FortiGate
npariyar (Staff)
Article Id 249390
Description This article describes the functionality of 'set update-cascade-interface' when configured under 'config health-check' in SD-WAN.
Scope FortiGate v7.0.0 or higher
Solution

As a first step, note that 'update-cascade-interface' cannot function on its own: it works together with 'fail-detect', which needs to be configured under 'config system sdwan'.


config system sdwan
    set status enable
    set fail-detect enable <-----
    set fail-alert-interfaces "port3" <-----
    config zone
        edit "INTERNET"
        next
    end
    config members
        edit 3
            set interface "port7"
            set zone "INTERNET"
        next
        edit 4
            set interface "port1"
            set zone "INTERNET"
            set gateway 10.5.31.254
            set source 10.5.25.63
        next
    end
    config health-check
        edit "GOOGLE_DNS"
            set server "8.8.8.8"
            set update-cascade-interface enable <----- Enabled by default.
            set members 4 3
        next
    end
    config service
        edit 2
            set name "INTERNET"
            set dst "all"
            set src "all"
            set priority-members 3 4
        next
    end
end


In the above example, when the health check fails for both members (port1 and port7), FortiGate automatically shuts down the fail-alert interface (port3). If at least one of the members (port1 or port7) is alive, FortiGate brings the alert interface (port3) back up.


In other words, if the 'server' configured in GOOGLE_DNS (8.8.8.8) cannot be reached from either member, the port3 interface is disabled, as defined in 'fail-alert-interfaces'.


This is shown in the following outputs.

While both members are alive, the health-check status shows alive:


SPOKE3 # diagnose sys sdwan health-check
Health Check(GOOGLE_DNS):
Seq(4 port1): state(alive), packet-loss(0.000%) latency(17.164), jitter(0.032), mos(4.396), bandwidth-up(9999999), bandwidth-dw(9999934), bandwidth-bi(19999933) sla_map=0x0
Seq(3 port7): state(alive), packet-loss(0.000%) latency(17.486), jitter(0.081), mos(4.396), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x0


The port3 interface also shows as up:

SPOKE3 # diagnose hardware deviceinfo nic port3
Name: port3
State: up
Link: up


After a health-check failure, both members show as dead:

SPOKE3 # diagnose sys sdwan health-check filter name GOOGLE_DNS
SPOKE3 # diagnose sys sdwan health-check status
Health Check(GOOGLE_DNS):
Seq(4 port1): state(dead), packet-loss(18.000%) sla_map=0x0
Seq(3 port7): state(dead), packet-loss(9.000%) sla_map=0x0


The port3 interface is taken down as well:

SPOKE3 # diagnose hardware deviceinfo nic port3
Name: port3
State: down
Link: down
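To monitor this cascade from a management host, the two outputs above can be parsed and compared against the rule the article describes (alert interface down only when every member of the health check is dead). The following is an added example, not Fortinet's code; the sample text is constructed from the output format shown above, and the health-check name, member states and NIC state are assumptions passed in by the caller.

```python
import re

# Constructed sample, modelled on the 'diagnose sys sdwan health-check' output
# shown above: one member alive, one member dead.
SAMPLE_OUTPUT = """\
Health Check(GOOGLE_DNS):
Seq(4 port1): state(alive), packet-loss(0.000%) latency(17.164), jitter(0.032) sla_map=0x0
Seq(3 port7): state(dead), packet-loss(9.000%) sla_map=0x0
"""

HC_RE = re.compile(r"^Health Check\((?P<name>[^)]+)\):")
SEQ_RE = re.compile(r"^Seq\((?P<seq>\d+) (?P<intf>\S+)\): state\((?P<state>\w+)\)")


def parse_health_check(text):
    """Return {health_check_name: {member_interface: state}} from diagnose output.
    Lines that are not a 'Health Check(...)' header or a 'Seq(...)' member line
    (for example the CLI prompt) are ignored."""
    checks = {}
    current = None
    for line in text.splitlines():
        m = HC_RE.match(line)
        if m:
            current = m.group("name")
            checks[current] = {}
            continue
        m = SEQ_RE.match(line)
        if m and current is not None:
            checks[current][m.group("intf")] = m.group("state")
    return checks


def expected_alert_state(member_states):
    """Cascade rule from the article: the fail-alert interface should be 'down'
    only when every member of the health check is dead, otherwise 'up'."""
    if not member_states:
        return "up"  # no members parsed: nothing to cascade from
    return "down" if all(s == "dead" for s in member_states.values()) else "up"


def check_cascade(hc_output, hc_name, nic_state):
    """Compare the observed fail-alert interface state (the 'State:' line of
    'diagnose hardware deviceinfo nic') with the state the rule predicts.
    Returns (expected_state, observed_matches_expected)."""
    members = parse_health_check(hc_output).get(hc_name, {})
    expected = expected_alert_state(members)
    return expected, expected == nic_state
```

A mismatch (for example health check dead on all members but port3 still up) is the condition worth alerting on, since it means the cascade did not take effect.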


Note:
This can also be verified in the GUI under Log & reports -> Events -> SD-WAN Events.