rvdlee
New Contributor

External ICMP ping on secondary passive WAN interface

We have a FortiGate 100D firewall (FortiOS 5.2.x) with dual WAN (WAN1 and WAN2 interfaces) connectivity to 2 different ISPs. It is acting as active/passive. WAN1 is the primary WAN link (distance 10). WAN2 is our failover link (distance 20).

All is working well, but we want to monitor our WAN2 link with third-party monitoring software (Paessler PRTG). Because WAN2 is passive, ICMP ping doesn’t work. This would be the simplest method for proactively monitoring the WAN2 link with other monitoring software. I want to know if there are other methods before considering FortiAnalyzer.

Is it possible to enable ICMP ping to a passive WAN2 link? Are there other methods to achieve proactive alerting (e.g. e-mail, SNMP) when a passive WAN2 interface fails?

What I’ve learned so far:

  • I’ve been using dead gateway detection/link monitor. It writes a message to the Fortigate event log when an event happens, but I can’t extract this specific log alert with SNMP or receive an alert with alert e-mail. So I have to manually check the Fortigate log
  • SNMP events are limited to specific SNMP events categories, same goes for Alert e-mail. I can’t find options for link monitor events.

1 Solution
    ede_pfau
    Esteemed Contributor III

    hi,

     

    just some thoughts:

    - for a WAN interface you need a default route. Use 2 default routes with same distance but higher priority on the backup WAN. ("priority" in FOS means "cost".) This way, both routes are active in the Routing monitor and should enable reply traffic.

    That is, if a passive cluster member answers to incoming traffic at all. This might well not be the case!

     

    - regarding SNMP

    how do you know that the slave unit logs an event in case its WAN link goes down? Do you access the slave via its mgmt interface? If so, and this is preferable, it could be possible to enable SNMP on that mgmt interface and to receive a trap. (I know, a lot of "if"s).


    Ede

    "Kernel panic: Aiee, killing interrupt handler!"

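The routing suggestion in the answer above, written out as FortiOS CLI. This is an added example, not configuration posted in the thread: the gateway and probe addresses are documentation-range placeholders, and the `prtg-probe` object and the local-in policy that limits ping on WAN2 to the monitoring host are assumptions added here.

```fortios
# Constructed example: gateways, addresses and object names are placeholders.
# Same distance keeps both default routes in the routing table; the higher
# priority value (cost) on wan2 keeps wan1 preferred for outbound traffic.
config router static
    edit 1
        set device "wan1"
        set gateway 192.0.2.1
        set distance 10
        set priority 0
    next
    edit 2
        set device "wan2"
        set gateway 198.51.100.1
        set distance 10
        set priority 10
    next
end

# "set allowaccess" replaces the whole list; include services already enabled.
config system interface
    edit "wan2"
        set allowaccess ping
    next
end

# Answer ping on wan2 only for the monitoring probe (hypothetical object name).
config firewall address
    edit "prtg-probe"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan2"
        set srcaddr "prtg-probe"
        set dstaddr "all"
        set service "PING"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set service "PING"
        set schedule "always"
        set action deny
    next
end
```

After applying, `get router info routing-table all` should list both default routes.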