FortiGate
_mribwan
Staff
Article Id 326038
Description

This article describes how the link monitor, by default, only removes the route from the routing table when its probe fails: the IPsec tunnel interface stays up, so tunnel failover does not occur.

It shows how to use an automation stitch to bring the tunnel interface down once the route is removed, since the fail-detect method is not available on an IPsec tunnel interface.

Scope

FortiOS 7.0.x, 7.2.x, 7.4.x.
Solution
  1. Configure the link monitor as needed. For IPsec, the link monitor usually probes the peer. Refer to these documents on configuring the link monitor:
    Link monitor with route updates
    Technical Tip: Link monitor

In this example, it is configured as follows:

config system link-monitor
    edit "LM-1"
        set srcintf "port3"
        set server "172.20.151.2"
        set gateway-ip 10.80.4.185
        set route "172.16.0.0/16"
    next
end

  2. Once the link monitor is configured, it generates log ID 22921 when the route is removed:

    Screenshot: link monitor event log entry.

  3. Create the automation trigger and action, then combine them in a stitch:

GUI: Security Fabric -> Automation.

Automation Trigger:

Screenshot: Automation Trigger.

Automation Trigger CLI:

config system automation-trigger
    edit "Route removed"
        set event-type event-log
        set logid 22921
        config fields
            edit 1
                set name "status" <--- Route status is down.
                set value "down"
            next
            edit 2
                set name "name" <--- The link-monitor name used is LM-1. This is required if multiple link monitors are configured.
                set value "LM-1"
            next
        end
    next
end

Automation Action:

Screenshot: Automation Action.

Automation action CLI:

config system automation-action
    edit "Disable Tunnel"
        set action-type cli-script
        set script "conf sys int
            edit \"ToCam\"
                set status down
        end"
        set accprofile "super_admin"
    next
end

Automation Stitch:

Screenshot: Automation Stitch.

Automation stitch CLI:

config system automation-stitch
    edit "Route removed"
        set trigger "Route removed"
        config actions
            edit 1
                set action "Disable Tunnel"
                set required enable
            next
        end
    next
end


Result:

Screenshot: result (captured 2024-07-15).

Screenshot: tunnel disabled.