By Manny Fernandez

May 22, 2024

FortiOS Link-Monitor Gotcha

When using link-monitor on FortiGate, there is a gotcha you may run into. Link-monitor lets you probe a server with ping (although you can use any of these: ping, tcp-echo, udp-echo, http or twamp). The FortiGate sends the probe from the defined source interface, and you can define how many lost probes in a given period mark the link as down and how many successful probes mark it as up again. Let's discuss it.

  • The FortiGate on the left is front-ending the 10.2.0.0/16 network.
  • It has a static route to 10.200.0.0/16 via the router connected to the FortiGate on the right. We want to track 10.200.0.40, which is a server in the datacenter.
  • If the track fails, we want to remove the route from the RIB.
  • We set up a link monitor on the left FortiGate to ping 10.200.0.40 from the 10.255.254.1 IP address (port1).
  • We want the routing table updated if the track fails.

Requirements

We need to keep 10.1.0.0/16 and 10.2.0.0/16 reachable from each other (ping in both directions must continue to work) regardless of the track result.

config system link-monitor
    edit "SLA1"
        set srcintf "port1"
        set server "10.200.0.40"
        set source-ip 10.255.254.1
    next
end

So the above link monitor will give us the outcome we are looking for, except for the requirement. In FortiOS, if an interface participates in link-monitor and the link-monitor fails, that interface is treated as down and all static routes associated with it are removed from the RIB. So in the scenario above, we would lose all routes to 10.1.0.0/16, which sits across the 10.255.254.0/30 subnet (WAN).


Thankfully, there is a way to get the required outcome as well as one that includes the tracking of the remote IP address to ensure reachability.

config system link-monitor
    edit "SLA1"
        set srcintf "port1"
        set server "10.200.0.40"
        set route "10.200.0.0/16"
        set source-ip 10.255.254.1
    next
end

In the modified link-monitor above, there is one additional line: set route "10.200.0.0/16". This tells the FortiGate that if the ping to the tracked server is lost, only the route specified in this line should be removed from the RIB; the other static routes on port1, including the one to 10.1.0.0/16, stay in place.
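As an added example (not part of the original post), here is the same route-scoped link-monitor with the probe thresholds from the introduction made explicit, followed by the CLI checks I would use to confirm that only the tracked route leaves the RIB when the probe fails. The failtime and recoverytime values of 3 are assumptions for illustration; the probe interval is left at its default because its unit differs between FortiOS releases.

```fortios
# Added example, not the author's configuration.
# Assumed values: failtime 3 and recoverytime 3 (consecutive probe results
# needed to declare down / up). Defaults and ranges vary by FortiOS version;
# confirm against the CLI reference for your build.
config system link-monitor
    edit "SLA1"
        set srcintf "port1"
        set source-ip 10.255.254.1
        set server "10.200.0.40"
        set protocol ping
        set failtime 3
        set recoverytime 3
        set update-static-route enable
        set route "10.200.0.0/16"
    next
end

# Check 1: probe state and fail/recover counters for SLA1.
diagnose sys link-monitor status

# Check 2: after SLA1 reports failure, 10.200.0.0/16 should be absent
# while the static route to 10.1.0.0/16 via port1 is still listed.
get router info routing-table all
```

Run the two checks once with the server reachable and once with ICMP to 10.200.0.40 blocked; the second routing-table output is what proves the scoping works, since an interface-wide withdrawal would also drop the 10.1.0.0/16 entry.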

I hope this helps you out of a bind.  It did me.
