subramanis
Staff
Article Id 191686

Description
Remote Link Monitoring can be used to detect a remote failure, either on a remote link or on remote equipment, and potentially trigger a cluster failover to avoid a traffic interruption.
Only an interface defined in a link-monitor can become an HA ping server monitor interface.

A link-monitor cannot be configured for interfaces that are SD-WAN members.

Solution
In version 6.2 and higher, the link monitor feature is replaced by performance SLA for SD-WAN member interfaces, so SD-WAN interfaces can now be set as the HA pingserver-monitor-interface and trigger an HA failover when the health check on the interface fails.

1) Before enabling the performance SLA.

The WAN1 interface is configured as an SD-WAN member interface.

FGT-Primary # show system virtual-wan-link
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 10.109.31.254
        next
    end
end

The WAN1 interface is no longer offered in the link-monitor configuration once it is added as an SD-WAN member.

FGT-Primary (link-monitor) # edit ISP1_Link_monitor
new entry 'ISP1_Link_monitor' added

FGT-Primary (ISP1_Link_monitor) # set srcintf ?
<string>        <----- Input string value.
dmz(ISP2)       <----- Interface.
ha1             <----- Interface.
ha2             <----- Interface.
lan             <----- Interface.
wan2            <----- Interface.

Because no link monitor is configured, it is not possible to add any interface to the HA pingserver-monitor-interface configuration.

FGT-Primary # show system link-monitor
config system link-monitor
end

FGT-Primary # config system ha
FGT-Primary (ha) # set pingserver-monitor-interface ?
monitor    interfaces that has ping server enabled:


2) After enabling the performance SLA.

Health check for the WAN1 interface.

FGT-Primary (ISP1_sdwan_Link_~tor) # show
config health-check
    edit "ISP1_sdwan_Link_monitor"
        set server "8.8.8.8"
        set ha-priority 5
        set members 1
    next
end

With the performance SLA (health check) enabled, the WAN1 interface can now be set as the HA pingserver-monitor-interface.

FGT-Primary (ha) # set pingserver-monitor-interface ?
monitor         <----- Interfaces that has ping server enabled.
wan1(ISP1)      <----- Interface.

FGT-Primary # show system ha
config system ha
    set group-name "HA"
    set mode a-p
    set password ENC xkPVVW4xhQSLl1gkrCMGFQr6Pjj81xXl4dG82tykOXIY1fzpyM8G0Qg1LaFe0jryLAUq2cmGco8ZZPplVUYvLfBAGKK0Qsj+kVwETWvP+q0iQgkwzxU7rBA/0UKjRgvPzpM44dNUUBWBGvtptFT2ihUkC+gQTLMb6hRee3Q3Ba/jF6VDZYD1oo08z2nXYiWtwh2sdQ==
    set hbdev "ha2" 0
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 10.109.63.254
        next
    end
    set override disable
    set priority 150
    set pingserver-monitor-interface "wan1"
end
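
The dependency shown above (an HA pingserver-monitor-interface only works when a health check or link-monitor probes that interface) can be checked offline against a saved configuration. The Python below is an added example, not part of the original article or of Fortinet tooling; the sample text merges the article's snippets, "wan2" is a constructed interface with no probe, and the parser assumes every value fits on one line.

```python
import shlex

# Constructed sample: the article's SD-WAN, health-check and HA snippets merged
# into one "show" output; "wan2" is added (assumption) as an unprobed interface.
SAMPLE = '''
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
        next
    end
    config health-check
        edit "ISP1_sdwan_Link_monitor"
            set server "8.8.8.8"
            set ha-priority 5
            set members 1
        next
    end
end
config system ha
    set pingserver-monitor-interface "wan1" "wan2"
end
'''

def parse_fortios(text):
    """Parse FortiOS 'show' output into nested dicts keyed by config/edit names."""
    stack = [{}]
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
        elif tok[0] == "set" and len(tok) > 1:
            stack[-1][tok[1]] = tok[2:]
    return stack[0]

def ha_monitor_coverage(cfg):
    """Map each HA pingserver-monitor-interface to the probes that watch it."""
    sdwan = cfg.get("system virtual-wan-link", {})
    seq = {m["interface"][0]: n for n, m in sdwan.get("members", {}).items() if m.get("interface")}
    probes = {}
    for intf in cfg.get("system ha", {}).get("pingserver-monitor-interface", []):
        hits = [n for n, hc in sdwan.get("health-check", {}).items() if seq.get(intf) in hc.get("members", [])]
        hits += [n for n, lm in cfg.get("system link-monitor", {}).items() if intf in lm.get("srcintf", [])]
        probes[intf] = sorted(hits)
    return probes
```

An interface that maps to an empty list has nothing that can report a failure to HA, so it will never trigger a failover.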

Related Articles.

Technical Tip: Combining Remote Link Monitoring with FGCP cluster High Availability

HA Remote IP Monitoring
