Path monitoring allows you to verify connectivity to
an IP address so that the firewall can direct traffic through an
alternate route, when needed. The firewall uses ICMP pings as heartbeats to
verify that the specified IP address is reachable.
A monitoring profile allows you to specify the threshold number
of heartbeats to determine whether the IP address is reachable.
When the monitored IP address is unreachable, you can either disable
the PBF rule or specify a fail-over or wait-recover action.
Disabling the PBF rule allows the virtual router to take over the
routing decisions. When the fail-over or wait-recover action is
taken, the monitoring profile continues to monitor whether the target
IP address is reachable, and when it comes back up, the firewall
reverts to using the original route.

The following table lists the difference in behavior for a path
monitoring failure on a new session versus an established session.

| Behavior of a session on a monitoring failure | If the rule stays enabled when the monitored IP address is unreachable | If rule is disabled when the monitored IP address is unreachable |
| --- | --- | --- |
| For an established session | wait-recover—Continue to use egress interface specified in the PBF rule | wait-recover—Continue to use egress interface specified in the PBF rule |
| | fail-over—Use path determined by routing table (no PBF) | fail-over—Use path determined by routing table (no PBF) |
| For a new session | wait-recover—Use path determined by routing table (no PBF) | wait-recover—Check the remaining PBF rules. If no match, use the routing table |
| | fail-over—Use path determined by routing table (no PBF) | fail-over—Check the remaining PBF rules. If no match, use the routing table |
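
The heartbeat threshold and the session behavior in the table, as a small model added here for illustration (not vendor code): it replays a constructed heartbeat trace and reports the path taken by established and new sessions after each ping. The names `PathMonitor` and `replay` are hypothetical, and counting misses consecutively, with a single reply restoring reachability, is an assumption.

```python
from dataclasses import dataclass

# Path outcomes named after the table cells.
PBF = "pbf-egress-interface"
ROUTING_TABLE = "routing-table (no PBF)"
NEXT_PBF_RULE = "remaining PBF rules, then routing table"


@dataclass
class PathMonitor:
    threshold: int                # lost heartbeats before the target counts as unreachable
    action: str                   # "wait-recover" or "fail-over"
    disable_if_unreachable: bool  # True: PBF rule is disabled while the target is down
    missed: int = 0

    def heartbeat(self, reply: bool) -> None:
        # Assumption: misses are counted consecutively; any reply resets the count.
        self.missed = 0 if reply else self.missed + 1

    @property
    def reachable(self) -> bool:
        return self.missed < self.threshold

    def path(self, established: bool) -> str:
        """Path a session takes right now, per the table."""
        if self.reachable:
            return PBF
        if established:
            # Same in both columns: only the action matters for existing sessions.
            return PBF if self.action == "wait-recover" else ROUTING_TABLE
        # New sessions: only the enabled/disabled state of the rule matters.
        return NEXT_PBF_RULE if self.disable_if_unreachable else ROUTING_TABLE


def replay(monitor: PathMonitor, trace):
    """Return (reachable, established_path, new_session_path) after each heartbeat."""
    results = []
    for reply in trace:
        monitor.heartbeat(reply)
        results.append((monitor.reachable, monitor.path(True), monitor.path(False)))
    return results


if __name__ == "__main__":
    # Constructed trace: one reply, three lost pings, then recovery.
    trace = [True, False, False, False, True]
    mon = PathMonitor(threshold=3, action="wait-recover", disable_if_unreachable=False)
    for step, row in enumerate(replay(mon, trace), 1):
        print(step, row)
```

With wait-recover, the fourth step shows established sessions still pinned to the PBF egress interface while the monitored address is down, which is the case to check when the alternate route matters for availability.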