FortiGate
sagha
Staff
Article Id 193015

Description


This article describes the functionality of 'set update-cascade-interface' when configured under 'config health-check' in SD-WAN.

When enabling Cascade Interface and configuring one or more alert interfaces, one of the following events will occur:

 

  1. FortiGate brings down the alert interfaces if all members are dead.
  2. FortiGate brings up the alert interfaces if there is at least one alive member.


Related documentation:
Configure redundant internet connections using SD-WAN (formerly virtual WAN link).

 

Scope

 

FortiGate.


Solution

 

As a first step, note that 'update-cascade-interface' cannot function on its own: it works together with 'fail-detect', which must be configured under 'config system sdwan' (before v6.4.1, under 'config system virtual-wan-link').

 

config system sdwan
    set status enable
    set fail-detect enable
    set fail-alert-interfaces "internal3"

        config members
            edit 4
                set interface "wan2"
                set gateway 192.168.0.1
            next
            edit 1
                set interface "wan1"
                set gateway 192.168.0.1
            next
        end
        config health-check
            edit "8.8.8.8"
                set server "8.8.8.8"
                set update-cascade-interface enable
                set members 4 1
            next
        end
end


In the above example, when the health check fails for both wan1 and wan2, i.e. when the configured 'server' at 8.8.8.8 cannot be reached over either member, the internal3 interface is brought down because it is listed in 'fail-alert-interfaces'. This is shown in the output below.

Testing and examples:

The status shows alive:

 

diagnose sys sdwan health-check
Health Check(8.8.8.8):
Seq(4): state(alive), packet-loss(3.000%) latency(19.610), jitter(14.388) sla_map=0x0
Seq(1): state(alive), packet-loss(3.000%) latency(20.623), jitter(14.182) sla_map=0x0

 

Interface internal3 also shows as up:

 

diagnose hardware deviceinfo nic internal3
========== Link Status ==========
Admin           :up
netdev status   :up
link_status     :Up

 

Health-check failure:

 

diagnose sys sdwan health-check 8.8.8.8
Health Check(8.8.8.8):
Seq(4): state(dead), packet-loss(85.000%) sla_map=0x0
Seq(1): state(dead), packet-loss(73.000%) sla_map=0x0

 

Interface internal3 is taken down as well:

 

diagnose hardware deviceinfo nic internal3
========== Link Status ==========
Admin           :down
netdev status   :N/A
link_status     :Down

 

Note:
This can also be verified in the GUI under Log & Report -> Events.
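As an added example (not from the article or from Fortinet), the following Python script parses the two diagnose outputs shown above and checks that the observed admin state of the alert interface matches what the cascade rule predicts (down only when every member is dead). The sample strings are constructed from the article's outputs; the health-check name "8.8.8.8" and the use of a single alert interface are assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed samples, copied from the article's 'diagnose sys sdwan health-check' output.
ALIVE_OUTPUT = """Health Check(8.8.8.8):
Seq(4): state(alive), packet-loss(3.000%) latency(19.610), jitter(14.388) sla_map=0x0
Seq(1): state(alive), packet-loss(3.000%) latency(20.623), jitter(14.182) sla_map=0x0
"""
DEAD_OUTPUT = """Health Check(8.8.8.8):
Seq(4): state(dead), packet-loss(85.000%) sla_map=0x0
Seq(1): state(dead), packet-loss(73.000%) sla_map=0x0
"""
# Constructed sample of 'diagnose hardware deviceinfo nic internal3' while the link is up.
NIC_OUTPUT_UP = """========== Link Status ==========
Admin           :up
netdev status   :up
link_status     :Up
"""

HC_RE = re.compile(r"^Health Check\((?P<name>[^)]+)\):")
SEQ_RE = re.compile(r"^Seq\((?P<seq>\d+)\): state\((?P<state>\w+)\)")
ADMIN_RE = re.compile(r"^Admin\s*:(?P<state>\w+)", re.MULTILINE)


def parse_health_check(output: str) -> Dict[str, Dict[int, str]]:
    """Map health-check name -> {member seq: 'alive'|'dead'} from diagnose output."""
    checks: Dict[str, Dict[int, str]] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        hc = HC_RE.match(line)
        if hc:
            current = hc.group("name")
            checks[current] = {}
            continue
        seq = SEQ_RE.match(line)
        if seq and current is not None:
            checks[current][int(seq.group("seq"))] = seq.group("state")
    return checks


def expected_alert_admin(member_states: Dict[int, str]) -> str:
    """Cascade rule from the article: alert interface goes down only if all members are dead."""
    if member_states and all(s == "dead" for s in member_states.values()):
        return "down"
    return "up"


def parse_admin_state(nic_output: str) -> str:
    """Extract the Admin state ('up'/'down') from the nic link-status output."""
    m = ADMIN_RE.search(nic_output)
    if not m:
        raise ValueError("no Admin line found in nic output")
    return m.group("state").lower()


def cascade_mismatch(hc_output: str, nic_output: str, check: str = "8.8.8.8") -> Optional[Tuple[str, str]]:
    """Return (expected, observed) when the alert interface state disagrees with the rule, else None."""
    expected = expected_alert_admin(parse_health_check(hc_output)[check])
    observed = parse_admin_state(nic_output)
    return None if expected == observed else (expected, observed)
```

A non-None result means the alert interface has not followed the members, which is worth raising in monitoring before the downstream switch keeps sending traffic into a dead path.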

 

Below is a setup example where Cascade Interface may be used:

 

[Image: topology diagram of the setup example]

 

In this case, if both SD-WAN members are down, port3, as the cascade interface, will go down. The switch then considers that path 'dead' and sends traffic to the Internet through the other device instead.