FortiGate
vsahu
Staff
Article Id 206780

Description

 

This article describes how a DNS health check (performance SLA) that probes a defined DNS server can cause loss of Internet connectivity.

 

The issue appears when a DNS probe is configured as a health check and the probe is sent to a defined (for example internal) DNS server rather than a public one: if that server cannot resolve the probe domain, the SLA fails and the FortiGate loses Internet connectivity.

 

Scope

 

FortiOS 6.4.0 and later.

 

Solution

 

By default, FortiGate uses www.example.com as the dns-request-domain that the DNS probe resolves to decide whether the link is up. This setting can only be viewed or changed from the CLI:

 

FW # config system sdwan
FW (sdwan) # config health-check
FW (health-check) # show full-configuration
config health-check
    edit "Performance_SLA_DNS"
        set probe-packets enable
        set addr-mode ipv4
        set system-dns enable
        set ha-priority 1
        set dns-request-domain "www.example.com" <-----
        set dns-match-ip 0.0.0.0
        set interval 500
        set probe-timeout 500
        set failtime 5
        set recoverytime 5
        set probe-count 30
        set diffservcode 000000
        set update-cascade-interface enable
        set update-static-route enable
        set sla-fail-log-period 0
        set sla-pass-log-period 0
        set threshold-warning-packetloss 0
        set threshold-alert-packetloss 0
        set threshold-warning-latency 0
        set threshold-alert-latency 0
        set threshold-warning-jitter 0
        set threshold-alert-jitter 0
        set members 2 1
        config sla
            edit 1
                set link-cost-factor packet-loss
                set packetloss-threshold 10
            next
        end
    next
end

Some DNS servers, typically internal resolvers that only serve internal zones or have no forwarders, cannot resolve 'www.example.com'. Every probe then fails, the SLA goes down after failtime consecutive failures, and because update-static-route is enabled the static routes through that member, including the default route toward the Internet, are removed from the routing table. The FortiGate loses Internet access.

 

--> Before changing the system DNS to the internal DNS servers:

 

# config system dns
    set primary 8.8.8.8
    set secondary 208.91.112.52
end

 

DAMMAM-HQ-FW # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 172.10.10.1, port3
S 10.2.0.0/16 [1/0] via 172.10.10.1, port3
S 10.3.0.0/16 [1/0] via 172.10.10.1, port3
S 10.4.0.0/16 [1/0] via 172.10.10.1, port3
S 10.5.0.0/16 [1/0] via 172.10.10.1, port3
S 10.6.0.0/16 [1/0] via 172.10.10.1, port3
S 10.7.0.0/16 [1/0] via 172.10.10.1, port3
S 10.10.1.0/24 [1/0] via 172.10.10.1, port3
S 10.11.0.0/16 [1/0] via 172.10.10.1, port3
S 10.12.0.0/16 [1/0] via 172.10.10.1, port3
S 10.13.0.0/16 [1/0] via 172.10.10.1, port3
C 172.10.10.0/30 is directly connected, port3
C 172.10.20.0/30 is directly connected, port4
C 172.18.19.0/24 is directly connected, SAP
S 172.28.28.0/24 [1/0] via 172.10.10.1, port3
S 192.168.0.0/16 [1/0] via 172.10.10.1, port3
C 192.168.1.0/24 is directly connected, mgmt
C 10.1.20.0/23 is directly connected, FARM
C 10.1.30.0/23 is directly connected, VOIP
C 10.1.32.0/24 is directly connected, Voice
C 10.1.40.0/24 is directly connected, CONF
C 10.1.50.0/23 is directly connected, ABC
C 10.1.52.0/24 is directly connected, XYZ

 

--> After changing the system DNS to the internal DNS servers:


# config system dns
    set primary 192.168.2.10
    set secondary 192.168.2.20
end


DAMMAM-HQ-FW # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
C 10.1.20.0/23 is directly connected, FARM
C 10.1.30.0/23 is directly connected, VOIP
C 10.1.32.0/24 is directly connected, Voice
C 10.1.40.0/24 is directly connected, CONF
C 10.1.50.0/23 is directly connected, ABC
C 10.1.52.0/24 is directly connected, XYZ


DAMMAM-HQ-FW # execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
sendto failed
sendto failed
sendto failed
sendto failed
sendto failed
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

 

To resolve this issue, use one of the following options:

 

1) Point the performance SLA at a public DNS server (for example 8.8.8.8) or at the FortiGuard DNS servers instead of the system DNS. The health check's system-dns option must be disabled, otherwise the probe keeps using the system DNS servers and the server list is not used:

 

# config system sdwan
# config health-check
    edit "Performance_SLA_DNS"
        set system-dns disable
        set server "8.8.8.8" "8.8.4.4"
        set protocol dns
        set members 0
    next
end

 

2) Alternatively, change dns-request-domain to any global FQDN that the defined DNS server is able to resolve, for example 'www.google.com':

 

# config system sdwan
# config health-check
    edit "Performance_SLA_DNS"
        set dns-request-domain "www.google.com"
    next
end
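The following is an added example, not Fortinet code or part of the original article. It reproduces the pass/fail decision the DNS performance SLA makes (an A-record query for dns-request-domain passes only when the reply has rcode 0 and at least one A record, and, when dns-match-ip is not 0.0.0.0, that address is among the answers), shows how failtime and recoverytime turn a run of failed probes into a down member whose static routes are withdrawn, and offers live_probe() as a pre-flight check to run against a candidate internal resolver (such as 192.168.2.10 above) before committing it as system DNS. The sample replies, the 203.0.113.10 answer address (TEST-NET-3, not www.example.com's real address) and all helper names are constructed for the example.

```python
"""Added example (not Fortinet code): the pass/fail rule of a FortiGate DNS
performance SLA, the failtime/recoverytime state machine, and a live pre-check
for a DNS server. Sample replies are constructed inline so the logic runs offline."""
import socket
import struct

DEFAULT_DOMAIN = "www.example.com"   # FortiGate default dns-request-domain
SAMPLE_IP = "203.0.113.10"           # constructed answer (TEST-NET-3), not a real address


def build_query(domain, txid=0x1234):
    """A-record query: header (RD=1, QDCOUNT=1) + QNAME + QTYPE=A + QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in domain.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_reply(msg):
    """Return (rcode, [A-record IPs]) from a DNS reply message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, ips


def probe_passes(reply, match_ip="0.0.0.0"):
    """SLA rule: NXDOMAIN/SERVFAIL or an empty answer is a failed probe;
    a non-zero dns-match-ip must appear among the A records."""
    rcode, ips = parse_reply(reply)
    if rcode != 0 or not ips:
        return False
    return match_ip == "0.0.0.0" or match_ip in ips


def sla_states(results, failtime=5, recoverytime=5):
    """Link state (True = up) after each probe: down after `failtime` consecutive
    failures, up again after `recoverytime` consecutive passes. With
    update-static-route enabled the member's static routes are withdrawn while down."""
    up, fails, passes, states = True, 0, 0, []
    for ok in results:
        if ok:
            passes, fails = passes + 1, 0
            if not up and passes >= recoverytime:
                up = True
        else:
            fails, passes = fails + 1, 0
            if up and fails >= failtime:
                up = False
        states.append(up)
    return states


def live_probe(server, domain=DEFAULT_DOMAIN, match_ip="0.0.0.0", timeout=0.5):
    """Send the probe to a real resolver (0.5 s = default probe-timeout 500 ms);
    True if the SLA would count the reply as a pass. No reply is a failed probe."""
    query = build_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return False
    return reply[:2] == query[:2] and probe_passes(reply, match_ip)


def _reply(query, rcode, ips):
    """Constructed reply to `query`: echoes the question, answers via a pointer to it."""
    header = query[:2] + struct.pack(">HHHHH", 0x8180 | rcode, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
                       for ip in ips)
    return header + query[12:] + answers


QUERY = build_query(DEFAULT_DOMAIN)
GOOD_REPLY = _reply(QUERY, 0, [SAMPLE_IP])     # public resolver: answer present
NXDOMAIN_REPLY = _reply(QUERY, 3, [])          # internal resolver without forwarders
SERVFAIL_REPLY = _reply(QUERY, 2, [])

if __name__ == "__main__":
    import sys
    for name, reply in [("public", GOOD_REPLY), ("internal", NXDOMAIN_REPLY)]:
        print(name, "resolver probe passes:", probe_passes(reply))
    # five consecutive failures (failtime 5) take the member, and its static routes, down
    print(sla_states([probe_passes(NXDOMAIN_REPLY)] * 5))
    if len(sys.argv) > 1:                       # e.g. python probe.py 192.168.2.10
        print(sys.argv[1], "would pass the SLA:", live_probe(sys.argv[1]))
```

Run it with the address of the resolver you intend to configure as system DNS; if live_probe() returns False for the current dns-request-domain, either option 1) or option 2) above is needed before the change, or the default route will be withdrawn as shown in the routing table output above.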

 

Related document: https://docs.fortinet.com/document/fortigate/6.4.0/new-features/600883/default-dns-performance-sla-p...
