Created on 04-12-2019 01:24 AM
Edited on 03-02-2025 04:57 AM
By Stephen_G
Description
This article describes how link monitor can disable other interface(s) when gateway detection (link monitor) fails and bring them back up when gateway detection succeeds.
Scope
FortiGate.
Solution
In this example, when wan1 gateway detection (link monitor) fails, interface port3 will be disabled.
- Wan1 is the ISP link.
- Port3 is an independent interface (LAN or DMZ).
The objective is:
- When wan1 is down or the ping server is not reachable, the default route is removed and port3 will be DOWN.
- When wan1 comes up and the ping server is reachable, the default route is installed and port3 will be UP.
Static route (default route):
show router static
config router static
edit 1
set gateway 192.168.1.1
set device "wan1"
next
edit 2
set gateway 192.168.2.1
set device "wan2"
next
end
Link-monitor (gateway detect):
config system link-monitor
edit "wan1-ping-server"
set srcintf "wan1"
set server "8.8.8.8"
set update-cascade-interface enable <----- Update cascade interface enable.
set update-static-route enable <----- Update static route enable.
next
end
WAN1 interface configuration:
config system interface
edit "wan1"
set vdom "root"
set ip 192.168.1.254 255.255.255.0
set allowaccess ping https ssh
set fail-detect enable <----- Enable fail detect.
set fail-detect-option detectserver link-down <----- Detect failure by ping server (detectserver) and by physical link-down.
set fail-alert-method link-down <----- Fail alert method link-down.
set fail-alert-interfaces "port3" <----- Independent interface port3; only non-virtual interfaces can be selected.
set type physical
set role wan
set snmp-index 1
next
end
- Fail-detect: enables failure detection on wan1, so the FortiGate tracks the interface state and decides when it is to be treated as failed.
- Fail-detect-option detectserver link-down: selects what counts as a failure. detectserver marks the interface as failed when the link-monitor's ping server (8.8.8.8 in this example) becomes unreachable; link-down marks it as failed when the physical link goes down. With both options set, either condition marks wan1 as down.
- Fail-alert-method link-down: selects what happens to the fail-alert interfaces when wan1 fails. With link-down, those interfaces are brought down, which is what disables port3 in this example; the alternative method, link-failed-signal, signals the failure on them without bringing them down.
- Fail-alert-interfaces: the interface(s) acted on when wan1 fails. Here port3 is brought down when wan1 fails and brought back up when wan1 recovers. Only non-virtual (physical) interfaces can be listed. Note that port3 is taken down entirely, so any traffic on it that did not depend on wan1 (for example local management access to the FortiGate on port3) is lost as well; use this where a downstream device needs the port state as its failover signal.
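The four pieces above (link-monitor with update-cascade-interface, fail-detect on the monitored interface, fail-alert-interfaces pointing at physical interfaces, and a static route on the monitored device when update-static-route is set) are easy to get half-configured. The following is an added example, not code from this article or from Fortinet: a small Python check that parses a FortiOS config dump and reports inconsistencies. The config text is constructed from the article's wan1/port3 snippets plus a second monitor on wan2 that is deliberately misconfigured; the wan2, vlan10 and 1.1.1.1 details are assumptions made for the example.

```python
# Added example (not from the Fortinet article): parse a FortiOS config dump
# and check that link-monitor cascading is wired up consistently.
import re
from collections import defaultdict

# Constructed sample: the article's wan1/port3 configuration plus a second
# monitor on wan2 that is deliberately misconfigured in four ways (assumed).
SAMPLE_CONFIG = """
config router static
    edit 1
        set gateway 192.168.1.1
        set device "wan1"
    next
end
config system link-monitor
    edit "wan1-ping-server"
        set srcintf "wan1"
        set server "8.8.8.8"
        set update-cascade-interface enable
        set update-static-route enable
    next
    edit "wan2-ping-server"
        set srcintf "wan2"
        set server "1.1.1.1"
        set update-cascade-interface enable
        set update-static-route enable
    next
end
config system interface
    edit "wan1"
        set fail-detect enable
        set fail-detect-option detectserver link-down
        set fail-alert-method link-down
        set fail-alert-interfaces "port3"
        set type physical
    next
    edit "wan2"
        set fail-alert-interfaces "vlan10" "wan2"
    next
    edit "port3"
        set type physical
    next
    edit "vlan10"
        set interface "port3"
        set type vlan
    next
end
"""

def parse_config(text):
    """Parse a FortiOS config dump into {table: {entry: {setting: [values]}}}."""
    tables = defaultdict(dict)
    stack = []            # saved (table, entry) so nested config blocks resume the outer entry
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append((table, entry))
            table, entry = line[7:], None
        elif line.startswith("edit ") and table is not None:
            entry = line[5:].strip('"')
            tables[table].setdefault(entry, {})
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[4:].partition(" ")
            tables[table][entry][key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
        elif line == "next":
            entry = None
        elif line == "end" and stack:
            table, entry = stack.pop()
    return tables

def check_cascade(cfg):
    """Return findings (strings); an empty list means the cascade config is consistent."""
    findings = []
    ifaces = cfg.get("system interface", {})
    routes = cfg.get("router static", {}).values()
    for name, mon in cfg.get("system link-monitor", {}).items():
        src = mon.get("srcintf", [None])[0]
        intf = ifaces.get(src)
        if intf is None:
            findings.append(f"{name}: srcintf {src!r} is not a configured interface")
            continue
        if mon.get("update-cascade-interface", ["disable"])[0] == "enable":
            # cascading needs fail-detect on the monitored interface ...
            if intf.get("fail-detect", ["disable"])[0] != "enable":
                findings.append(f"{name}: {src} cascades but fail-detect is not enabled")
            # ... and physical, distinct fail-alert interfaces to act on
            for t in intf.get("fail-alert-interfaces", []):
                if t == src:
                    findings.append(f"{name}: {src} lists itself as a fail-alert interface")
                elif t not in ifaces:
                    findings.append(f"{name}: fail-alert interface {t!r} is not configured")
                elif ifaces[t].get("type", ["physical"])[0] != "physical":
                    findings.append(f"{name}: {t} is a virtual interface and cannot be a fail-alert interface")
        if mon.get("update-static-route", ["disable"])[0] == "enable":
            if not any(r.get("device", [None])[0] == src for r in routes):
                findings.append(f"{name}: update-static-route enabled but no static route uses {src}")
    return findings
```

Running `check_cascade(parse_config(SAMPLE_CONFIG))` reports nothing for wan1-ping-server and four findings for wan2-ping-server (fail-detect missing, vlan10 is virtual, wan2 lists itself, no static route on wan2). Feed it the output of `show router static`, `show system link-monitor` and `show system interface` concatenated to check a live unit.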
The following System Events are logged. When link-monitor detects the link failure:
• Link Monitor initial state is failed, protocol: ping
• Static route on interface wan1 can be removed by link-monitor wan1-ping-server. Route: (192.168.1.254->8.8.8.8 ping-down)
• Link monitor: Interface port3 is turned down
When link-monitor detects that the link is OK:
• Link Monitor initial state is OK, protocol: ping
• Static route on interface wan1 can be added by link-monitor wan1-ping-server. Route: (192.168.1.254->8.8.8.8 ping-up)
• Link monitor: Interface port3 is turned up
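Because the cascade acts on port3 every time wan1 flips, a flapping ISP link takes the LAN side down with it repeatedly. The following is an added example, not from this article or from Fortinet: a Python routine that reads the System Events above, derives the last known route and interface state per monitor, and flags a monitored interface whose route was removed several times within a short window. The message text is the article's; the timestamp prefix and the repeated wan1 flap sequence are constructed for the example.

```python
# Added example (not from the Fortinet article): track cascade state from
# link-monitor system events and flag a flapping monitored link.
import re
from datetime import datetime, timedelta

# Constructed sample events: message text as logged by link-monitor per the
# article; "YYYY-MM-DD HH:MM:SS" prefix and the flap sequence are assumed.
SAMPLE_EVENTS = """
2025-03-02 04:50:00 Link Monitor initial state is failed, protocol: ping
2025-03-02 04:50:00 Static route on interface wan1 can be removed by link-monitor wan1-ping-server. Route: (192.168.1.254->8.8.8.8 ping-down)
2025-03-02 04:50:00 Link monitor: Interface port3 is turned down
2025-03-02 04:51:30 Link Monitor initial state is OK, protocol: ping
2025-03-02 04:51:30 Static route on interface wan1 can be added by link-monitor wan1-ping-server. Route: (192.168.1.254->8.8.8.8 ping-up)
2025-03-02 04:51:30 Link monitor: Interface port3 is turned up
2025-03-02 04:53:00 Static route on interface wan1 can be removed by link-monitor wan1-ping-server. Route: (192.168.1.254->8.8.8.8 ping-down)
2025-03-02 04:53:00 Link monitor: Interface port3 is turned down
2025-03-02 04:54:10 Static route on interface wan1 can be added by link-monitor wan1-ping-server. Route: (192.168.1.254->8.8.8.8 ping-up)
2025-03-02 04:54:10 Link monitor: Interface port3 is turned up
2025-03-02 04:56:00 Static route on interface wan1 can be removed by link-monitor wan1-ping-server. Route: (192.168.1.254->8.8.8.8 ping-down)
2025-03-02 04:56:00 Link monitor: Interface port3 is turned down
"""

ROUTE_RE = re.compile(r"Static route on interface (\S+) can be (removed|added) by link-monitor (\S+)\.")
IFACE_RE = re.compile(r"Link monitor: Interface (\S+) is turned (down|up)")

def parse_events(text):
    """Yield (timestamp, message) from 'YYYY-MM-DD HH:MM:SS message' lines."""
    for line in text.strip().splitlines():
        yield datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"), line[20:]

def cascade_state(text, flap_window=timedelta(minutes=10), flap_threshold=3):
    """Summarise link-monitor events.

    Returns {"routes": {wan_if: "installed"|"removed"},
             "interfaces": {if_name: "up"|"down"},
             "flapping": {wan_if: bool}}, where flapping means at least
    flap_threshold route removals for that interface within flap_window.
    """
    routes, interfaces, removals = {}, {}, {}
    for ts, msg in parse_events(text):
        m = ROUTE_RE.search(msg)
        if m:
            wan_if, action, _monitor = m.groups()
            routes[wan_if] = "removed" if action == "removed" else "installed"
            if action == "removed":
                removals.setdefault(wan_if, []).append(ts)
            continue
        m = IFACE_RE.search(msg)
        if m:
            interfaces[m.group(1)] = m.group(2)
    flapping = {}
    for wan_if, times in removals.items():
        # sliding window over the (chronological) removal timestamps
        flapping[wan_if] = any(
            times[i + flap_threshold - 1] - times[i] <= flap_window
            for i in range(len(times) - flap_threshold + 1)
        )
    return {"routes": routes, "interfaces": interfaces, "flapping": flapping}
```

On the sample, the final state is wan1 route removed and port3 down, and wan1 is flagged as flapping (three removals in six minutes). A flapping verdict is the cue to raise the link-monitor interval/failtime or to question the choice of ping server, rather than to let port3 keep bouncing.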
Routes and interface status can be checked while the link is down and after it comes back up with the following commands:
To check all active routes:
get router info routing-table all
To view the physical interface status:
get sys interface physical
To check the link-monitor status:
diag sys link-monitor status