Enable or disable updating policy routes when link health monitor fails 7.0.1

An option has been added to enable or disable policy route updates when a link health monitor fails. With policy route updates disabled, a link health monitor failure no longer causes the corresponding policy-based routes to be removed.

config system link-monitor
    edit <name>
        set update-policy-route {enable | disable}
    next
end

Example

In the following topology, the FortiGate is monitoring the detect server, 10.1.100.22. The FortiGate has a policy-based route to destination 172.16.205.10 using the same gateway (172.16.202.1) and interface (port22). By configuring update-policy-route disable, the policy-based route is not removed when the link health monitor detects a failure.

To disable updating policy routes when the link health monitor fails:
  1. Configure the link health monitor:
    config system link-monitor
        edit "test-1"
            set srcintf "port22"
            set server "10.1.100.22"
            set gateway-ip 172.16.202.1
            set failtime 3
            set update-policy-route disable
        next
    end
  2. Configure the policy route:
    config router policy
        edit 1
            set input-device "port16"
            set dst "172.16.205.10/255.255.255.255"
            set gateway 172.16.202.1
            set output-device "port22"
            set tos 0x14
            set tos-mask 0xff
        next
    end
  3. When the link health monitor status is up, verify that the policy route is active:
    1. Verify the link health monitor status:
      # diagnose sys link-monitor status
      Link Monitor: test-1, Status: alive, Server num(1), HA state: local(alive), shared(alive)
      Flags=0x1 init, Create time: Fri May 28 15:20:15 2021
      Source interface: port22 (14)
      Gateway: 172.16.202.1
      Interval: 500 ms
      Service-detect: disable
      Diffservcode: 000000
      Class-ID: 0
        Peer: 10.1.100.22(10.1.100.22)
              Source IP(172.16.202.2)
              Route: 172.16.202.2->10.1.100.22/32, gwy(172.16.202.1)
              protocol: ping, state: alive
                      Latency(Min/Max/Avg): 0.374/0.625/0.510 ms
                      Jitter(Min/Max/Avg): 0.008/0.182/0.074
                      Packet lost: 0.000%
                      Number of out-of-sequence packets: 0
                      Fail Times(0/3)
                      Packet sent: 7209, received: 3400, Sequence(sent/rcvd/exp): 7210/7210/7211
    2. Verify the policy route list:
      # diagnose firewall proute list
      list route policy info(vf=root):
      id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x14 tos_mask=0xff protocol=0 sport=0-0 iif=41 dport=0-65535 oif=14(port22) gwy=172.16.202.1
      source wildcard(1): 0.0.0.0/0.0.0.0
      destination wildcard(1): 172.16.205.10/255.255.255.255
      hit_count=1 last_used=2021-05-27 23:04:33
  4. When the link health monitor status is down, verify that the policy route is still active:
    1. Verify the link health monitor status:
      # diagnose sys link-monitor status
      Link Monitor: test-1, Status: die, Server num(1), HA state: local(die), shared(die)
      Flags=0x9 init log_downgateway, Create time: Fri May 28 15:20:15 2021
      Source interface: port22 (14)
      Gateway: 172.16.202.1
      Interval: 500 ms
      Service-detect: disable
      Diffservcode: 000000
      Class-ID: 0
        Peer: 10.1.100.22(10.1.100.22)
              Source IP(172.16.202.2)
              Route: 172.16.202.2->10.1.100.22/32, gwy(172.16.202.1)
              protocol: ping, state: die
                      Packet lost: 11.000%
                      Number of out-of-sequence packets: 0
                      Recovery times(0/5) Fail Times(0/3)
                      Packet sent: 7293, received: 3471, Sequence(sent/rcvd/exp): 7294/7281/7282
    2. Verify the policy route list:
      # diagnose firewall proute list
      list route policy info(vf=root):
      id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x14 tos_mask=0xff protocol=0 sport=0-0 iif=41 dport=0-65535 oif=14(port22) gwy=172.16.202.1
      source wildcard(1): 0.0.0.0/0.0.0.0
      destination wildcard(1): 172.16.205.10/255.255.255.255
      hit_count=1 last_used=2021-05-27 23:04:33

    If update-policy-route were enabled instead, the same link health monitor failure would disable the policy-based route, shown by flags=0x8 disable in the policy route list:

    # diagnose firewall proute list
    list route policy info(vf=root):
    id=1 dscp_tag=0xff 0xff flags=0x8 disable tos=0x14 tos_mask=0xff protocol=0 sport=0-0 iif=41 dport=0-65535 oif=14(port22) gwy=172.16.202.1
    source wildcard(1): 0.0.0.0/0.0.0.0
    destination wildcard(1): 172.16.205.10/255.255.255.255
    hit_count=1 last_used=2021-05-27 23:04:33
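As an added check (example code, not from the FortiGate documentation), the following Python parses constructed samples modelled on the two diagnose listings above and reports, per policy route, whether it is still active on a dead link (update-policy-route disable) or has been withdrawn (flags=0x8 disable, update-policy-route enable). The sample text and the 0x8 flag mapping are taken from the output formats shown on this page.

```python
import re

# Constructed samples modelled on the page's diagnose output (not a real capture): the monitor
# has died; one listing keeps the route (update-policy-route disable), the other withdraws it.
LINK_MONITOR_OUTPUT = """\
Link Monitor: test-1, Status: die, Server num(1), HA state: local(die), shared(die)
Flags=0x9 init log_downgateway, Create time: Fri May 28 15:20:15 2021
Source interface: port22 (14)
Gateway: 172.16.202.1
"""
PROUTE_KEPT = """\
list route policy info(vf=root):
id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x14 tos_mask=0xff protocol=0 sport=0-0 iif=41 dport=0-65535 oif=14(port22) gwy=172.16.202.1
"""
PROUTE_WITHDRAWN = PROUTE_KEPT.replace("flags=0x0", "flags=0x8 disable")
ROUTE_DISABLED = 0x8  # flag bit rendered as "disable" in the proute listing

def parse_link_monitors(text):
    """Map each monitor name to its status, source interface and gateway."""
    monitors, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"Link Monitor: (\S+), Status: (\w+)", line):
            current = monitors[m.group(1)] = {"status": m.group(2)}
        elif current is not None and (m := re.match(r"Source interface: (\S+)", line)):
            current["srcintf"] = m.group(1)
        elif current is not None and (m := re.match(r"Gateway: (\S+)", line)):
            current["gateway"] = m.group(1)
    return monitors

def parse_proutes(text):
    """Extract id, flags, output interface and gateway from each proute entry."""
    pat = re.compile(r"id=(\d+) .*flags=(0x[0-9a-f]+).*oif=\d+\((\S+)\) gwy=(\S+)")
    return [{"id": int(m[1]), "flags": int(m[2], 16), "oif": m[3], "gwy": m[4]}
            for m in map(pat.match, (l.strip() for l in text.splitlines())) if m]

def route_states(monitors, routes):
    """Pair each route with the monitor on the same interface+gateway and classify it."""
    out = []
    for r in routes:
        mon = next((n for n, v in monitors.items()
                    if v.get("srcintf") == r["oif"] and v.get("gateway") == r["gwy"]), None)
        if r["flags"] & ROUTE_DISABLED:
            state = "withdrawn"            # update-policy-route enable: route pulled on failure
        elif mon is not None and monitors[mon]["status"] != "alive":
            state = "active-on-dead-link"  # update-policy-route disable: still steering traffic
        else:
            state = "active"
        out.append((r["id"], mon, state))
    return out
```

A route reported as active-on-dead-link keeps steering matching traffic to a gateway the monitor has declared dead, which is the trade-off this setting makes; feeding real diagnose output into these parsers lets you alert on that condition.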
