Tuning the failure threshold and probe interval, Configuring fortibridge alerts – Fortinet Version 3.0 User Manual
Page 40
FortiBridge Version 3.0 Administration Guide
09-30000-0163-20061109
Configuring FortiBridge alerts
Configuration and operating procedures
Figure 15: FortiGate Session list showing FortiBridge probes
This session list shows the following:
• The FortiBridge dynamic probe IP addresses are 2.2.2.213 and 2.2.2.214.
• IMAP probe packets (port 143) are processed by firewall policy 3.
• FTP probe packets (port 21) are processed by firewall policy 2.
• ping probe packets are processed by firewall policy 1.
• SMTP packets using port 26 are processed by firewall policy 1.
Tuning the failure threshold and probe interval
If you find the FortiBridge unit failing open when the FortiGate unit has not failed,
or if the FortiGate unit fails and there is an unacceptably long delay before the
FortiBridge unit fails open, you should adjust the failure threshold and probe
interval.
Failing open when the FortiGate unit has not failed indicates that you should
increase the time the FortiBridge unit waits to fail open. During startup, if the
FortiBridge unit begins sending probe packets before the FortiGate unit has
completed its startup sequence, the FortiBridge unit may detect a failure and
switch to bypass mode. Also, if the FortiGate unit is processing high traffic
volumes, a fail open could occur if the FortiGate unit delays FortiBridge probe
packets. You can increase the fail open delay by increasing the failure threshold
and probe interval.
An unacceptable delay before failing open means network traffic can be
interrupted for the time period between when the FortiGate unit fails and the
FortiBridge unit fails open. You can minimize the delay by reducing the failure
threshold and probe interval.
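The trade-off described above can be explored offline before changing a production unit. The following Python model is an added illustration, not Fortinet code. It assumes one probe is sent every `interval` seconds and that the unit fails open after `threshold` consecutive unanswered probes; the boot time, load windows, and failure time are constructed sample values.

```python
# Added illustration, not FortiBridge firmware or CLI.
# Assumed model: one probe every `interval` seconds; the bridge fails open
# once `threshold` consecutive probes go unanswered.

def fail_open_time(interval, threshold, answered, horizon=300):
    """Return the second at which the bridge fails open, or None if it never does.
    `answered(t)` reports whether a probe sent at time t receives a reply."""
    missed, t = 0, 0
    while t <= horizon:
        if answered(t):
            missed = 0                 # any reply resets the failure count
        else:
            missed += 1
            if missed >= threshold:
                return t
        t += interval
    return None

# Constructed scenarios (all times in seconds).
def booting_gateway(boot_seconds):
    # FortiGate answers no probes until its startup sequence completes.
    return lambda t: t >= boot_seconds

def busy_gateway(delay_windows):
    # Probes sent inside a (start, end) window are delayed and count as lost.
    return lambda t: not any(s <= t < e for s, e in delay_windows)

def failed_gateway(fail_at):
    # FortiGate stops answering for good at `fail_at`.
    return lambda t: t < fail_at

def evaluate(interval, threshold, boot=45, windows=((100, 104), (200, 203)), fail_at=120):
    """Summarise how one (interval, threshold) pair behaves in all three scenarios."""
    real = fail_open_time(interval, threshold, failed_gateway(fail_at))
    return {
        "false_fail_open_on_boot":
            fail_open_time(interval, threshold, booting_gateway(boot)) is not None,
        "false_fail_open_under_load":
            fail_open_time(interval, threshold, busy_gateway(windows)) is not None,
        # Time traffic is interrupted between the real failure and the fail open.
        "outage_seconds": None if real is None else real - fail_at,
    }

if __name__ == "__main__":
    for interval, threshold in [(1, 3), (2, 5), (5, 10)]:
        print(interval, threshold, evaluate(interval, threshold))
```

In this model the most aggressive setting fails open during boot and under load, while the most conservative one avoids both at the cost of a much longer outage after a real failure.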
Configuring FortiBridge alerts
Configure FortiBridge alerts so that the alertemail, syslog, and snmp actions
on failure cause the FortiBridge unit to notify system administrators that the
FortiGate unit has failed. Until you configure alert email, syslog, and SNMP alerts,
the FortiBridge cannot notify system administrators of a FortiGate failure.
You can configure the following FortiBridge alerts:
•
•
•