Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.4.0 Administration Guide
    7.4.0
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Active SIM card switching NEW

    Active SIM card switching NEW

    FortiGates with a cellular modem and dual SIM card can switch in real time from the active SIM card to the passive SIM card when any of the following issues arise with the active SIM card:

    • Ping link monitor fails. The SIM switch time depends on the link monitor parameters set.
    • An active SIM card cannot be detected. The SIM switch time is about 20 seconds after the SIM card is no longer detected.
    • A modem disconnection is detected, and a specified interval has elapsed. The SIM switch time occurs after the specified interval.

    SIM card switching events are captured in the FortiGate event log.

    Note

    In most cases, SIM cards come with the wireless carrier's APN, which is automatically retrieved at the first connection of the LTE modem. For these cases, you can use SIM cards for different wireless carriers in SIM slot 1 and slot 2.

    When one or both SIM cards require their APN settings to be configured on the FortiGate, then both SIM cards should be for the same wireless carrier because config system lte-modem currently only supports a single set apn < apn > setting.

    The following command and options can be used to configure this feature:

    config system lte-modem
    config sim-switch
        set by-sim-state {enable | disable}
        set by-connection-state {enable | disable}
        set by-link-monitor {enable | disable}
        set link-monitor <link-monitor-name>
        set sim-switch-log-alert-interval <interval>
        set sim-switch-log-alert-threshold <threshold>
        set modem-disconnection-time <integer>
    end
end

    by-sim-state {enable | disable}

    Enable switching based on active SIM card state:

    • enable: switch to the passive SIM card whenever FortiGate cannot detect the active SIM card, such as when the active SIM card is ejected.
    • disable: do not switch SIM cards based on state.

    by-connection-state {enable | disable}

    Enable switching based on the connection state of the active SIM card:

    • enable: switch to the passive SIM card whenever FortiGate detects a modem signal loss after the modem-disconnection-time expires.
    • disable: do not switch SIM cards based on the connection state.

    by-link-monitor {enable | disable}

    Enable switching when a configured link monitor fails:

    • enable: switch to the passive SIM card when a link monitor configured with link-monitor-name fails.
    • disable: do not switch SIM cards based on the failure of a configured link monitor.

    link-monitor <link-monitor-name>

    Specify the name of the link monitor to use with by-link-monitor.

    sim-switch-log-alert-interval <interval>

    Identify what number of constant SIM card switch events will trigger an event log after the threshold in sim-switch-log-alert-threshold is met.

    sim-switch-log-alert-threshold

    Specify how many minutes to wait before creating an event log when the number of SIM card switches defined in sim-switch-log-alert-interval is met.

    modem-disconnection-time <integer>

    Specify how many seconds to wait before switching over to the passive SIM card when by-connection-state is enabled and a modem signal loss is detected.

    Example 1

    In this example, automatic SIM card switching is disabled. When disabled, the SIM card only works in the default slot1, but you can manually switch the SIM card to slot2. Event logs include details about the SIM card switch.

    To manually switch a SIM card:

    1. Disable automatic SIM card switching:

      config system lte-modem
    config sim-switch
        set by-sim-state disable
        set by-connection-state disable
        set by-link-monitor disable
        set sim-slot 1
    end
end

    2. Manually switch the SIM card from slot1 to slot2, and run the following command:

      # execute lte-modem sim-switch

      The SIM card switch may take a few seconds. You can run diagnose system lte-modem sim-info to check the results.

      The following log is generated after unplugging an active SIM card:

      7: date=2023-05-02 time=10:41:05 eventtime=1683049264795418820 tz="-0700" logid="0100046518" type="event" subtype="system" level="information" vd="root" logdesc="LTE modem active SIM card switch event" msg="LTE modem active SIM card slot changed to 2 by user."

    Example 2

    In this section, automatic SIM card switching is enabled and configured to switch based on SIM state, connection state, or link monitor state, and it includes example event logs for each scenario.

    To enable automatic SIM card switching by SIM state:

    1. Enable automatic SIM card switching by SIM state:

      config system lte-modem
    config sim-switch
        set by-sim-state enable
    end
end

      With this configuration, the second SIM card becomes active when the active SIM card is no longer detected, for example, if the active SIM card is ejected. The following event logs are generated:

      5: date=2023-04-28 time=17:27:27 eventtime=1682728046989682780 tz="-0700" logid="0100046513" type="event" subtype="system" level="information" vd="root" logdesc="LTE modem data link connection event" msg="LTE modem data link changed from QMI_WDS_CONNECTION_STATUS_DISCONNECTED to QMI_WDS_CONNECTION_STATUS_CONNECTED"

6: date=2023-04-28 time=17:27:17 eventtime=1682728036493684280 tz="-0700" logid="0100046512" type="event" subtype="system" level="information" vd="root" logdesc="LTE modem SIM card state event" msg="LTE modem SIM card change from QMI_UIM_CARD_STATE_ABSENT to QMI_UIM_CARD_STATE_PRESENT"

7: date=2023-04-28 time=17:27:12 eventtime=1682728032589776580 tz="-0700" logid="0100046513" type="event" subtype="system" level="information" vd="root" logdesc="LTE modem data link connection event" msg="LTE modem data link changed from QMI_WDS_CONNECTION_STATUS_CONNECTED to QMI_WDS_CONNECTION_STATUS_DISCONNECTED"

8: date=2023-04-28 time=17:27:11 eventtime=1682728031245682560 tz="-0700" logid="0100046512" type="event" subtype="system" level="information" vd="root" logdesc="LTE modem SIM card state event" msg="LTE modem SIM card change from QMI_UIM_CARD_STATE_PRESENT to QMI_UIM_CARD_STATE_ABSENT"
    To enable automatic SIM card switching by connection state:

    1. Enable automatic SIM card switching by connection state:

      config system lte-modem
    config sim-switch
        set by-connection-state enable
        set modem-disconnection-time 30
        set sim-switch-log-alert-interval 15
        set sim-switch-log-alert-threshold 5
    end
end

      With this configuration, the second SIM card becomes active when the modem cannot establish a connection with the carrier through the active SIM card. For example, a FortiGate is in a room with poor signal quality. With this configuration, the SIM card switch is triggered after the modem is detected as disconnected for 30 seconds, and the following event log is generated:

      56: date=2023-05-01 time=11:14:56 eventtime=1682964896356933480 tz="-0700" logid="0100046519" type="event" subtype="system" level="notice" vd="root" logdesc="LTE modem active SIM card switched: modem disconnection detected" msg="LTE modem active SIM card slot changed to 2, due to modem connection down."

66: date=2023-05-01 time=11:14:13 eventtime=1682964852964869400 tz="-0700" logid="0100046519" type="event" subtype="system" level="notice" vd="root" logdesc="LTE modem active SIM card switched: modem disconnection detected" msg="LTE modem active SIM card slot changed to 1, due to modem connection down."

      When poor signal quality causes SIM cards to frequently switch back and forth, and the flapping rate occurs more than five times within the configured 15 minute time period, an event log is triggered to record the flapping severity:

      65: date=2023-05-01 time=11:14:13 eventtime=1682964853083194400 tz="-0700" logid="0100046521" type="event" subtype="system" level="warning" vd="root" logdesc="LTE modem active SIM card slot flipped back and forth in short time" msg="LTE modem switched SIM slot 8 times in last 15 minutes, which is greater than 5 times threshold."
    To enable automatic SIM card switching based on link monitor:

    1. Enable automatic SIM card switching by link monitor, and specify the link monitor:

      config system lte-modem
    config sim-switch
        set by-link-monitor enable
        set link-monitor "modem"
        set sim-switch-log-alert-interval 15
        set sim-switch-log-alert-threshold 5
    end
    config system link-monitor
    edit "modem"
        set srcintf "wwan"
        set server "8.8.8.8"
        set interval 1000
        set probe-timeout 100
        set failtime 3
        set recoverytime 8
    next
end

      With this configuration, the second SIM card becomes active when the link monitor detects the active SIM card exceeds the SLA.

    2. Check the link monitor status. In this example, the link monitor status is dead:

      # diagnose system link-monitor status modem

Link Monitor: modem, Status: dead, Server num(1), cfg_version=7 HA state: local(dead), shared(dead)
Flags=0x9 init log_downgateway, Create time: Fri Apr 28 16:34:56 2023
Source interface: wwan (19)
VRF: 0
Interval: 1000 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
  Peer: 8.8.8.8(8.8.8.8) 
        Source IP(10.192.195.164)
        Route: 10.192.195.164->8.8.8.8/32, gwy(10.192.195.165)
        protocol: ping, state: dead
                Packet lost: 11.667%
                MOS: 4.353
                Number of out-of-sequence packets: 0
                Recovery times(5/8) Fail Times(1/3)
                Packet sent: 60, received: 56, Sequence(sent/rcvd/exp): 61/61/62

      The following event log is generated when the link-monitor status is dead:

      15: date=2023-04-28 time=16:31:38 eventtime=1682724697936494139 tz="-0700" logid="0100046520" type="event" subtype="system" level="notice" vd="root" logdesc="LTE modem active SIM card switched: link monitor probe failure detected" msg="LTE modem active SIM card slot changed to 2, due to link monitor probe failures."

19: date=2023-04-28 time=16:31:13 eventtime=1682724673152506599 tz="-0700" logid="0100022932" type="event" subtype="system" level="warning" vd="root" logdesc="Link monitor status warning" name="modem" interface="wwan" probeproto="ping" msg="Link Monitor changed state from alive to dead, protocol: ping."
    Previous
    Next

    Active SIM card switching NEW

    Active SIM card switching NEW

    FortiGates with a cellular modem and dual SIM card can switch in real time from the active SIM card to the passive SIM card when any of the following issues arise with the active SIM card:

    • Ping link monitor fails. The SIM switch time depends on the link monitor parameters set.
    • An active SIM card cannot be detected. The SIM switch time is about 20 seconds after the SIM card is no longer detected.
    • A modem disconnection is detected, and a specified interval has elapsed. The SIM switch time occurs after the specified interval.

    SIM card switching events are captured in the FortiGate event log.

    Note

    In most cases, SIM cards come with the wireless carrier's APN, which is automatically retrieved at the first connection of the LTE modem. For these cases, you can use SIM cards for different wireless carriers in SIM slot 1 and slot 2.

    When one or both SIM cards require their APN settings to be configured on the FortiGate, then both SIM cards should be for the same wireless carrier because config system lte-modem currently only supports a single set apn < apn > setting.

    The following command and options can be used to configure this feature:

    config system lte-modem
    config sim-switch
        set by-sim-state {enable | disable}
        set by-connection-state {enable | disable}
        set by-link-monitor {enable | disable}
        set link-monitor <link-monitor-name>
        set sim-switch-log-alert-interval <interval>
        set sim-switch-log-alert-threshold <threshold>
        set modem-disconnection-time <integer>
    end
end

    by-sim-state {enable | disable}

    Enable switching based on active SIM card state:

    • enable: switch to the passive SIM card whenever FortiGate cannot detect the active SIM card, such as when the active SIM card is ejected.
    • disable: do not switch SIM cards based on state.

    by-connection-state {enable | disable}

    Enable switching based on the connection state of the active SIM card:

    • enable: switch to the passive SIM card whenever FortiGate detects a modem signal loss after the modem-disconnection-time expires.
    • disable: do not switch SIM cards based on the connection state.

    by-link-monitor {enable | disable}

    Enable switching when a configured link monitor fails:

    • enable: switch to the passive SIM card when a link monitor configured with link-monitor-name fails.
    • disable: do not switch SIM cards based on the failure of a configured link monitor.

    link-monitor <link-monitor-name>

    Specify the name of the link monitor to use with by-link-monitor.

    sim-switch-log-alert-interval <interval>

    Identify what number of constant SIM card switch events will trigger an event log after the threshold in sim-switch-log-alert-threshold is met.

    sim-switch-log-alert-threshold

    Specify how many minutes to wait before creating an event log when the number of SIM card switches defined in sim-switch-log-alert-interval is met.

    modem-disconnection-time <integer>

    Specify how many seconds to wait before switching over to the passive SIM card when by-connection-state is enabled and a modem signal loss is detected.

    Example 1

    In this example, automatic SIM card switching is disabled. When disabled, the SIM card only works in the default slot1, but you can manually switch the SIM card to slot2. Event logs include details about the SIM card switch.

    To manually switch a SIM card:

    1. Disable automatic SIM card switching:

      config system lte-modem
    config sim-switch
        set by-sim-state disable
        set by-connection-state disable
        set by-link-monitor disable
        set sim-slot 1
    end
end

    2. Manually switch the SIM card from slot1 to slot2, and run the following command:

      # execute lte-modem sim-switch

      The SIM card switch may take a few seconds. You can run diagnose system lte-modem sim-info to check the results.

      The following log is generated after unplugging an active SIM card:

      7: date=2023-05-02 time=10:41:05 eventtime=1683049264795418820 tz="-0700" logid="0100046518" type="event" subtype="system" level="information" vd="root" logdesc="LTE modem active SIM card switch event" msg="LTE modem active SIM card slot changed to 2 by user."

    Example 2

    In this section, automatic SIM card switching is enabled and configured to switch based on SIM state, connection state, or link monitor state, and it includes example event logs for each scenario.

    To enable automatic SIM card switching by SIM state:

    1. Enable automatic SIM card switching by SIM state:

      config system lte-modem
    config sim-switch
        set by-sim-state enable
    end
end

      With this configuration, the second SIM card becomes active when the active SIM card is no longer detected, for example, if the active SIM card is ejected. The following event logs are generated:

      5: date=2023-04-28 time=17:27:27 eventtime=1682728046989682780 tz="-0700" logid="0100046513" type="event" subtype="system" level="information" vd="root" logdesc="LTE modem data link connection event" msg="LTE modem data link changed from QMI_WDS_CONNECTION_STATUS_DISCONNECTED to QMI_WDS_CONNECTION_STATUS_CONNECTED"

6: date=2023-04-28 time=17:27:17 eventtime=1682728036493684280 tz="-0700" logid="0100046512" type="event" subtype="system" level="information" vd="root" logdesc="LTE modem SIM card state event" msg="LTE modem SIM card change from QMI_UIM_CARD_STATE_ABSENT to QMI_UIM_CARD_STATE_PRESENT"

7: date=2023-04-28 time=17:27:12 eventtime=1682728032589776580 tz="-0700" logid="0100046513" type="event" subtype="system" level="information" vd="root" logdesc="LTE modem data link connection event" msg="LTE modem data link changed from QMI_WDS_CONNECTION_STATUS_CONNECTED to QMI_WDS_CONNECTION_STATUS_DISCONNECTED"

8: date=2023-04-28 time=17:27:11 eventtime=1682728031245682560 tz="-0700" logid="0100046512" type="event" subtype="system" level="information" vd="root" logdesc="LTE modem SIM card state event" msg="LTE modem SIM card change from QMI_UIM_CARD_STATE_PRESENT to QMI_UIM_CARD_STATE_ABSENT"
    To enable automatic SIM card switching by connection state:

    1. Enable automatic SIM card switching by connection state:

      config system lte-modem
    config sim-switch
        set by-connection-state enable
        set modem-disconnection-time 30
        set sim-switch-log-alert-interval 15
        set sim-switch-log-alert-threshold 5
    end
end

      With this configuration, the second SIM card becomes active when the modem cannot establish a connection with the carrier through the active SIM card. For example, a FortiGate is in a room with poor signal quality. With this configuration, the SIM card switch is triggered after the modem is detected as disconnected for 30 seconds, and the following event log is generated:

      56: date=2023-05-01 time=11:14:56 eventtime=1682964896356933480 tz="-0700" logid="0100046519" type="event" subtype="system" level="notice" vd="root" logdesc="LTE modem active SIM card switched: modem disconnection detected" msg="LTE modem active SIM card slot changed to 2, due to modem connection down."

66: date=2023-05-01 time=11:14:13 eventtime=1682964852964869400 tz="-0700" logid="0100046519" type="event" subtype="system" level="notice" vd="root" logdesc="LTE modem active SIM card switched: modem disconnection detected" msg="LTE modem active SIM card slot changed to 1, due to modem connection down."

      When poor signal quality causes SIM cards to frequently switch back and forth, and the flapping rate occurs more than five times within the configured 15 minute time period, an event log is triggered to record the flapping severity:

      65: date=2023-05-01 time=11:14:13 eventtime=1682964853083194400 tz="-0700" logid="0100046521" type="event" subtype="system" level="warning" vd="root" logdesc="LTE modem active SIM card slot flipped back and forth in short time" msg="LTE modem switched SIM slot 8 times in last 15 minutes, which is greater than 5 times threshold."
    To enable automatic SIM card switching based on link monitor:

    1. Enable automatic SIM card switching by link monitor, and specify the link monitor:

      config system lte-modem
    config sim-switch
        set by-link-monitor enable
        set link-monitor "modem"
        set sim-switch-log-alert-interval 15
        set sim-switch-log-alert-threshold 5
    end
    config system link-monitor
    edit "modem"
        set srcintf "wwan"
        set server "8.8.8.8"
        set interval 1000
        set probe-timeout 100
        set failtime 3
        set recoverytime 8
    next
end

      With this configuration, the second SIM card becomes active when the link monitor detects the active SIM card exceeds the SLA.

    2. Check the link monitor status. In this example, the link monitor status is dead:

      # diagnose system link-monitor status modem

Link Monitor: modem, Status: dead, Server num(1), cfg_version=7 HA state: local(dead), shared(dead)
Flags=0x9 init log_downgateway, Create time: Fri Apr 28 16:34:56 2023
Source interface: wwan (19)
VRF: 0
Interval: 1000 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
  Peer: 8.8.8.8(8.8.8.8) 
        Source IP(10.192.195.164)
        Route: 10.192.195.164->8.8.8.8/32, gwy(10.192.195.165)
        protocol: ping, state: dead
                Packet lost: 11.667%
                MOS: 4.353
                Number of out-of-sequence packets: 0
                Recovery times(5/8) Fail Times(1/3)
                Packet sent: 60, received: 56, Sequence(sent/rcvd/exp): 61/61/62

      The following event log is generated when the link-monitor status is dead:

      15: date=2023-04-28 time=16:31:38 eventtime=1682724697936494139 tz="-0700" logid="0100046520" type="event" subtype="system" level="notice" vd="root" logdesc="LTE modem active SIM card switched: link monitor probe failure detected" msg="LTE modem active SIM card slot changed to 2, due to link monitor probe failures."

19: date=2023-04-28 time=16:31:13 eventtime=1682724673152506599 tz="-0700" logid="0100022932" type="event" subtype="system" level="warning" vd="root" logdesc="Link monitor status warning" name="modem" interface="wwan" probeproto="ping" msg="Link Monitor changed state from alive to dead, protocol: ping."
    Previous
    Next