Created on 08-05-2024 08:52 AM Edited on 08-06-2024 01:07 AM By Jean-Philippe_P
Description: This article describes how to avoid an issue in communication between FortiGates, FortiManager, and FortiAnalyzer.
Scope: FortiGate, FortiManager, and FortiAnalyzer.
Solution:
In large Fortinet SD-WAN deployments, it may be useful to use a health-check to monitor the status of the network path used from each SD-WAN Spoke to communicate with the FortiManager and FortiAnalyzer.
Health-check example:
If the server IP used in the health-check (see image above) points to a FortiManager or FortiAnalyzer interface, it is recommended to match at least one of these two conditions on both devices:
If the FortiManager/FortiAnalyzer admin configuration changes for any reason and neither of these conditions matches, the device will stop replying to echo requests. This is an expected behavior, as explained here:
Note that if the health-check that went down is referenced by an SD-WAN rule, the way Spokes forward traffic to FortiManager and FortiAnalyzer can change, because the rule is temporarily disabled while the health-check is not OK. If the new network path is not healthy, different problems can appear, for example policy package installation failures on FortiManager or logs not being received by FortiAnalyzer.