Path Monitoring for PBF

Path monitoring allows you to verify connectivity to an IP address so that the firewall can direct traffic through an alternate route when needed. The firewall uses ICMP pings as heartbeats to verify that the specified IP address is reachable.
A monitoring profile allows you to specify the threshold number of heartbeats used to determine whether the IP address is reachable. When the monitored IP address is unreachable, you can either disable the PBF rule or specify a fail-over or wait-recover action. Disabling the PBF rule allows the virtual router to take over the routing decisions. When the fail-over or wait-recover action is taken, the monitoring profile continues to monitor whether the target IP address is reachable, and when it comes back up, the firewall reverts to using the original route.
The following table lists the differences in behavior for a path monitoring failure on a new session versus an established session.

| Behavior of a session on a monitoring failure | If the rule stays enabled when the monitored IP address is unreachable | If the rule is disabled when the monitored IP address is unreachable |
|---|---|---|
| For an established session | wait-recover—Continue to use egress interface specified in the PBF rule | wait-recover—Continue to use egress interface specified in the PBF rule |
| For an established session | fail-over—Use path determined by routing table (no PBF) | fail-over—Use path determined by routing table (no PBF) |
| For a new session | wait-recover—Use path determined by routing table (no PBF) | wait-recover—Check the remaining PBF rules. If no match, use the routing table |
| For a new session | fail-over—Use path determined by routing table (no PBF) | fail-over—Check the remaining PBF rules. If no match, use the routing table |
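
The behavior in the table above, modeled in Python so you can replay a sequence of heartbeat results and see which path established and new sessions take. This is an added example, not firewall or vendor code; the class, function and label names are hypothetical, and it assumes missed heartbeats are counted consecutively and that a single reply marks the target reachable again.

```python
from dataclasses import dataclass

PBF_EGRESS = "egress interface from PBF rule"
ROUTING_TABLE = "routing table (no PBF)"
NEXT_RULES = "remaining PBF rules, then routing table"


@dataclass
class MonitoredPbfRule:
    threshold: int                 # missed heartbeats before the target counts as unreachable
    action: str                    # "wait-recover" or "fail-over"
    disable_if_unreachable: bool   # True: rule is disabled while the target is down
    missed: int = 0

    def __post_init__(self):
        if self.action not in ("wait-recover", "fail-over"):
            raise ValueError(f"unknown action: {self.action}")

    def heartbeat(self, reply: bool) -> None:
        # Assumption: misses count consecutively; one reply marks the target reachable again.
        self.missed = 0 if reply else self.missed + 1

    @property
    def reachable(self) -> bool:
        return self.missed < self.threshold

    def path(self, established: bool) -> str:
        if self.reachable:
            return PBF_EGRESS
        if established:
            # Established sessions behave the same whether or not the rule is disabled.
            return PBF_EGRESS if self.action == "wait-recover" else ROUTING_TABLE
        # New sessions never use the failed PBF path.
        return NEXT_RULES if self.disable_if_unreachable else ROUTING_TABLE


def replay(rule, replies):
    """Feed ping results to the rule; return (established, new) paths after each one."""
    timeline = []
    for reply in replies:
        rule.heartbeat(reply)
        timeline.append((rule.path(True), rule.path(False)))
    return timeline


if __name__ == "__main__":
    # Constructed ping results: target drops for three heartbeats, then recovers.
    rule = MonitoredPbfRule(threshold=3, action="wait-recover", disable_if_unreachable=False)
    for step in replay(rule, [True, False, False, False, True]):
        print(step)
```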
