Enable or disable updating policy routes when link health monitor fails 7.0.1
An option has been added to toggle between enabling or disabling policy route updates when a link health monitor fails. By disabling policy route updates, a link health monitor failure will not cause corresponding policy-based routes to be removed.
config system link-monitor edit <name> set update-policy-route {enable | disable} next end
Example
In the following topology, the FortiGate is monitoring the detect server, 10.1.100.22. The FortiGate has a policy-based route to destination 172.16.205.10 using the same gateway (172.16.202.1) and interface (port22). By configuring update-policy-route disable
, the policy-based route is not removed when the link health monitor detects a failure.
To disable updating policy routes when the link health monitor fails:
- Configure the link health monitor:
config system link-monitor edit "test-1" set srcintf "port22" set server "10.1.100.22" set gateway-ip 172.16.202.1 set failtime 3 set update-policy-route disable next end
- Configure the policy route:
config router policy edit 1 set input-device "port16" set dst "172.16.205.10/255.255.255.255" set gateway 172.16.202.1 set output-device "port22" set tos 0x14 set tos-mask 0xff next end
- When the health link monitor status is up, verify that the policy route is active.
- Verify the link health monitor status:
# diagnose sys link-monitor status Link Monitor: test-1, Status: alive, Server num(1), HA state: local(alive), shared(alive) Flags=0x1 init, Create time: Fri May 28 15:20:15 2021 Source interface: port22 (14) Gateway: 172.16.202.1 Interval: 500 ms Service-detect: disable Diffservcode: 000000 Class-ID: 0 Peer: 10.1.100.22(10.1.100.22) Source IP(172.16.202.2) Route: 172.16.202.2->10.1.100.22/32, gwy(172.16.202.1) protocol: ping, state: alive Latency(Min/Max/Avg): 0.374/0.625/0.510 ms Jitter(Min/Max/Avg): 0.008/0.182/0.074 Packet lost: 0.000% Number of out-of-sequence packets: 0 Fail Times(0/3) Packet sent: 7209, received: 3400, Sequence(sent/rcvd/exp): 7210/7210/7211
- Verify the policy route list:
# diagnose firewall proute list list route policy info(vf=root): id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x14 tos_mask=0xff protocol=0 sport=0-0 iif=41 dport=0-65535 oif=14(port22) gwy=172.16.202.1 source wildcard(1): 0.0.0.0/0.0.0.0 destination wildcard(1): 172.16.205.10/255.255.255.255 hit_count=1 last_used=2021-05-27 23:04:33
- Verify the link health monitor status:
- When the health link monitor status is down, verify that the policy route is active:
- Verify the link health monitor status:
# diagnose sys link-monitor status Link Monitor: test-1, Status: die, Server num(1), HA state: local(die), shared(die) Flags=0x9 init log_downgateway, Create time: Fri May 28 15:20:15 2021 Source interface: port22 (14) Gateway: 172.16.202.1 Interval: 500 ms Service-detect: disable Diffservcode: 000000 Class-ID: 0 Peer: 10.1.100.22(10.1.100.22) Source IP(172.16.202.2) Route: 172.16.202.2->10.1.100.22/32, gwy(172.16.202.1) protocol: ping, state: die Packet lost: 11.000% Number of out-of-sequence packets: 0 Recovery times(0/5) Fail Times(0/3) Packet sent: 7293, received: 3471, Sequence(sent/rcvd/exp): 7294/7281/7282
- Verify the policy route list:
# diagnose firewall proute list list route policy info(vf=root): id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x14 tos_mask=0xff protocol=0 sport=0-0 iif=41 dport=0-65535 oif=14(port22) gwy=172.16.202.1 source wildcard(1): 0.0.0.0/0.0.0.0 destination wildcard(1): 172.16.205.10/255.255.255.255 hit_count=1 last_used=2021-05-27 23:04:33
If the
update-policy-route
setting is enabled, the link health monitor would be down and the policy-based route would be disabled:# diagnose firewall proute list list route policy info(vf=root): id=1 dscp_tag=0xff 0xff flags=0x8 disable tos=0x14 tos_mask=0xff protocol=0 sport=0-0 iif=41 dport=0-65535 oif=14(port22) gwy=172.16.202.1 source wildcard(1): 0.0.0.0/0.0.0.0 destination wildcard(1): 172.16.205.10/255.255.255.255 hit_count=1 last_used=2021-05-27 23:04:33
- Verify the link health monitor status: