FortiGate
npariyar
Staff
Article Id 249390
Description This article describes the functionality of 'set update-cascade-interface' when configured under 'config health-check' in SD-WAN.
Scope FortiGate v7.0.0 or higher
Solution

First, 'update-cascade-interface' cannot function on its own: it only takes effect together with 'fail-detect', which must be enabled under 'config system sdwan' along with the 'fail-alert-interfaces' that should be brought down.

# config system sdwan
    set status enable
    set fail-detect enable                    <----- required for update-cascade-interface to take effect
    set fail-alert-interfaces "port3"         <----- interface(s) brought down when the health check fails
    config zone
        edit "INTERNET"
        next
    end
    config members
        edit 3
            set interface "port7"
            set zone "INTERNET"
        next
        edit 4
            set interface "port1"
            set zone "INTERNET"
            set gateway 10.5.31.254
            set source 10.5.25.63
        next
    end
    config health-check
        edit "GOOGLE_DNS"
            set server "8.8.8.8"
            set update-cascade-interface enable   <----- enabled by default
            set members 4 3
        next
    end
    config service
        edit 2
            set name "INTERNET"
            set dst "all"
            set src "all"
            set priority-members 3 4
        next
    end
end


In the above example, when the GOOGLE_DNS health check fails on port1 and port7, i.e. the configured 'server' 8.8.8.8 can no longer be reached over those members, the port3 interface is brought down because it is listed in 'fail-alert-interfaces'. Since 'update-cascade-interface' is set per health check, disabling it on GOOGLE_DNS stops that particular health check from triggering the cascade even though 'fail-detect' stays enabled.


This is shown in the following output. Before the failure, both members of the health check report alive:

SPOKE3 # diagnose sys sdwan health-check
Health Check(GOOGLE_DNS):
Seq(4 port1): state(alive), packet-loss(0.000%) latency(17.164), jitter(0.032), mos(4.396), bandwidth-up(9999999), bandwidth-dw(9999934), bandwidth-bi(19999933) sla_map=0x0
Seq(3 port7): state(alive), packet-loss(0.000%) latency(17.486), jitter(0.081), mos(4.396), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x0


The port3 interface also shows as up:

SPOKE3 # diagnose hardware deviceinfo nic port3
Name: port3
State: up
Link: up


After the health check fails on both members:

SPOKE3 # diagnose sys sdwan health-check filter name GOOGLE_DNS
SPOKE3 # diagnose sys sdwan health-check status
Health Check(GOOGLE_DNS):
Seq(4 port1): state(dead), packet-loss(18.000%) sla_map=0x0
Seq(3 port7): state(dead), packet-loss(9.000%) sla_map=0x0


port3 interface is taken down as well:

SPOKE3 # diagnose hardware deviceinfo nic port3
Name: port3
State: down
Link: down
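The two 'diagnose' outputs above are the evidence that the cascade worked. The following script is an added example (not part of the original article or of FortiOS) that parses 'diagnose sys sdwan health-check status' and 'diagnose hardware deviceinfo nic' output and checks that the state of the fail-alert interface matches the health-check result, which is useful when validating the configuration in a lab or feeding the check into monitoring. The sample outputs are constructed and modelled on the ones shown above; the rule that the alert interface is expected down only when every member of the health check is dead is an assumption consistent with this article's example (both members dead), not a statement from the article.

```python
import re

# Constructed sample output modelled on 'diagnose sys sdwan health-check status' (not captured from a device).
HC_HEALTHY = """Health Check(GOOGLE_DNS):
Seq(4 port1): state(alive), packet-loss(0.000%) latency(17.164), jitter(0.032), mos(4.396), sla_map=0x0
Seq(3 port7): state(alive), packet-loss(0.000%) latency(17.486), jitter(0.081), mos(4.396), sla_map=0x0
"""

HC_FAILED = """Health Check(GOOGLE_DNS):
Seq(4 port1): state(dead), packet-loss(18.000%) sla_map=0x0
Seq(3 port7): state(dead), packet-loss(9.000%) sla_map=0x0
"""

# Constructed sample output modelled on 'diagnose hardware deviceinfo nic port3'.
NIC_UP = "Name: port3\nState: up\nLink: up\n"
NIC_DOWN = "Name: port3\nState: down\nLink: down\n"

HC_RE = re.compile(r"^Health Check\((?P<name>[^)]+)\):")
MEMBER_RE = re.compile(r"^Seq\((?P<seq>\d+) (?P<intf>\S+)\): state\((?P<state>\w+)\)")


def parse_health_check(text):
    """Return {health_check_name: {member_interface: state}} from the diagnose output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = HC_RE.match(line)
        if m:
            current = m.group("name")
            result[current] = {}
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            result[current][m.group("intf")] = m.group("state")
    return result


def parse_nic_state(text):
    """Return the 'State:' value ('up' / 'down') from the NIC diagnose output, or None."""
    m = re.search(r"^State:\s*(\w+)", text, re.M)
    return m.group(1) if m else None


def expected_alert_state(members):
    """Assumption (not from the article): the fail-alert interface should be down
    only when every member of the health check is dead; otherwise it should be up."""
    if members and all(state == "dead" for state in members.values()):
        return "down"
    return "up"


def verify_cascade(hc_text, nic_text, check_name="GOOGLE_DNS"):
    """Compare the observed fail-alert interface state with what the health check implies."""
    members = parse_health_check(hc_text).get(check_name, {})
    expected = expected_alert_state(members)
    actual = parse_nic_state(nic_text)
    return {
        "members": members,
        "expected": expected,
        "actual": actual,
        "consistent": expected == actual,
    }


if __name__ == "__main__":
    for label, hc, nic in (("before", HC_HEALTHY, NIC_UP),
                           ("after", HC_FAILED, NIC_DOWN),
                           ("cascade not applied", HC_FAILED, NIC_UP)):
        r = verify_cascade(hc, nic)
        print(f"{label}: members={r['members']} expected={r['expected']} "
              f"actual={r['actual']} consistent={r['consistent']}")
```

The third case (health check dead on all members but port3 still up) is the situation to alert on: it means 'fail-detect' or 'update-cascade-interface' is not enabled, or port3 is not listed in 'fail-alert-interfaces'.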


Note:
This can also be verified in the GUI under Log & Report -> Events -> SD-WAN Events.

Related document:
https://docs.fortinet.com/document/fortigate/7.0.0/cli-reference/93620/config-system-sdwan
