Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gmarcuccetti
Staff
Staff

Created on ‎04-12-2019 01:24 AM

Article Id 190877

Technical Tip: Bring other interfaces down when link monitor fails

Description
This article describes how link monitor can disable other interface(s) when the gateway detect (link Monitor) fails and bring them up when gateway detect (link Monitor) succeeds.

Solution
In this example, when wan1 gateway detection (link monitor) fails, interface port3 will be disabled.

- Wan1 is the ISP link.
- Port3 is independent interface (LAN or DMZ)

The objective is:

   -When wan1 is down or the ping server is not reachable, the default route is removed and port3 will be DOWN.
   -When wan1 comes up and the ping server is reachable, the default route is installed and port3 will be UP.

Static route (default route):
#show router static
config router static
    edit 1
       set gateway 192.168.1.1
       set device "wan1"
    next
    edit 2
       set gateway 192.168.2.1
       set device "wan2"
    next
end
Link-monitor (gateway detect):
config system link-monitor
    edit "wan1-ping-server"
        set srcintf "wan1"
        set server "8.8.8.8"
        set update-cascade-interface enable         < -- Update cascade interface enable
        set update-static-route enable              < -- Update static route enable
    next
end
WAN1 interface configuration:
config system interface
   edit "wan1"
       set vdom "root"
       set ip 192.168.1.254 255.255.255.0
       set allowaccess ping https ssh
       set fail-detect enable                           < -- Enable fail detect
       set fail-detect-option detectserver link-down    < -- Detectserver as link-down
       set fail-alert-method link-down                  < -- Fail alert method Link-down
       set fail-alert-interfaces "port3"                < -- Independent interface port3
       set type physicalset role wan
       set snmp-index 1
    next
end
The System Events can be monitored

  -When link-monitor detects link failure,
      •    Link Monitor initial state is failed, protocol: ping
      •    Static route on interface wan1 can be removed by link-monitor wan1-ping-server. Route: (192.168.1.254->8.8.8.8 ping-down)
      •    Link monitor: Interface port3 is turned down

   -When link-monitor detects link is OK.
      •    Link Monitor initial state is OK, protocol: ping
      •    Static route on interface wan1 can be added by link-monitor wan1-ping-server. Route: (192.168.1.254->8.8.8.8 ping-up)
      •    Link monitor: Interface port3 is turned up

Routes and Interface status can be monitored during link Down and Up status as follows:

   -To check all active routes:
# get router info routing-table all
   -To view the physical interface status:
# get sys interface physical
- To check the link-monitor status:
# diag sys link-monitor status

59783
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.