Configuring System Settings

Configuring link status monitoring

Link status monitoring enables the FortiMail unit to track the status of its interfaces and to bring an interface down or up based on the state of another associated interface.

Interface tracking

FortiMail units can process email before delivering it to your company’s internal mail server. In this configuration, mail comes from an external interface into the FortiMail unit. Then the mail is processed for spam, viruses and such. The mail is then forwarded over an internal interface to a company internal mail server for internal distribution.

For redundancy, companies can configure a secondary FortiMail unit that is connected to a secondary internal mail server. In this configuration the secondary FortiMail unit is normally not active, with all mail going through the primary FortiMail unit. The secondary system is activated when the external interface on the primary FortiMail unit is unreachable. Mail is routed to the secondary system until the primary unit can be reached, and then the mail is delivered to the primary FortiMail unit once again. In this configuration the mail only goes to one FortiMail unit or the other; it is never divided between the two.

If the internal mail server becomes unreachable from the primary FortiMail unit’s internal interface, the primary FortiMail unit needs to stop the incoming email or the email will continue to accumulate and not be delivered.

The FortiMail unit can track the status of the internal interface. When interface tracking sees the internal interface go down, it brings down the FortiMail external interface. This stops email from accumulating on the primary FortiMail unit. If your company has the redundant secondary FortiMail unit configured, email can be routed to it until the primary FortiMail unit can be reached again. Interface tracking also brings the external interface up when the internal interface comes back up.

With interface tracking, you can set which interfaces are associated. You can also set how often interface tracking checks the status of the interfaces. This is the maximum delay before the interfaces associated with the downed interface are brought down as well.

Configuring Link Status propagation

The Propagate Link Status to Ports section of the Link Status screen shows any interfaces whose status is linked to this interface.

Linking the state of an internal link to the external link prevents an accumulation of undeliverable mail from building up on the FortiMail unit when the internal link goes down.

To configure Link Status propagation

  1. Go to System > Network > Link Monitor.
  2. Enter the number of seconds between checks of the Link Status. If this is set to zero, the Link Status will not propagate to the other ports.
  3. Enter the number of seconds to delay after a link state operation before checking the status.
  4. Under Link Status, select the interface you want to propagate the status from, then click Edit for the interface.
  5. In the Link Status Settings popup window, specify the ports you want to propagate the status to by moving the ports from the left box to the right box.
  6. Click OK to confirm your selections and return to the Link Status screen.
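
The effect of the two timers in steps 2 and 3 can be seen in a small model. This is an added example, not FortiMail code: the port names, the one-second time step and the reading of the delay as a pause before the next check are assumptions.

```python
def simulate(events, linked, interval, hold, duration):
    """Model of link status propagation (assumed semantics, 1-second steps).

    events:   {second: [(source_port, "up" | "down"), ...]} physical changes
    linked:   {source_port: [ports its status is propagated to]}
    interval: seconds between link status checks; 0 disables propagation
    hold:     seconds to wait after a link state operation before checking
    Returns (actions, exposed): the tracker's (second, port, state) operations
    and the seconds a target stayed up while its source link was down.
    """
    phys = {src: "up" for src in linked}
    admin = {tgt: "up" for tgts in linked.values() for tgt in tgts}
    actions, exposed, next_check = [], 0, 0
    for t in range(duration + 1):
        for port, state in events.get(t, []):
            phys[port] = state
        if interval > 0 and t % interval == 0 and t >= next_check:
            changed = False
            for src, tgts in linked.items():
                for tgt in tgts:
                    if admin[tgt] != phys[src]:
                        admin[tgt] = phys[src]
                        actions.append((t, tgt, phys[src]))
                        changed = True
            if changed:
                next_check = t + hold
        exposed += sum(1 for src, tgts in linked.items() for tgt in tgts
                       if phys[src] == "down" and admin[tgt] == "up")
    return actions, exposed


# Constructed scenario: internal port2 fails at t=12 s and recovers at t=47 s;
# its status is propagated to external port1.
EVENTS = {12: [("port2", "down")], 47: [("port2", "up")]}
LINKED = {"port2": ["port1"]}

if __name__ == "__main__":
    for interval in (10, 0):
        print(interval, simulate(EVENTS, LINKED, interval, hold=5, duration=60))
```

In the model, the time the external port keeps accepting mail after the internal link fails never exceeds the check interval, and with an interval of zero it lasts for the whole outage.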

Configuring static routes

The System > Network > Routing tab displays a list of routes and lets you configure static routes and gateways used by the FortiMail unit.

Static routes direct traffic exiting the FortiMail unit. You can specify through which network interface a packet will leave, and the IP address of a next-hop router that is reachable from that network interface. The router is aware of which IP addresses are reachable through various network pathways, and can forward those packets along pathways capable of reaching the packets’ ultimate destinations.

A default route is a special type of static route. A default route matches all packets, and defines a gateway router that can receive and route packets if no other, more specific static route is defined for the packet’s destination IP address.

You should configure at least one static route, a default route, that points to your gateway. However, you may configure multiple static routes if you have multiple gateway routers, each of which should receive packets destined for a different subset of IP addresses.

To determine which route a packet will be subject to, the FortiMail unit compares the packet’s destination IP address to those of the static routes and forwards the packet along the route with the largest (most specific) prefix match.

For example, if an SMTP server is directly attached to one of the network interfaces, but all other destinations, such as connecting clients, are located on distant networks such as the Internet, you might need to add only one route: a default route for the gateway router through which the FortiMail unit connects to the Internet.

When you add a static route through the web UI, the FortiMail unit evaluates the route to determine if it represents a different route compared to any other route already present in the list of static routes. If no route having the same destination exists in the list of static routes, the FortiMail unit adds the static route.
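
The route selection and the duplicate-destination check described above can be modelled as follows. This is an added example, not FortiMail code: the interface names and addresses are constructed, and the connected routes for directly attached networks and the gateway reachability check are assumptions of the model.

```python
import ipaddress


class RouteTable:
    """Toy model of static route selection; not FortiMail code."""

    def __init__(self, interfaces):
        # interfaces: name -> "address/prefix" (constructed sample values).
        self.ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        # Directly attached networks need no gateway (assumed connected routes).
        self.routes = {i.network: (n, None) for n, i in self.ifaces.items()}

    def add(self, dest_ip, netmask, interface, gateway):
        """Add a static route; return False if the destination already exists."""
        net = ipaddress.ip_network(f"{dest_ip}/{netmask}", strict=False)
        gw = ipaddress.ip_address(gateway)
        # The next hop must be reachable from the chosen interface.
        if gw not in self.ifaces[interface].network:
            raise ValueError(f"{gw} is not reachable from {interface}")
        if net in self.routes:
            return False
        self.routes[net] = (interface, str(gw))
        return True

    def lookup(self, dst):
        """Return (destination, interface, gateway) of the longest prefix match."""
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        best = max(matches, key=lambda n: n.prefixlen)
        return (str(best), *self.routes[best])


def build_sample():
    # Constructed addressing: port1 faces the Internet, port2 the mail LAN.
    table = RouteTable({"port1": "192.0.2.10/24", "port2": "10.10.0.5/24"})
    table.add("0.0.0.0", "0.0.0.0", "port1", "192.0.2.1")        # default route
    table.add("10.20.0.0", "255.255.0.0", "port2", "10.10.0.1")  # remote subnet
    return table


if __name__ == "__main__":
    t = build_sample()
    for dst in ("10.10.0.25", "10.20.3.4", "203.0.113.7"):
        print(dst, "->", t.lookup(dst))
```

A mail server on the directly attached network is reached without any static route, which is why the single default route is enough in the scenario in the next paragraph.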

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • Access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To configure static routes

  1. Go to System > Network > Routing.
  2. Either click New to add a route or double-click a route to modify it.

A dialog appears.

Figure 108: Configuring a static route

  3. In Destination IP/netmask, enter the destination IP address and netmask of packets that will be subject to this static route.

To create a default route that will match all packets, enter 0.0.0.0/0.0.0.0.

  4. Select the interface that this route applies to.
  5. In Gateway, type the IP address of the next-hop router to which the FortiMail unit will forward packets subject to this static route. This router must know how to route packets to the destination IP addresses that you have specified in Destination IP/netmask. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
  6. Click Create.
