Path monitoring allows you to verify connectivity to
an IP address so that the firewall can direct traffic through an
alternate route, when needed. The firewall uses ICMP pings as heartbeats to
verify that the specified IP address is reachable.
A monitoring profile allows you to specify the threshold number
of heartbeats to determine whether the IP address is reachable.
When the monitored IP address is unreachable, you can either disable
the PBF rule or specify a fail-over or wait-recover action.
Disabling the PBF rule allows the virtual router to take over the
routing decisions. When the fail-over or wait-recover action is
taken, the monitoring profile continues to monitor whether the target
IP address is reachable, and when it comes back up, the firewall
reverts to using the original route.
The following table lists the difference in behavior for a path
monitoring failure on a new session versus an established session.

| Session type | Rule Stays Enabled When Monitor Fails (disable rule is unchecked): wait-recover | Rule Stays Enabled When Monitor Fails (disable rule is unchecked): fail-over | Rule Disabled When Monitor Fails (disable rule is checked): wait-recover | Rule Disabled When Monitor Fails (disable rule is checked): fail-over |
| --- | --- | --- | --- | --- |
| Established Sessions | Continue to use egress interface specified in PBF rule. | Continue to use egress interface specified in PBF rule. | Use path determined by routing table (no PBF). | Use path determined by routing table (no PBF). |
| New Sessions | Use path determined by routing table (no PBF). | Use path determined by routing table (no PBF). | Check the remaining PBF rules. If none match, use the routing table. | Check the remaining PBF rules. If none match, use the routing table. |
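
The following Python model is an added example, not firewall code or vendor code. It replays a sequence of heartbeat results against one monitored PBF rule and reports the path that established and new sessions take, following the table on this page. The names MonitoredPbfRule and replay and the path labels are hypothetical, and the model assumes the threshold counts consecutive missed heartbeats.

```python
from dataclasses import dataclass

PBF_EGRESS = "egress interface from PBF rule"
ROUTING_TABLE = "routing table (no PBF)"
NEXT_RULES = "remaining PBF rules, then routing table"


@dataclass
class MonitoredPbfRule:
    """Toy model of one PBF rule with path monitoring (hypothetical names)."""
    threshold: int        # missed heartbeats before the target counts as down
    disable_rule: bool    # the "disable rule" checkbox on the rule
    missed: int = 0
    target_up: bool = True

    def heartbeat(self, reply: bool) -> None:
        """Record the result of one ICMP heartbeat."""
        if reply:
            # Target answers again: the firewall reverts to the original route.
            self.missed, self.target_up = 0, True
            return
        self.missed += 1
        # Assumption: the threshold counts consecutive missed heartbeats.
        if self.missed >= self.threshold:
            self.target_up = False

    def path(self, established: bool) -> str:
        """Path a matching session takes, per the table on this page."""
        if self.target_up:
            return PBF_EGRESS
        if established:
            return ROUTING_TABLE if self.disable_rule else PBF_EGRESS
        return NEXT_RULES if self.disable_rule else ROUTING_TABLE


def replay(rule: MonitoredPbfRule, replies: list[bool]) -> list[tuple[str, str]]:
    """Feed heartbeat results in order; return (established, new) paths after each."""
    out = []
    for reply in replies:
        rule.heartbeat(reply)
        out.append((rule.path(established=True), rule.path(established=False)))
    return out


if __name__ == "__main__":
    # Constructed sequence: two replies, three misses (threshold 3), one reply.
    for step in replay(MonitoredPbfRule(threshold=3, disable_rule=False),
                       [True, True, False, False, False, True]):
        print(step)
```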