Administration Guide

Enable or disable updating policy routes when link health monitor fails

An option has been added to toggle between enabling or disabling policy route updates when a link health monitor fails. By disabling policy route updates, a link health monitor failure will not cause corresponding policy-based routes to be removed.

config system link-monitor
    edit <name>
        set update-policy-route {enable | disable}
    next
end

Example

In the following topology, the FortiGate is monitoring the detect server, 10.1.100.22. The FortiGate has a policy-based route to destination 172.16.205.10 using the same gateway (172.16.202.1) and interface (port22). By configuring update-policy-route disable, the policy-based route is not removed when the link health monitor detects a failure.

To disable updating policy routes when the link health monitor fails:
  1. Configure the link health monitor:
    config system link-monitor
        edit "test-1"
            set srcintf "port22"
            set server "10.1.100.22"
            set gateway-ip 172.16.202.1
            set failtime 3
            set update-policy-route disable
        next
    end
  2. Configure the policy route:
    config router policy
        edit 1
            set input-device "port16"
            set dst "172.16.205.10/255.255.255.255"
            set gateway 172.16.202.1
            set output-device "port22"
            set tos 0x14
            set tos-mask 0xff
        next
    end
  3. When the link health monitor status is up, verify that the policy route is active:
    1. Verify the link health monitor status:
      # diagnose sys link-monitor status
      Link Monitor: test-1, Status: alive, Server num(1), HA state: local(alive), shared(alive)
      Flags=0x1 init, Create time: Fri May 28 15:20:15 2021
      Source interface: port22 (14)
      Gateway: 172.16.202.1
      Interval: 500 ms
      Service-detect: disable
      Diffservcode: 000000
      Class-ID: 0
        Peer: 10.1.100.22(10.1.100.22)
              Source IP(172.16.202.2)
              Route: 172.16.202.2->10.1.100.22/32, gwy(172.16.202.1)
              protocol: ping, state: alive
                      Latency(Min/Max/Avg): 0.374/0.625/0.510 ms
                      Jitter(Min/Max/Avg): 0.008/0.182/0.074
                      Packet lost: 0.000%
                      Number of out-of-sequence packets: 0
                      Fail Times(0/3)
                      Packet sent: 7209, received: 3400, Sequence(sent/rcvd/exp): 7210/7210/7211
    2. Verify the policy route list:
      # diagnose firewall proute list
      list route policy info(vf=root):
      id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x14 tos_mask=0xff protocol=0 sport=0-0 iif=41 dport=0-65535 oif=14(port22) gwy=172.16.202.1
      source wildcard(1): 0.0.0.0/0.0.0.0
      destination wildcard(1): 172.16.205.10/255.255.255.255
      hit_count=1 last_used=2021-05-27 23:04:33
  4. When the link health monitor status is down, verify that the policy route is still active:
    1. Verify the link health monitor status:
      # diagnose sys link-monitor status
      Link Monitor: test-1, Status: die, Server num(1), HA state: local(die), shared(die)
      Flags=0x9 init log_downgateway, Create time: Fri May 28 15:20:15 2021
      Source interface: port22 (14)
      Gateway: 172.16.202.1
      Interval: 500 ms
      Service-detect: disable
      Diffservcode: 000000
      Class-ID: 0
        Peer: 10.1.100.22(10.1.100.22)
              Source IP(172.16.202.2)
              Route: 172.16.202.2->10.1.100.22/32, gwy(172.16.202.1)
              protocol: ping, state: die
                      Packet lost: 11.000%
                      Number of out-of-sequence packets: 0
                      Recovery times(0/5) Fail Times(0/3)
                      Packet sent: 7293, received: 3471, Sequence(sent/rcvd/exp): 7294/7281/7282
    2. Verify the policy route list:
      # diagnose firewall proute list
      list route policy info(vf=root):
      id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x14 tos_mask=0xff protocol=0 sport=0-0 iif=41 dport=0-65535 oif=14(port22) gwy=172.16.202.1
      source wildcard(1): 0.0.0.0/0.0.0.0
      destination wildcard(1): 172.16.205.10/255.255.255.255
      hit_count=1 last_used=2021-05-27 23:04:33

    If update-policy-route were set to enable instead, the same link health monitor failure would disable the policy-based route, which the route list shows with the disable flag:

    # diagnose firewall proute list
    list route policy info(vf=root):
    id=1 dscp_tag=0xff 0xff flags=0x8 disable tos=0x14 tos_mask=0xff protocol=0 sport=0-0 iif=41 dport=0-65535 oif=14(port22) gwy=172.16.202.1
    source wildcard(1): 0.0.0.0/0.0.0.0
    destination wildcard(1): 172.16.205.10/255.255.255.255
    hit_count=1 last_used=2021-05-27 23:04:33
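The two diagnose commands above are what an operator compares to tell which behaviour is in effect: a dead monitor with the route still listed as active means update-policy-route disable is keeping traffic steered at a gateway that is currently failing health checks, while a dead monitor with the route marked disable means the default withdrawal happened. The following Python script is an added example and not Fortinet code: it parses trimmed copies of the page's own diagnose output, links each policy route to the link monitor that shares its gateway and outgoing interface, and reports one of four verdicts. The match on the literal disable tag is what the page shows; treating the 0x8 bit as the disable bit is an inference from the page's two flags values and is only used as a secondary hint.

```python
import re

# Sample diagnose output, copied from the page and trimmed to the lines this script reads.
MONITOR_ALIVE = """Link Monitor: test-1, Status: alive, Server num(1), HA state: local(alive), shared(alive)
Flags=0x1 init, Create time: Fri May 28 15:20:15 2021
Source interface: port22 (14)
Gateway: 172.16.202.1
  Peer: 10.1.100.22(10.1.100.22)
        protocol: ping, state: alive
                Fail Times(0/3)
"""

MONITOR_DIE = """Link Monitor: test-1, Status: die, Server num(1), HA state: local(die), shared(die)
Flags=0x9 init log_downgateway, Create time: Fri May 28 15:20:15 2021
Source interface: port22 (14)
Gateway: 172.16.202.1
  Peer: 10.1.100.22(10.1.100.22)
        protocol: ping, state: die
                Recovery times(0/5) Fail Times(0/3)
"""

PROUTE_ACTIVE = """list route policy info(vf=root):
id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x14 tos_mask=0xff protocol=0 sport=0-0 iif=41 dport=0-65535 oif=14(port22) gwy=172.16.202.1
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 172.16.205.10/255.255.255.255
hit_count=1 last_used=2021-05-27 23:04:33
"""

PROUTE_DISABLED = """list route policy info(vf=root):
id=1 dscp_tag=0xff 0xff flags=0x8 disable tos=0x14 tos_mask=0xff protocol=0 sport=0-0 iif=41 dport=0-65535 oif=14(port22) gwy=172.16.202.1
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 172.16.205.10/255.255.255.255
hit_count=1 last_used=2021-05-27 23:04:33
"""

MONITOR_RE = re.compile(r"^Link Monitor: (?P<name>[^,]+), Status: (?P<status>\w+)")
SRCINTF_RE = re.compile(r"^Source interface: (?P<intf>\S+)")
GATEWAY_RE = re.compile(r"^Gateway: (?P<gw>[\d.]+)")
# flags=0x.. may be followed by word tags (the page shows "disable") before the tos= field.
PROUTE_RE = re.compile(
    r"^id=(?P<id>\d+) .*?flags=(?P<flags>0x[0-9a-fA-F]+)(?P<tags>(?: [a-z_]+)*) tos=.*?"
    r"oif=\d+\((?P<oif>[^)]+)\) gwy=(?P<gwy>[\d.]+)"
)
DISABLE_BIT = 0x8  # assumption: inferred from flags=0x0 (active) vs flags=0x8 disable on the page


def parse_link_monitors(text):
    """Return one dict per 'Link Monitor:' block: name, status, source interface, gateway."""
    monitors, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = MONITOR_RE.match(line)
        if m:
            current = {"name": m["name"], "status": m["status"], "srcintf": None, "gateway": None}
            monitors.append(current)
            continue
        if current is None:
            continue
        s = SRCINTF_RE.match(line)
        if s:
            current["srcintf"] = s["intf"]
        g = GATEWAY_RE.match(line)
        if g:
            current["gateway"] = g["gw"]
    return monitors


def parse_policy_routes(text):
    """Return one dict per 'id=' line of diagnose firewall proute list."""
    routes = []
    for raw in text.splitlines():
        m = PROUTE_RE.match(raw.strip())
        if not m:
            continue
        flags = int(m["flags"], 16)
        tags = m["tags"].split()
        routes.append({
            "id": int(m["id"]),
            "flags": flags,
            # The textual tag is authoritative; the bit test only backs it up.
            "disabled": "disable" in tags or bool(flags & DISABLE_BIT),
            "oif": m["oif"],
            "gwy": m["gwy"],
        })
    return routes


def assess(monitor_text, proute_text):
    """Correlate each policy route with monitors on the same gateway and interface.

    Verdicts: healthy (monitor alive), withdrawn (monitor dead, route disabled:
    update-policy-route enable), retained (monitor dead, route still active:
    update-policy-route disable, so traffic keeps following a failing gateway),
    unmonitored (no link monitor covers this route's next hop).
    """
    monitors = parse_link_monitors(monitor_text)
    findings = []
    for route in parse_policy_routes(proute_text):
        linked = [m for m in monitors if m["gateway"] == route["gwy"] and m["srcintf"] == route["oif"]]
        if not linked:
            verdict = "unmonitored"
        elif all(m["status"] == "alive" for m in linked):
            verdict = "healthy"
        elif route["disabled"]:
            verdict = "withdrawn"
        else:
            verdict = "retained"
        findings.append({"id": route["id"], "monitors": [m["name"] for m in linked], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for label, mon, pr in (("up", MONITOR_ALIVE, PROUTE_ACTIVE),
                           ("down, update-policy-route disable", MONITOR_DIE, PROUTE_ACTIVE),
                           ("down, update-policy-route enable", MONITOR_DIE, PROUTE_DISABLED)):
        print(label, "->", assess(mon, pr))
```

Running the script prints healthy for the monitor-up case, retained for the page's configured behaviour (monitor dead, route active) and withdrawn for the default. The retained verdict is the one worth alerting on in operations: it is the intended outcome of update-policy-route disable, but it also means the policy route is forwarding to a gateway the FortiGate itself has declared dead, so whatever fallback the design relies on (another route, an upstream failover) should be confirmed rather than assumed.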