FortiGate firewalls use link health monitoring to send probes to a server, evaluate link quality from parameters such as latency, jitter and packet loss, and display the health status of the link.
In the new version, FortiGate only supports configuring link status checks through the CLI:
config system link-monitor
edit "1"
set addr-mode <ipv4 | ipv6>
set srcintf "Interface that receives the traffic to be monitored"
set server "IP address of the server(s) to be monitored."
set protocol <ping | tcp-echo | udp-echo | http | twamp>
set gateway-ip <Gateway IP address used to probe the server>
set source-ip "Source IP address used in packet to the server"
set interval "Detection interval in milliseconds (500 - 3600 * 1000 msec, default = 500)"
set probe-timeout "Time to wait before a probe packet is considered lost (500 - 5000 msec, default = 500)"
set failtime "Number of retry attempts before the server is considered down (1 - 10, default = 5)"
set recoverytime "Number of successful responses received before server is considered recovered (1 - 10, default = 5)"
set probe-count "Number of most recent probes that should be used to calculate latency and jitter (5 - 30, default = 30)"
set ha-priority "HA election priority (1 - 50)"
set update-cascade-interface "Enable/disable update cascade interface, default: enable"
set update-static-route "Enable/disable updating the static route, default: enable"
set status "Enable/disable this link monitor, default: enable"
next
end
Below is a simple example: the FortiGate firewall probes the server IP 10.109.21.50 through its wan1 port.
config system link-monitor
edit "1"
set srcintf "wan1"
set server "10.109.21.50" // probe server IP 10.109.21.50 through the wan1 port
next
end
The diagnose query command shows the corresponding status as alive, which means the FortiGate can reach the server at IP address 10.109.21.50:
FGT # diagnose sys link-monitor status
Link Monitor: 1, Status: alive, Server num(1), Flags=0x1 init, Create time: Sun Jul 4 16:20:25 2021
Source interface: wan1 (3)
Interval: 500 ms
Peer: 10.109.21.50(10.109.21.50)
Source IP(10.109.16.223)
Route: 10.109.16.223->10.109.21.50/32, gwy(10.109.16.223)
protocol: ping, state: alive
Latency(Min/Max/Avg): 0.211/0.585/0.362 ms
Jitter(Min/Max/Avg): 0.006/0.298/0.098
Packet lost: 0.000%
Number of out-of-sequence packets: 0
Fail Times(0/5)
Packet sent: 1472, received: 1334, Sequence(sent/rcvd/exp): 1473/1473/1474
The corresponding interface route can also be queried:
FGT # get router info routing-table all
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.109.31.254, wan1
C 10.109.16.0/20 is directly connected, wan1
When WAN1 fails or the server cannot be reached by ping, the default route is removed from the routing table:
FGT # diagnose sys link-monitor status
Link Monitor: 1, Status: die, Server num(1), Flags=0x9 init, Create time: Sun Jul 4 16:20:25 2021
Source interface: wan1 (3)
Interval: 500 ms
Peer: 10.109.21.50(10.109.21.50)
Source IP(10.109.16.223)
Route: 10.109.16.223->10.109.21.50/32, gwy(10.109.16.223)
protocol: ping, state: die
Packet lost: 5.000%
Number of out-of-sequence packets: 0
Recovery times(0/5) Fail Times(1/5)
Packet sent: 2128, received: 1983, Sequence(sent/rcvd/exp): 2129/2122/2123
As the output below shows, the default route has been removed from the routing table because the target server is unreachable:
FGT # get router info routing-table all
Routing table for VRF=0
C 10.109.16.0/20 is directly connected, wan1
Once the target server IP recovers and can be pinged again, the corresponding default route is reloaded into the routing table.
To keep certain static routes from being removed when a failure occurs, use the following command.
config router static
edit 1
set link-monitor-exempt enable <----- Default is disabled.
next
end
The related log entries can also be viewed in the log report:
Log & Report -> Events -> System Events
date=2021-07-04 time=16:22:06 eventtime=1625408526938249768 tz="+0200" logid="0100022922" type="event" subtype="system" level="notice" vd="root" logdesc="Link monitor status" name="1" interface="wan1" probeproto="ping" msg="Link Monitor changed state from die to alive, protocol: ping."
date=2021-07-04 time=16:21:41 eventtime=1625408501933624821 tz="+0200" logid="0100022922" type="event" subtype="system" level="warning" vd="root" logdesc="Link monitor status" name="1" interface="wan1" probeproto="ping" msg="Link Monitor changed state from alive to die, protocol: ping."
date=2021-07-04 time=16:20:25 eventtime=1625408425881086208 tz="+0200" logid="0100022922" type="event" subtype="system" level="notice" vd="root" logdesc="Link monitor status" name="1" interface="wan1" probeproto="ping" msg="Link Monitor initial state is alive, protocol: ping"
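As an added example (not part of the original article or of FortiOS), the following Python parses FortiGate "Link monitor status" events (logid 0100022922) exported in the key=value format shown above, extracts the alive/die transitions, and pairs each alive-to-die event with the following recovery to measure how long the link was down. The sample input is the three log lines from the article, reordered oldest first; the field names and the message wording are taken from those lines.

```python
import re
import shlex
from datetime import datetime
from typing import Dict, List

# Sample input: the three "Link monitor status" events (logid 0100022922) shown in the
# article, reordered oldest first so that outages can be paired up.
SAMPLE_LOGS = """\
date=2021-07-04 time=16:20:25 eventtime=1625408425881086208 tz="+0200" logid="0100022922" type="event" subtype="system" level="notice" vd="root" logdesc="Link monitor status" name="1" interface="wan1" probeproto="ping" msg="Link Monitor initial state is alive, protocol: ping"
date=2021-07-04 time=16:21:41 eventtime=1625408501933624821 tz="+0200" logid="0100022922" type="event" subtype="system" level="warning" vd="root" logdesc="Link monitor status" name="1" interface="wan1" probeproto="ping" msg="Link Monitor changed state from alive to die, protocol: ping."
date=2021-07-04 time=16:22:06 eventtime=1625408526938249768 tz="+0200" logid="0100022922" type="event" subtype="system" level="notice" vd="root" logdesc="Link monitor status" name="1" interface="wan1" probeproto="ping" msg="Link Monitor changed state from die to alive, protocol: ping."
"""
LINK_MONITOR_LOGID = "0100022922"
CHANGE_RE = re.compile(r"changed state from (\w+) to (\w+)")
INITIAL_RE = re.compile(r"initial state is (\w+)")

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split one FortiOS key=value line into a dict; shlex keeps quoted values with spaces intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def link_monitor_transitions(text: str) -> List[dict]:
    """Return state events (monitor name, interface, time, old, new) from raw log text."""
    events = []
    for line in text.splitlines():
        rec = parse_fortigate_log(line)
        if rec.get("logid") != LINK_MONITOR_LOGID:
            continue  # not a link-monitor status event
        msg = rec.get("msg", "")
        m = CHANGE_RE.search(msg) or INITIAL_RE.search(msg)
        if not m:
            continue
        # "initial state is X" has no previous state, so old is None
        old, new = m.groups() if m.re is CHANGE_RE else (None, m.group(1))
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        events.append({"name": rec["name"], "interface": rec["interface"], "time": ts, "old": old, "new": new})
    return events

def outages(text: str) -> List[dict]:
    """Pair each alive->die with the next die->alive per monitor and report the outage length in seconds."""
    down_since: Dict[str, datetime] = {}
    result = []
    for ev in link_monitor_transitions(text):
        key = f"{ev['name']}@{ev['interface']}"
        if ev["new"] == "die":
            down_since[key] = ev["time"]
        elif ev["new"] == "alive" and key in down_since:
            start = down_since.pop(key)
            result.append({"monitor": key, "start": start, "seconds": (ev["time"] - start).total_seconds()})
    return result
```

Feeding the sample yields one outage of 25 seconds on monitor 1@wan1, which is the kind of value a monitoring pipeline can alert on or trend over time.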