vdom "root"
        set type vdom-link
        set snmp-index 21
    next
end
 
  • Configure multi-vdom mode:

config system global
    set vdom-mode multi-vdom
end

Note: It is not recommended to enable multi-vdom mode solely for route leaking between VRFs. However, if multi-vdom mode is already enabled, the NPU inter-VDOM link is already available, just as when single-vdom-npuvlink is enabled.

Configure VRF route leaking:

Once an inter-vdom link is available, configure VRF route leaking as needed, referencing the following documentation:

 
Configuring the link monitor:
  1. Allow overlapping subnets:
This setting allows the same subnet to be configured on different interfaces. Note that this is also part of the route leaking configuration steps.
 
config system settings
    set allow-subnet-overlap enable
end
 
  2. Inter-VDOM interfaces with IP address:
Define the VDOM link interfaces and assign them to different VRFs.
Each interface must have an IP address within the same subnet.
 
config system interface
    edit "npu0_vlink0"
        set vdom "root"
        set vrf 10
        set ip 10.20.20.1 255.255.255.252
        set type physical
        set snmp-index 35
    next
    edit "npu0_vlink1"
        set vdom "root"
        set vrf 20
        set ip 10.20.20.2 255.255.255.252
        set type physical
        set snmp-index 36
    next
end
 
  3. Configure the outbound firewall policy:
A firewall policy is required to allow the probe traffic arriving on the inter-VDOM link (npu0_vlink0, the VRF 10 side in this example) out through the WAN interface.
 
config firewall policy
    edit <index>
        set srcintf "npu0_vlink0"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
 
  4. Configure the link-monitor:
Once routing and policies are in place, the link-monitor can be created.
The source interface, source IP, and gateway IP must match the VRF and inter-VDOM link configuration.
 
config system link-monitor
    edit "lkmt_vrf20"
        set srcintf "npu0_vlink1"
        set server "8.8.4.4"
        set gateway-ip 10.20.20.1
        set source-ip 10.20.20.2
        set update-cascade-interface disable
        set update-static-route disable
    next
end
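The consistency rule in this step (source interface, source IP and gateway IP must match the VRF and inter-VDOM link configuration) can be checked before the change is pushed. The following Python script is an added example, not Fortinet code or part of the original article: it parses FortiOS CLI text for the interfaces from step 2 and the link-monitor from step 4 and reports any mismatch, including the VRF 0 condition from the notes at the end of the article. The 'lkmt_bad' monitor and its gateway 10.20.20.5 are constructed to produce a finding; the parser handles only the flat 'config / edit / set / next / end' shape shown on this page.

```python
import ipaddress
import shlex

# Constructed copies of the article's step 2 and step 4 configuration. The
# hypothetical "lkmt_bad" monitor is added only to show what a finding looks
# like: its gateway-ip lies outside the /30 of its source interface.
INTERFACE_CONFIG = """
config system interface
    edit "npu0_vlink0"
        set vrf 10
        set ip 10.20.20.1 255.255.255.252
    next
    edit "npu0_vlink1"
        set vrf 20
        set ip 10.20.20.2 255.255.255.252
    next
end
"""

LINK_MONITOR_CONFIG = """
config system link-monitor
    edit "lkmt_vrf20"
        set srcintf "npu0_vlink1"
        set server "8.8.4.4"
        set gateway-ip 10.20.20.1
        set source-ip 10.20.20.2
    next
    edit "lkmt_bad"
        set srcintf "npu0_vlink1"
        set gateway-ip 10.20.20.5
        set source-ip 10.20.20.2
    next
end
"""


def parse_fortios_table(text):
    """Parse one 'config ... edit NAME ... set KEY VALUES ... next ... end' table
    into {name: {key: [values]}}; shlex strips the quotes around names."""
    entries, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "edit":
            current = tokens[1]
            entries[current] = {}
        elif tokens[0] == "set" and current is not None:
            entries[current][tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            current = None
    return entries


def validate_link_monitors(interfaces, monitors):
    """Return {monitor_name: [finding, ...]}; an empty list means srcintf,
    source-ip and gateway-ip agree with the VRF / inter-VDOM link configuration."""
    # Resolve gateway-ip back to the local interface that owns that address.
    by_addr = {ipaddress.ip_address(cfg["ip"][0]): name
               for name, cfg in interfaces.items() if "ip" in cfg}
    results = {}
    for name, cfg in monitors.items():
        findings = []
        src_name = cfg.get("srcintf", [""])[0]
        src = interfaces.get(src_name)
        if src is None or "ip" not in src:
            results[name] = [f"srcintf {src_name!r} has no IP configuration"]
            continue
        src_if = ipaddress.ip_interface(f"{src['ip'][0]}/{src['ip'][1]}")
        src_vrf = int(src.get("vrf", ["0"])[0])
        source_ip = ipaddress.ip_address(cfg["source-ip"][0])
        gateway_ip = ipaddress.ip_address(cfg["gateway-ip"][0])
        if source_ip != src_if.ip:
            findings.append(f"source-ip {source_ip} differs from {src_name} address {src_if.ip}")
        if gateway_ip not in src_if.network:
            findings.append(f"gateway-ip {gateway_ip} is outside {src_name} subnet {src_if.network}")
        if src_vrf == 0:
            findings.append(f"{src_name} is in VRF 0, which must not be used with route leaking")
        gw_name = by_addr.get(gateway_ip)
        if gw_name is None:
            findings.append(f"gateway-ip {gateway_ip} is not owned by a local inter-VDOM link interface")
        else:
            gw_vrf = int(interfaces[gw_name].get("vrf", ["0"])[0])
            if gw_vrf == src_vrf:
                findings.append(f"gateway interface {gw_name} shares VRF {gw_vrf} with {src_name}")
            if gw_vrf == 0:
                findings.append(f"{gw_name} is in VRF 0, which must not be used with route leaking")
        results[name] = findings
    return results


def check_article_config():
    """Validate the constructed article configuration above."""
    return validate_link_monitors(parse_fortios_table(INTERFACE_CONFIG),
                                  parse_fortios_table(LINK_MONITOR_CONFIG))


if __name__ == "__main__":
    for monitor, findings in check_article_config().items():
        print(monitor, "OK" if not findings else "; ".join(findings))
```

Run against the article's values, 'lkmt_vrf20' produces no findings: its source IP is the address of npu0_vlink1 (VRF 20) and its gateway is npu0_vlink0 (VRF 10) in the same /30, which is exactly the leak the article relies on.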
 
  5. Verify the link-monitor status:
Use the following command to verify the operational status of the link-monitor:
 
diagnose sys link-monitor status
 
Expected output example:
 
diagnose sys link-monitor status
 
Link Monitor: 1, Status: alive, Server num(1), cfg_version=0 HA state: local(alive), shared(alive)
Flags=0x1 init, Create time: Tue Jan 13 21:25:48 2026
Source interface: npu0_vlink1 (34)
VRF: 0
Source IP: 10.20.20.2
Gateway: 10.20.20.1
Interval: 500 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
Transport-Group: 0
Class-ID: 0
  Peer: 8.8.4.4(8.8.4.4) 
        Source IP(10.20.20.2)
        Route: 10.20.20.2->8.8.4.4/32, gwy(10.20.20.1)
        protocol: ping, state: alive
                Latency(Min/Max/Avg): 7.099/7.289/7.153 ms
                Jitter(Min/Max/Avg): 0.000/0.119/0.041 ms
                Packet lost: 0.000%
                MOS: 4.401
                Number of out-of-sequence packets: 0
                Fail Times(0/5)
                Packet sent: 17203, received: 9254, Sequence(sent/rcvd/exp): 17204/17203/17204
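To consume this output in automation (for example a monitoring job that alerts when the probe in VRF 20 dies), the following Python script is an added example, not Fortinet code or part of the original article. It parses 'diagnose sys link-monitor status' text into records, compares the running source interface, source IP and gateway with the values configured in step 4, and applies loss and latency thresholds that are assumptions here. The sample text is constructed from the output above with a second, hypothetical monitor 'lkmt_vrf30' in a dead state for contrast; a real FortiGate may emit additional lines, which the parser ignores.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the article's 'diagnose sys link-monitor status'
# output. The first block reproduces the healthy state shown in the article;
# "lkmt_vrf30" is a hypothetical failing monitor added for contrast.
SAMPLE_STATUS = """\
Link Monitor: lkmt_vrf20, Status: alive, Server num(1), cfg_version=0 HA state: local(alive), shared(alive)
Source interface: npu0_vlink1 (34)
VRF: 0
Source IP: 10.20.20.2
Gateway: 10.20.20.1
  Peer: 8.8.4.4(8.8.4.4)
        Source IP(10.20.20.2)
        Route: 10.20.20.2->8.8.4.4/32, gwy(10.20.20.1)
        protocol: ping, state: alive
                Latency(Min/Max/Avg): 7.099/7.289/7.153 ms
                Packet lost: 0.000%
                Fail Times(0/5)
Link Monitor: lkmt_vrf30, Status: dead, Server num(1), cfg_version=0 HA state: local(dead), shared(dead)
Source interface: npu0_vlink1 (34)
VRF: 0
Source IP: 10.20.20.2
Gateway: 10.20.20.9
  Peer: 1.1.1.1(1.1.1.1)
        protocol: ping, state: dead
                Latency(Min/Max/Avg): 0.000/0.000/0.000 ms
                Packet lost: 100.000%
                Fail Times(5/5)
"""

# What step 4 of the article configured; running state is compared with this intent.
ARTICLE_EXPECTED = {"srcintf": "npu0_vlink1", "source-ip": "10.20.20.2", "gateway-ip": "10.20.20.1"}


@dataclass
class PeerStatus:
    address: str
    protocol: str = ""
    state: str = ""
    avg_latency_ms: float = 0.0
    packet_loss_pct: float = 0.0
    fail_count: int = 0
    fail_threshold: int = 0


@dataclass
class MonitorStatus:
    name: str
    status: str
    source_interface: str = ""
    vrf: int = -1
    source_ip: str = ""
    gateway: str = ""
    peers: list = field(default_factory=list)


def parse_link_monitor_status(text):
    """Split the diagnose output into one MonitorStatus per 'Link Monitor:' block."""
    monitors, mon, peer = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Link Monitor: ([^,]+), Status: (\w+)", line):
            mon, peer = MonitorStatus(m.group(1), m.group(2)), None
            monitors.append(mon)
        elif mon is None:
            continue
        elif m := re.match(r"Source interface: (\S+)", line):
            mon.source_interface = m.group(1)
        elif m := re.match(r"VRF: (\d+)", line):
            mon.vrf = int(m.group(1))
        elif m := re.match(r"Source IP: (\S+)", line):
            mon.source_ip = m.group(1)
        elif m := re.match(r"Gateway: (\S+)", line):
            mon.gateway = m.group(1)
        elif m := re.match(r"Peer: ([^(\s]+)", line):
            peer = PeerStatus(m.group(1))
            mon.peers.append(peer)
        elif peer is None:
            continue
        elif m := re.match(r"protocol: (\w+), state: (\w+)", line):
            peer.protocol, peer.state = m.group(1), m.group(2)
        elif m := re.match(r"Latency\(Min/Max/Avg\): [\d.]+/[\d.]+/([\d.]+)", line):
            peer.avg_latency_ms = float(m.group(1))
        elif m := re.match(r"Packet lost: ([\d.]+)%", line):
            peer.packet_loss_pct = float(m.group(1))
        elif m := re.match(r"Fail Times\((\d+)/(\d+)\)", line):
            peer.fail_count, peer.fail_threshold = int(m.group(1)), int(m.group(2))
    return monitors


def assess(mon, expected=None, max_loss_pct=1.0, max_avg_latency_ms=100.0):
    """Return a list of issues for one monitor; empty means healthy.
    The loss and latency thresholds are assumptions, not values from the article."""
    issues = []
    if mon.status != "alive":
        issues.append(f"{mon.name}: status {mon.status}")
    for key, actual in (("srcintf", mon.source_interface), ("source-ip", mon.source_ip), ("gateway-ip", mon.gateway)):
        if expected and expected.get(key) and expected[key] != actual:
            issues.append(f"{mon.name}: {key} is {actual}, configured {expected[key]}")
    for p in mon.peers:
        if p.state != "alive":
            issues.append(f"{mon.name}: peer {p.address} {p.state}")
        if p.packet_loss_pct > max_loss_pct:
            issues.append(f"{mon.name}: peer {p.address} loss {p.packet_loss_pct}% > {max_loss_pct}%")
        if p.avg_latency_ms > max_avg_latency_ms:
            issues.append(f"{mon.name}: peer {p.address} avg latency {p.avg_latency_ms} ms")
        if p.fail_count:
            issues.append(f"{mon.name}: peer {p.address} fail times {p.fail_count}/{p.fail_threshold}")
    return issues


def check_sample():
    """Parse SAMPLE_STATUS and assess every monitor against ARTICLE_EXPECTED."""
    return {m.name: assess(m, ARTICLE_EXPECTED) for m in parse_link_monitor_status(SAMPLE_STATUS)}


if __name__ == "__main__":
    for name, issues in check_sample().items():
        print(name, "healthy" if not issues else "; ".join(issues))
```

In practice the text would come from the CLI over SSH or the REST API rather than the embedded sample; comparing the running source interface, source IP and gateway with the configured values catches the case where the monitor is alive but probing through a path other than the intended inter-VDOM link.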
 
Notes:
  • When using VRFs with route leaking for link monitoring, VRF 0 must not be used.
  • Link-monitor traffic is evaluated within the VRF associated with the source interface.
  • Always verify routing using 'get router info routing-table all'.