
FortiWifi interface monitor and fail-over

A FortiWifi firewall can be configured as a wireless bridge as follows[n1]:

config system global
    set wireless-mode client
end

A side effect of doing this is that the resulting wifi internal interface is always up, regardless of whether it is actually connected to the upstream wireless network. This means that if a backup interface is to be used (e.g. Mobile Broadband), the wifi interface's default route is never released and the backup one never kicks in. A less elegant solution is to use the FortiOS link-monitor function in conjunction with a custom script running somewhere nearby that manipulates network routes depending on interface availability.

For example, if a wifi interface is used as a primary network link and a wan2 interface is used for backup, the following link-monitor configuration is set on the device:

config system link-monitor
    edit "wan2"
        set srcintf "wan2"
        set server "8.8.8.8" "8.8.4.4"
    next
    edit "wifi"
        set srcintf "wifi"
        set server "8.8.8.8" "8.8.4.4"
    next
end

The status check is performed by running the diag sys link-monitor status wifi command and inspecting the output:

Link Monitor: wifi Status: alive Create time: Fri Mar 18 14:55:41 2016
Source interface: wifi (18)
Interval: 5, Timeout 1
Fail times: 0/5
Send times: 0
  Peer: 8.8.4.4(8.8.4.4)
        Source IP(172.16.99.11)
        Route: 172.16.99.11->8.8.4.4/32, gwy(172.16.99.254)
    protocol: ping, state: alive
              Latency(recent/average): 20.55/23.82 ms Jitter: 267.41
              Recovery times(0/5)
              Continuous sending times after the first recovery time 0
              Packet sent: 172173  Packet received: 167884
  Peer: 8.8.8.8(8.8.8.8)
        Source IP(172.16.99.11)
        Route: 172.16.99.11->8.8.8.8/32, gwy(172.16.99.254)
    protocol: ping, state: alive
              Latency(recent/average): 20.41/29.20 ms Jitter: 266.55
              Recovery times(1/5)
              Continuous sending times after the first recovery time 1
              Packet sent: 172161  Packet received: 169386

To automate this, I've written a simple Python script, which can be run on a nearby Linux host, to poll the firewall every few seconds and check the interface status. Should the primary interface go down, the script modifies the default route to send traffic to the backup interface:

usage: monitor.py [-h] --host HOST [--port PORT] [--user USER] --iface IFACE
                  --backup BACKUP --gwip GWIP

FortiGate interface monitor

optional arguments:
  -h, --help       show this help message and exit
  --host HOST      FortiGate appliance hostname or IP
  --port PORT      SSH port of the FortiGate appliance
  --user USER      FortiGate admin username
  --iface IFACE    FortiGate interface to monitor (e.g. wifi)
  --backup BACKUP  FortiGate interface to fail-over to (e.g. wan2)
  --gwip GWIP      Backup interface gateway ipaddr
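As an added example (this is not the author's monitor.py, whose source is not reproduced on this page), the following Python sketches the two pieces such a script needs: a parser for the diag sys link-monitor status output shown above, and a fail-over state machine that only switches the default route after several consecutive bad polls, so one lost probe does not flip routes back and forth. The SSH transport and the argparse wiring from the usage text are left out; the FortiOS static-route commands it emits, the route sequence number 1 and the backup gateway 192.0.2.1 are assumptions and placeholders, not values from the page. The sample output embedded below is constructed from the status dump above with the per-peer statistics trimmed.

```python
"""Added example (not the author's monitor.py): parse FortiOS link-monitor
output and drive a default-route fail-over decision with hysteresis."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the 'diag sys link-monitor status wifi'
# output shown above; the per-peer statistics lines are omitted.
SAMPLE_ALIVE = """\
Link Monitor: wifi Status: alive Create time: Fri Mar 18 14:55:41 2016
Source interface: wifi (18)
Interval: 5, Timeout 1
Fail times: 0/5
Send times: 0
  Peer: 8.8.4.4(8.8.4.4)
    protocol: ping, state: alive
  Peer: 8.8.8.8(8.8.8.8)
    protocol: ping, state: alive
"""
# Constructed failure case derived from the same sample.
SAMPLE_DEAD = (SAMPLE_ALIVE.replace("Status: alive", "Status: dead")
               .replace("state: alive", "state: dead")
               .replace("Fail times: 0/5", "Fail times: 5/5"))

STATUS_RE = re.compile(r"^Link Monitor:\s*(\S+)\s+Status:\s*(\w+)", re.M)
FAIL_RE = re.compile(r"^Fail times:\s*(\d+)/(\d+)", re.M)
PEER_RE = re.compile(r"\s*Peer:\s*(\S+?)\(")
STATE_RE = re.compile(r"\s*protocol:\s*\w+,\s*state:\s*(\w+)")


@dataclass
class LinkStatus:
    name: str
    alive: bool                          # True only on an explicit "alive"
    fail_times: Optional[Tuple[int, int]]  # (current, threshold) if present
    peers: Dict[str, str]                # probe target -> reported state


def parse_link_monitor(text: str) -> LinkStatus:
    """Parse one link-monitor status dump. Anything that is not an explicit
    'Status: alive' is treated as down, so unexpected wording fails closed."""
    m = STATUS_RE.search(text)
    if not m:
        raise ValueError("unrecognised link-monitor output")
    name, status = m.group(1), m.group(2).lower()
    fail = FAIL_RE.search(text)
    fail_times = (int(fail.group(1)), int(fail.group(2))) if fail else None
    peers: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        pm = PEER_RE.match(line)
        if pm:
            current = pm.group(1)
            continue
        sm = STATE_RE.match(line)
        if sm and current:
            peers[current] = sm.group(1).lower()
    return LinkStatus(name, status == "alive", fail_times, peers)


def route_cli(device: str, gateway: str, seq: int = 1) -> List[str]:
    """FortiOS CLI that points the default route at `device`/`gateway`.
    Assumption: the default route is static-route sequence `seq` (1 here)."""
    return [
        "config router static",
        f"    edit {seq}",
        "        set dst 0.0.0.0 0.0.0.0",
        f"        set device \"{device}\"",
        f"        set gateway {gateway}",
        "    next",
        "end",
    ]


@dataclass
class Failover:
    """Hysteresis: require `down_threshold` consecutive bad polls before
    failing over and `up_threshold` good polls before failing back."""
    primary: str
    backup: str
    backup_gw: str
    primary_gw: str
    down_threshold: int = 3
    up_threshold: int = 3
    on_backup: bool = False
    _down: int = 0
    _up: int = 0

    def observe(self, st: LinkStatus) -> List[str]:
        """Return the CLI batch to push for this poll, or [] if nothing changes."""
        if st.alive:
            self._up, self._down = self._up + 1, 0
        else:
            self._down, self._up = self._down + 1, 0
        if not self.on_backup and self._down >= self.down_threshold:
            self.on_backup = True
            return route_cli(self.backup, self.backup_gw)
        if self.on_backup and self._up >= self.up_threshold:
            self.on_backup = False
            return route_cli(self.primary, self.primary_gw)
        return []


def simulate(outputs: List[str], fo: Failover) -> List[Tuple[int, List[str]]]:
    """Feed successive poll results through the state machine and return the
    (poll index, CLI batch) pairs that would have been sent to the appliance."""
    applied = []
    for i, text in enumerate(outputs):
        cli = fo.observe(parse_link_monitor(text))
        if cli:
            applied.append((i, cli))
    return applied


if __name__ == "__main__":
    # 172.16.99.254 is the wifi gateway from the status dump; 192.0.2.1 is a
    # placeholder for the wan2 gateway (the --gwip argument in the usage text).
    fo = Failover(primary="wifi", backup="wan2", backup_gw="192.0.2.1",
                  primary_gw="172.16.99.254", down_threshold=2, up_threshold=2)
    polls = [SAMPLE_ALIVE, SAMPLE_DEAD, SAMPLE_DEAD, SAMPLE_DEAD,
             SAMPLE_ALIVE, SAMPLE_ALIVE]
    for idx, cli in simulate(polls, fo):
        print(f"poll {idx}: pushing\n" + "\n".join(cli))
```

In a real deployment the poll loop would replace the sample strings with the output of diag sys link-monitor status over SSH and push the returned CLI batch back to the appliance. Because the script then holds credentials for the firewall, give it a dedicated admin account with an access profile limited to the router and diagnostic permissions it needs and key-based SSH authentication, rather than a shared full-privilege login.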

Footnotes

[n1] FortiWifi Client mode (wireless bridge)

Anton Belodedenko
