FortiWAN WAN Link Health Detection

WAN Link Health Detection

[WAN Link Health Detection] offers insight into the health status of WAN links. It lets you set specific health detection criteria for each individual WAN link in a network of multiple links. FortiWAN detects the connection status of a WAN link by sending ICMP and TCP packets to targets, and determines the connection quality from the data reported back. [WAN Link Detection] has a few fields to fill in. To avoid flooding the link with detection packets, FortiWAN considers a WAN link alive without sending detection packets if inbound traffic is detected on the WAN link. The ICMP and TCP detection packets are sent only if no inbound traffic is detected.

For a single detection via ICMP / TCP packets, FortiWAN sends an ICMP or TCP packet (defined in “Detection Protocol”) individually to multiple targets (defined in “Ping List / TCP Connect List” and “Number of Hosts Picked out per Detection”) via a WAN link (defined in “WAN Link”). FortiWAN considers the WAN link alive if it receives a response from at least one of those targets within a time period (defined in “Detection timeout in milliseconds”); otherwise the detection is considered failed (FortiWAN will not judge a WAN link to be down from just one detection failure). Whether or not a single detection succeeds, FortiWAN repeats the detection after a number of seconds (defined in “Detection Period in Second”). The WAN link is determined to be down only if multiple detections fail consecutively (defined in “Number of Retries”). WAN link health detection monitors the WAN link status that FortiWAN’s Summary, Auto Routing, Multihoming and Statistics refer to.

Ignore Inbound Traffic: When [Ignore Inbound Traffic] is enabled, FortiWAN determines WAN link status only by sending ICMP and TCP packets to targets, regardless of inbound traffic on the WAN link. When it is disabled, FortiWAN monitors WAN link status using a mixture of inbound traffic and ICMP / TCP packets.
Detection timeout in milliseconds: The timeout period for every single detection, in milliseconds. If no response packets are detected during this period, the system considers the detection failed.
WAN Link: The WAN link to which the health detection criteria apply. Configure the WAN links individually by selecting them from the list.

Detection Protocol: Two protocols are available for WAN link detection: ICMP and TCP.
Detection period, in seconds: The time interval, in seconds, between the ICMP or TCP packets sent for detection. A shorter interval detects a change in connection condition earlier, but it consumes more bandwidth.
Number of hosts picked per detection: The number of hosts picked from the Ping List or TCP Connection List for each detection. When FortiWAN starts checking the link health, it sends ICMP and TCP packets to the IP addresses of the hosts that have been picked. Detection is not performed if this value is set to zero.
Number of retries: The number of times FortiWAN retries when a detection is indicated as failed. Once all of these retries fail, FortiWAN declares that the WAN connection has failed.
Number of successful detection: The number of consecutive successful detections required to declare a WAN link available.

If this field is set to 5 and the detection period is set to 3 seconds, it takes at least 15 seconds to detect an available WAN link. If Ignore Inbound Traffic is disabled, inbound traffic detected on a WAN link counts as one successful detection.

In ICMP packet detection, the optional list is:

Ping List: Lists the hosts (Destination IP: IPv4 or IPv6) available for ping detection. Each detection sends one ping packet to the IP address of a host picked randomly from the list. The TTL (Time to Live) of the ping packet is determined by Hops and is generally set to “3”. FortiWAN accepts a TTL expired message as a valid response to an ICMP detection, even if the detection packet is not delivered to the destination.

Note: always use real external IP addresses (hosts on the Internet) for the Ping List; the gateway and hosts in the near WAN are not appropriate destinations for the detection.

In TCP packet detection, the optional list is:

TCP Connect List: Lists the hosts (Destination IP: IPv4 or IPv6) available for TCP connect detection. Each detection performs a TCP connect test against a host picked randomly from the list, and assigns a value to the TCP port.

A WAN link is determined alive if:

  • A single detection succeeds.
  • The value of the field “Number of hosts picked per detection” is set to zero, or “Ping List / TCP Connect List” is left blank.
  • “Ignore Inbound Traffic” is disabled and inbound traffic on the WAN link is detected.

A WAN link is determined down if:

  • All the detection retries fail.
  • No carrier signal is detected (failures on cables or physical ports).
  • The WAN link is disabled or is a sleeping backup line.
  • A PPPoE or DHCP WAN link fails to get a dynamic IP address.

FortiWAN provides statistics for the WAN Link Health Detection service; see “Statistics: WAN Link Health Detection”.
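
The up/down rules described above can be modelled as a small state machine. This is an added example, not FortiWAN code: it shows how the same sequence of detection rounds is judged with Ignore Inbound Traffic enabled and disabled. It assumes that "down" requires the first failed detection plus every retry to fail, and that the first detection runs one period after start; the target address and the rounds are constructed.

```python
from dataclasses import dataclass

@dataclass
class HealthConfig:
    period_s: int = 3             # "Detection period, in seconds"
    hosts_per_detection: int = 1  # "Number of hosts picked per detection"
    retries: int = 3              # "Number of retries"
    successes: int = 5            # "Number of successful detection"
    ignore_inbound: bool = False  # "Ignore Inbound Traffic"
    targets: tuple = ("198.51.100.10",)  # constructed Ping List entry

def detection_ok(cfg, inbound_seen, replies):
    """One detection round; replies = picked hosts that answered before the timeout."""
    if inbound_seen and not cfg.ignore_inbound:
        return True               # inbound traffic counts as one successful detection
    return replies >= 1           # one responding target is enough

def simulate(cfg, rounds, up=True):
    """rounds: (inbound_seen, replies) per detection period.
    Returns (final_state, [(seconds, new_state), ...])."""
    if cfg.hosts_per_detection == 0 or not cfg.targets:
        return "up", []           # detection is not performed; link is treated as alive
    fails = oks = 0
    transitions = []
    for n, (inbound_seen, replies) in enumerate(rounds, start=1):
        if detection_ok(cfg, inbound_seen, replies):
            oks, fails = oks + 1, 0
        else:
            oks, fails = 0, fails + 1
        # Assumption: "down" needs the first failure plus every retry to fail.
        if up and fails >= cfg.retries + 1:
            up = False
            transitions.append((n * cfg.period_s, "down"))
        elif not up and oks >= cfg.successes:
            up = True
            transitions.append((n * cfg.period_s, "up"))
    return ("up" if up else "down"), transitions

# Constructed rounds: four silent periods, then five with one reply each.
OUTAGE = [(False, 0)] * 4 + [(False, 1)] * 5
# Constructed rounds: probes never answered, inbound traffic seen every other period.
NOISY = [(True, 0), (False, 0)] * 4

if __name__ == "__main__":
    print(simulate(HealthConfig(ignore_inbound=True), OUTAGE))
    print(simulate(HealthConfig(ignore_inbound=False), NOISY))
    print(simulate(HealthConfig(ignore_inbound=True), NOISY))
```

With the defaults used here, recovery in the first scenario takes the 15 seconds the text gives for 5 successful detections at a 3-second period, and the second and third scenarios differ only in the Ignore Inbound Traffic setting.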

