In large Fortinet SD-WAN deployments, it may be useful to use a health-check to monitor the status of the network path used from each SD-WAN Spoke to communicate with the FortiManager and FortiAnalyzer.

Health-check example:

If the server IP used in the Health-check (see image above) is pointing to a FortiManager or FortiAnalyzer interface, it is recommended to match at least one of these 2 conditions on both devices:

• One or more admins without configured trusted hosts.
• One admin with trusted hosts configured with the network containing all Spoke interface IPs used to send monitoring pings.

If the FortiManager/FortiAnalyzer admin configuration changes for any reason and neither of these conditions matches, the device will stop replying to echo requests.

This is an expected behavior, as explained here:

FortiManager Trusted Hosts 

FortiAnalyzer Trusted Hosts 

Note that if the health-check down is used from an SD-WAN rule, the behavior of Spokes related to the traffic sent to FortiManager and FortiAnalyzer can change, because the rule will be temporarily disabled while the health-check is not OK.

If the new network path is not OK, it is possible to face different problems. For example: Policy package installation failures on FortiManager or logs not received from FortiAnalyzer.