Path Monitoring for PBF

Path monitoring allows you to verify connectivity to an IP address so that the firewall can direct traffic through an alternate route when needed. The firewall uses ICMP pings as heartbeats to verify that the specified IP address is reachable.
A monitoring profile allows you to specify the threshold number of heartbeats to determine whether the IP address is reachable. When the monitored IP address is unreachable, you can either disable the PBF rule or specify a fail-over or wait-recover action. Disabling the PBF rule allows the virtual router to take over the routing decisions. When the fail-over or wait-recover action is taken, the monitoring profile continues to monitor whether the target IP address is reachable, and when it comes back up, the firewall reverts to using the original route.
The following table lists the differences in behavior for a path monitoring failure on a new session versus an established session.
Rule Stays Enabled When Monitor Fails (disable rule is unchecked)
Rule Disabled When Monitor Fails (disable rule is checked)
wait-recover, fail-over, wait-recover, fail-over
Established Sessions
Continue to use egress interface specified in PBF rule.
Continue to use egress interface specified in PBF rule.
Use path determined by routing table (no PBF).
Use path determined by routing table (no PBF).
New Sessions
Use path determined by routing table (no PBF).
Use path determined by routing table (no PBF).
Check the remaining PBF rules. If none match, use the routing table.
Check the remaining PBF rules. If none match, use the routing table.
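
The heartbeat threshold described above can be modeled as a small state machine. This is an added example, not PAN-OS code: the names `PathMonitor`, `run` and `SAMPLE` are hypothetical. It assumes the threshold counts consecutive missed heartbeats and that a single reply marks the address reachable again.

```python
"""Model of a heartbeat-threshold path monitor (illustrative, not PAN-OS code)."""
from dataclasses import dataclass, field


@dataclass
class PathMonitor:
    threshold: int            # missed heartbeats needed to declare the target down
    missed: int = 0           # current run of consecutive missed heartbeats
    reachable: bool = True    # the monitor's current view of the target
    events: list = field(default_factory=list)

    def heartbeat(self, tick: int, replied: bool) -> None:
        """Record one ICMP heartbeat result and log any state change."""
        if replied:
            self.missed = 0
            if not self.reachable:
                # Assumption: one reply is enough to mark the path recovered.
                self.reachable = True
                self.events.append((tick, "up"))
            return
        # Assumption: only consecutive misses count toward the threshold.
        self.missed += 1
        if self.reachable and self.missed >= self.threshold:
            self.reachable = False
            self.events.append((tick, "down"))


def run(threshold: int, replies: list) -> list:
    """Feed a sequence of heartbeat results; return (tick, state) transitions."""
    monitor = PathMonitor(threshold=threshold)
    for tick, replied in enumerate(replies, start=1):
        monitor.heartbeat(tick, replied)
    return monitor.events


# Constructed sample: 1 = reply received, 0 = heartbeat missed.
SAMPLE = [bool(x) for x in (1, 0, 0, 1, 0, 0, 0, 0, 1, 1)]

if __name__ == "__main__":
    for tick, state in run(3, SAMPLE):
        print(f"heartbeat {tick}: monitored address {state}")
```

In this model a "down" transition is the point where the configured action (disable the rule, fail-over or wait-recover) applies, and "up" is where the firewall reverts to the original route. A lower threshold reacts faster but also trips on short bursts of loss that a higher threshold rides out.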